What is PCI Compliance?
Do you take card payments? You might not know it, but it’s your job to protect your customers’ financial information. That means you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This is a mandatory security requirement, enforced through the contract you hold with your card payment provider, and it applies to all businesses taking card payments in person, over the phone or online. It helps keep both you and your customers safe from data breaches. But who oversees all this? The PCI Security Standards Council, which was founded by the major card brands (Visa, Mastercard, American Express, Discover and JCB) and maintains the standard. The card brands, acquiring banks and payment service providers then require every merchant and organisation that stores, processes or transmits card data to prove it is PCI compliant. As you might imagine, it’s a big operation.
Which businesses need to be PCI Compliant / Certified?
As we already touched upon, when you accept a card payment, you and your customer are sharing sensitive financial information. This needs to be protected, which is why PCI compliance is crucial. All UK businesses taking card payments need to be PCI compliant, and your card payment provider sets the deadline: with Paymentsense you have two months from signing up, after which monthly non-compliance fees apply.
PCI Compliance Levels
There are four levels of PCI compliance, each with its own validation requirements. The level your business falls into depends on how many card payments you take annually. See which level you are…
Level 1: Businesses processing over 6 million card transactions annually across all channels.
Level 2: Businesses processing 1 million to 6 million card transactions annually across all channels.
Level 3: Businesses processing 20,000 to 1 million e-commerce transactions annually.
Level 4: Businesses processing fewer than 20,000 e-commerce transactions annually, and all other merchants processing up to 1 million card transactions annually.
Level 1 businesses must have a yearly on-site assessment by a Qualified Security Assessor (QSA), or by a PCI SSC-trained Internal Security Assessor where the card brand accepts it, resulting in a Report on Compliance, plus quarterly external network scans by an Approved Scanning Vendor (ASV). You’ll find the full list of approved scanning vendors on the PCI Security Standards Council website. Businesses that fall into levels 2, 3 or 4 must complete the relevant PCI DSS Self-Assessment Questionnaire (SAQ) every year and undergo quarterly network security scans with an approved scanning vendor. Whichever level you are in, a scan only counts as a pass once every finding the ASV rates as failing (CVSS score of 4.0 or higher) has been fixed and rescanned.
If you want to see the full steps you need to take for becoming PCI compliant have a look at our Card Payment Security Guide here.
PCI Compliance requirements
To become compliant, you’ll need to meet the twelve PCI DSS requirements, which are grouped under six goals. This may mean updating your systems, including software and hardware. Here is the full list:
Build and maintain a secure network
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data
Protect stored cardholder data, for example by masking, truncating or encrypting the card number and never storing the security code.
Encrypt transmission of cardholder data across open, public networks.
Maintain a vulnerability management program
Use and regularly update anti-virus software on systems commonly affected by malware.
Develop and maintain secure systems and applications, applying security patches promptly.
Implement strong access control measures
Restrict access to cardholder data to those with a business need to know.
Assign a unique ID to each person with computer access.
Restrict physical access to cardholder data.
Regularly monitor and test networks
Track and monitor all access to network resources and cardholder data, so you can spot and investigate suspicious activity.
Regularly test security systems and processes.
Maintain an information security policy
Maintain a policy that addresses information security for all personnel.
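One of the requirements above, protecting stored cardholder data, is where small merchants most often slip up in practice: a full card number (PAN) ends up in an application log, a support ticket or a spreadsheet. The script below is an added example, not code from Paymentsense or from the PCI SSC, showing how a practitioner can find and mask PANs in log lines before they are written to storage. The sample log lines are constructed for the example; the masking keeps the first six and last four digits, the most that PCI DSS (requirement 3.3 in v3.2.1) permits to be displayed; and the Luhn checksum is used to tell card numbers apart from ordinary 16-digit values such as order references.

```python
from __future__ import annotations

import re

# Constructed sample log lines (not real customer data). Lines 1 and 2 contain
# Luhn-valid test card numbers; the 16-digit "ref" in line 2 is a plain order
# reference that fails the Luhn check and must be left untouched.
LOG_LINES = [
    "2024-03-01 12:00:01 checkout pan=4111111111111111 amount=19.99",
    "2024-03-01 12:00:02 refund card=4242 4242 4242 4242 ref=1234567890123456",
    "2024-03-01 12:00:03 healthcheck ok",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# glued to other digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything in between."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in a log line; return (new_line, pans_found)."""
    found = 0

    def _sub(match: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_valid(digits):
            found += 1
            return mask_pan(match.group(0))
        return match.group(0)   # a digit run that is not a card number

    return _CANDIDATE.sub(_sub, line), found


def redact_log(lines: list[str]) -> tuple[list[str], int]:
    """Redact a whole log; returns (clean_lines, total_pans_found)."""
    clean, total = [], 0
    for line in lines:
        new_line, n = redact_line(line)
        clean.append(new_line)
        total += n
    return clean, total


if __name__ == "__main__":
    clean, total = redact_log(LOG_LINES)
    print("\n".join(clean))
    print(f"{total} PAN(s) masked")
```

Treat a filter like this as a last line of defence, not as the control itself: the real fix is to never let the PAN reach your logs, and a pattern match will miss numbers embedded in longer digit runs or split across separators it does not know about. A hit from this filter is worth investigating as a potential scope problem, because a system that holds full PANs in logs is in scope for the full standard.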
While you might already have most of the above in place, formalising these measures is good practice and ensures they can be maintained and evidenced, which limits your liability in the event of data theft.
Remember: We can help you complete this lengthy process over the phone by avoiding costly mistakes and saving you time so that you can focus on running your business.
PCI Compliance Costs
Costs depend on a few things, like the size of your business, the type of card payments you take and the number of transactions you process a year. Also, as mentioned above, you may need to update your software or hardware to meet the requirements. This is why costs vary.
As a guideline, you’ll need to pay a monthly PCI management fee, which is included in your quarterly invoice from your card payments provider. This covers managing compliance on your account and membership of the PCI programme, including help with quarterly scans of your network and security advice. Bear in mind that separate non-compliance fees apply if your business isn’t compliant.
PCI Charges for non-compliance
At Paymentsense, we do all we can to help you become compliant. This includes sending you reminders and calling you from time to time to see if everything’s okay. At the beginning of your contract with us, you have a two-month grace period before you’re liable for monthly non-compliance fees. These are charged through your account with your card payments provider, not by the PCI Security Standards Council, which sets the standard but does not bill merchants directly. The charges for non-compliance start from £35 + VAT and are automatically charged to your account for each non-compliant calendar month.
How to become PCI Compliant
We know compliance might sound complicated. But don’t worry, we’ve got you. While you will need to fill out a self-assessment questionnaire (which can run to around 300 questions, depending on how you take payments), we’ll be with you every step of the way online or over the phone and ensure you avoid any costly errors. Your PCI compliance is valid for a year, and of course we’ll let you know when it needs to be renewed and guide you through the process.
You must complete the self-assessment every 12 months to assess the potential risks in your payment processing system. Our PCI Portal guides you through the whole thing, helping you report your compliance and meet industry standards. We send you login details when you sign up.
When you sign up with us, we’ll talk you through the whole assessment while you’re on the line – in no time and with no costly mistakes.
We make compliance easier to understand. It’s not cheating, promise. Keeping your customers’ data secure is serious stuff, so once we’ve guided you through the process you’ll know you’re covered. We’ll talk you through your compliance from start to finish. And make renewing annually a cinch.