If Your Clients Accept Credit Cards, They Need To Be in Compliance
You don’t have to be a small business owner to know that credit cards have transformed the way we buy and sell. But as payment processing becomes more sophisticated, the way criminals steal information becomes more sophisticated, too. That’s why the industry created the Payment Card Industry Data Security Standard (PCI DSS)—and if your clients accept payment with credit cards, they’ll need to be familiar with it.
Created by the major credit companies including Visa, Mastercard, and American Express, these standards are meant to protect sensitive consumer data. This applies to businesses of all sizes—if your clients accept even one credit card payment, they will need to follow these rules.
At ProWriters, we know this can be tricky for smaller companies. Our cyber experts work constantly to monitor changes in regulations and keep brokers and their clients informed. We also provide access to exceptional cyber insurance products that reflect the ever-changing rules and threats that affect payment processing. As part of our commitment to helping navigate the compliance landscape, we’ve outlined the PCI compliance guidelines for small businesses.
Understanding PCI Levels and What They Mean for Small Business
There are four levels of PCI compliance to which companies need to adhere. The level that applies to them depends mostly on the volume of transactions they are processing. Using two of the largest card payment companies, Visa and Mastercard, the levels are as follows:
- Level 1: More than six million Visa/Mastercard transactions per year
- Level 2: Between one and six million transactions per year
- Level 3: Between 20,000 and one million eCommerce transactions per year
- Level 4: Fewer than 20,000 eCommerce transactions or up to one million storefront transactions per year
When it comes to PCI compliance for small businesses, your clients will most likely fall into the Level 4 category. To qualify as PCI-compliant, Level 4 merchants will need to complete the Annual Self-Assessment Questionnaire (SAQ). They may also need to complete a quarterly network scan.
How to Complete the Annual Self-Assessment Questionnaire and Quarterly Network Scans
To complete the Annual Self-Assessment Questionnaire (SAQ), your clients will need a Payment Card Industry Data Security Standard Report on Compliance (PCI DSS ROC). This is available on the PCI Security Standards Council website. There are several different forms to choose from, and this can be confusing for clients. Though it will vary case by case, most of your clients will likely need to complete the SAQ “A” form. It is important to choose the right form, because each form comes with the corresponding Attestation of Compliance that is needed to complete the SAQ.
In addition to the annual SAQ, your small business clients will be required to complete a quarterly network scan. This is an evaluation that scans for vulnerabilities with respect to receiving payments. This must be completed by an Approved Scanning Vendor (ASV) in order for your clients to be in PCI compliance. You can find a searchable list of ASVs on the PCI website.
Because we value streamlining and simplicity, we highly recommend Trustwave. As a preeminent cyber security and managed security services firm, they are qualified to perform the required quarterly network scan. But more than that, Trustwave can simplify the entire compliance process for your clients. Their website includes step-by-step instructions to help your clients navigate the compliance landscape and make sure they’ve met all of the requirements.
Recent PCI Changes for Small Businesses
It is well-documented that small businesses are a preferred target for cyber criminals. In light of this, Visa announced new data security requirements for small merchants that went into effect in 2017 and are now part of the PCI compliance guidelines for small businesses.
With these changes, Level 4 merchants must use PCI-certified Qualified Integrator and Reseller (QIR) professionals. QIRs are professionals who are authorized to install, configure, and repair payment systems. On the assessment questionnaire detailed above, there will be a question along the lines of, “Does your company use a Qualified Integrator & Reseller?” As of 2017, your clients should be able to answer “yes.”
The PCI website offers the PCI Qualified Integrators and Resellers List to help find QIRs. The list is searchable by region, individual name, company name, or certificate number and is continually updated with new approved QIRs.
Using a Third Party and PCI Compliance
Small businesses that outsource their payment processing may ask whether they still need to be PCI compliant. While it may seem like compliance would not be necessary at that point, it is in fact still required. This applies even to businesses that have fully outsourced all payment processing and do not store or transmit any cardholder data.
While using a third party does not exempt a company from PCI compliance, it can simplify the PCI compliance process for small businesses. This is because it can reduce their risk exposure and reduce the number of steps required to reach compliance (for instance, they may only need to complete the SAQ). However, while it’s possible to outsource payment processing, you can’t outsource liability. A breach at the third party means your client can still be held liable, which is one reason why cyber insurance protection is so important.
The important thing to keep in mind is that minimum PCI compliance is not the same as comprehensive data security. PCI-compliant companies are still hacked in major data breaches. To mitigate their cyber exposure, your clients will need cyber liability insurance. To learn more about PCI compliance or the insurance packages available, speak with a cyber expert from ProWriters today!