PCI Compliance is something that all merchants should be concerned about. Being out of compliance is likely a bigger concern because it can lead to some hefty fines. Accepting credit cards through a Merchant Services Provider or credit card processor requires the signing of a Merchant Agreement that binds your business to the rules and regulations required by card brands to ensure businesses and consumers are protected in transactions. All merchants using a processor such as Aurora Payments, Chosen Payments or One Payment must comply with PCI regulations.
What is PCI?
PCI stands for the Payment Card Industry and represents the five largest credit card issuers. These card companies created the Data Security Standard (DSS) to help reduce costly data breaches. Together, PCI DSS created a mandate required by card issuing companies like Visa and Mastercard to maintain compliance. The mandate includes fines for violations of compliance and merchants agree to pay these fines and the associated monthly non-compliance fees when signing a Merchant Agreement. Understanding PCI DSS compliance can be frustrating for most merchants, but it exists for a reason. It should be noted that PCI Compliance is not a law. It is a contractual agreement.
What is Compliant?
Being compliant means safeguarding your business and customers by safely and securely accepting credit cards, storing card data, processing cards, and transmitting cardholder data during transactions to prevent fraud and data breaches. Merchants of all sizes, service providers, banks, and other organizations that accept credit card payments must prove they are PCI compliant on an annual basis. Aggregators such as Square and PayPal don’t require their merchants to be PCI compliant. Since Square and PayPal are PCI Compliant themselves for all storage, processing, and transmissions of payment card data, their account holders do not need to certify they are PCI compliant.
Compliance Levels
There are four levels of compliance, and they are based upon annual transaction volumes and organization size which usually corelate to each other.
- Level 1 – Over 6 million transactions or Service Providers with more than 300,000 transactions annually.
- Level 2 – Between 1 and 6 million transactions or Service Providers with less than 300,000 transactions annually.
- Level 3 – Between 20,000 and 1 million eCommerce transactions annually.
- Level 4 – Less than 20,000 transactions annually.
Cost of Compliance
We are frequently asked about the cost of PCI DSS compliance. There isn’t a single answer, and the costs can vary from one company to the next. For most small businesses, PCI DSS compliance and certification can range from around $100 to $300 annually, while a large enterprise might expect to pay between $50,000 to more than $75,000.
Cost of Non-Compliance
If you fall out of compliance, you will be assessed a monthly PCI non-compliance fine until you become compliant. This fine is not assessed by your processor, nor does your processor get to keep the money collected. The fine is assessed by the PCI Council. Non-compliant merchants can be barred from handling transactions and cardholder data and can lead to a complete shut-down of your merchant account if ignored. Also, your business will be financially liable for all data breaches, credit card replacement costs, forensic audits, and investigations costs.
Annual Compliance Certification
In most cases, merchants considered Level 2 to 4 can simply complete an annual Self-Administered Questionnaire (SAQ) which is a self-validation tool. The SAQ contains a set of questions that merchants are required to complete each year and submit to their funding bank. There are 9 different SAQ questionnaires used based upon how you handle cardholder data. Once you have completed the SAQ, you are issued an Attestation of Compliance (AOC). Each questionnaire varies from 22 questions to over 329. PCI compliance for Level 1 merchants must be completed by an outside source. The PCI DSS Self-Assessment Questionnaire ranges from 19 to 87 pages and is created and distributed by the PCI Security Standards Council.
Basic Requirements
There are six basic requirements to compliance called "control objectives" that are established by PCI DSS:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
PCI Compliance can help prevent catastrophic financial losses. Aurora Payments can help you become or maintain your PCI Compliance. Have questions about compliance? Call us at 833-AURORA2 (833-287-6722) or send your question to: Hello@aurorapayments.com
