Chances are you found this page because you’re a small business owner who heard about PCI compliance. Maybe you were notified by a bank or payment processor that you need to be compliant, or you read somewhere that similar businesses to yours have had to be compliant.
In either scenario, you probably weren’t expecting it, and now this is another, seemingly complicated item on your to-do list.
There are a lot of misconceptions about PCI compliance for small business.
In this article, we’ll look at what PCI compliance truly means for small businesses, what your obligations are to being PCI compliant as a small business owner, why PCI compliance should be a priority in your business activities, and detail some common mistakes to avoid on your compliance journey.
If you’ve never looked at PCI before or have been through an audit or two, this article will help you filter out the noise and focus on what matters with PCI compliance for your small business.
(NOTE: If you need expert advice on your PCI compliance, our free tool below matches you with a top-rated PCI consultant who can meet your needs and budget)
- What is PCI Compliance?
- The Benefits of PCI Compliance for Small Business
- Does My Small Business Need to be PCI Compliant?
- Understanding PCI Compliance Levels For Small Business
- How Do I Know Which PCI Requirements Apply to My Business?
- Is There Any Way to Not Undergo PCI Compliance?
- What are the Consequences of Non-Compliance with PCI?
- What are The PCI Compliance Requirements for Small Businesses?
- Steps for a Small Business to Achieve PCI Compliance
- Common PCI Compliance Challenges for Small Businesses
- Do You Need A PCI Professional to Attain Compliance?
- Keeping up to Date with Changes to PCI
- Find the Right PCI Consultant Fast
What is PCI Compliance?
PCI DSS stands for Payment Card Industry Data Security Standard, which is a set of data security standards created by major credit card companies, such as Visa, Mastercard, and American Express, to ensure the safe handling of sensitive customer information.
Due to the increase of fraud online, the PCI council was created by the card brands to set security standards around card data to reduce online fraud from merchant accounts.
The result is a set of requirements for any entity that accepts, processes, stores, and/or transmits credit card information. These are systems and processes that must be in place in your business, to help safeguard payment card data. If they are not in place, you are liable to be fined or penalized. Worst of all, not meeting the PCI requirements increases your business’s risk of falling victim to a data breach.
The Benefits of PCI Compliance for Small Business
Most small business owners will start out thinking of PCI compliance as a burden. “Great, another set of arbitrary standards I need to meet, and what do I get in return?” But, while it can take time and resources in the early stages, attaining PCI compliance has a high upside for small businesses.
The benefits include:
- Reduced Risk of Financial Loss: Credit card fraud can be costly to businesses. In the event of card fraud coming from your business, you are liable for costly chargebacks. Not only that, if you are found to not be PCI compliant, you could also be liable for the monetary value of the fraud initiated on the stolen credit cards.
- Reputation: Being compliant reduces your risk of the kind of data breach that can destroy the reputation of a small business. But additionally, being able to demonstrate PCI compliance is a reputation booster. It says that you take security seriously and can help build trust with customers, clients and stakeholders.
- New Business: Depending on your business, PCI has the potential to open up new service lines, attract new customers and clients, and improve your relationship with banks and financial institutions that could help you grow.
Does My Small Business Need to be PCI Compliant?
If your small business accepts credit card payments at all, then the answer is yes, you need to be PCI compliant.
The PCI council defines PCI scope as any entity that accepts, processes, stores, and/or transmits credit card information.
But what if I fully outsource my payment processing through Stripe, Square, PayPal, or another third party? Yes, you still have some elements of PCI compliance that you need to adhere to.
Thankfully, outsourcing your payment processing takes a large portion of the compliance burden off your shoulders. However, depending on how you utilize Stripe and their platform, you may have more PCI requirements. For example:
- If you utilize the Stripe API to process payments on a server. If CHD is transmitted in your environment (even to Stripe), you have more responsibility for PCI on those systems.
- If you use a Stripe redirect or any other iFrame solution on an e-commerce website, your site can still impact the payment flow if compromised. For that reason, there are PCI compliance aspects (albeit much less than the first example) that will apply to your e-commerce website.
- If you create individual product links on Stripe and send them to customers to pay, and the entire payment process happens on customer-owned devices, you still will have to comply with an even smaller aspect of PCI compliance primarily in requirement 12.
What if I redirect customers to a payment portal or iFrame from my e-commerce website? Yes, you still have control over the card payment flow and your website needs to be secure from common vulnerabilities.
Fortunately, your payment processor will inform you of your obligations regarding PCI Compliance. Stripe for example, has a PCI compliance page inside your member’s area and actually helps fill out your SAQ (more on which below) for you!
It’s critical to understand here that each payment processor is different.
Square for example, claims that its sellers do not need to fill out a PCI SAQ.
Paypal leaves the question ambiguous, implying that they will take on some of the burden, but leaving unsaid the fact that some compliance burden will remain. On you.
It is important to remember that it’s up to the payment processor (Stripe, PayPal, etc.) to decide how they enforce compliance. To them, it is a calculation of risk. If you’re a low-volume merchant, so only exposed to a low level of risk, having you do all the paperwork and them monitor it may not make financial sense.
It is for this reason that many small businesses – who do technically have compliance requirements under PCI – never hear about it. Their payment processor has deemed the risk low enough that the compliance isn’t worth enforcing.
But this information comes with a warning: If you process credit card payments, your payment processor could choose to enforce PCI compliance at any moment. This is why it’s better to be informed of what your obligations could be, even if you don’t need to act on them until later down the line.
Once it’s clear that you have a PCI compliance obligation, the next step is to determine your compliance level.
Understanding PCI Compliance Levels For Small Business
The PCI Council defines levels based on the number of card transactions your business processes each year. The levels are
- Level 1: More than 6 million transactions per year. Level 1 merchants typically require a ROC performed by a QSA.
- Level 2: 1 million to 6 million transactions per year. Level 2 merchants are recommended to utilize a QSA to perform their assessments but can still typically perform an SAQ. Your payment processor or acquiring bank should tell you if you can self-assess or if you need a QSA.
- Level 3: 20,000 to 1 million transactions per year. Level 3 merchants typically can self-assess through an SAQ.
- Level 4: Fewer than 20,000 transactions per year. Level 4 merchants can also typically self-assess through an SAQ.
Most small businesses will be in either level 3 or level 4.
Depending on your compliance level, you will have a specific set of requirements, and a specific way that you’re required to demonstrate compliance. For example, lower PCI levels typically require a self-assessment questionnaire (SAQ) while larger volumes often include a more detailed Report on Compliance (ROC) which needs to be conducted by a third-party auditor, a QSA company.
How Do I Know Which PCI Requirements Apply to My Business?
No matter what, if you process card payments as a small business, you are applicable to some form of PCI requirements. Now, it’s completely up to your payment processor (Stripe, Square, PayPal, Authorize.net, or a bank that you work with directly) to determine the requirements that you need to attest to. Each small business is different. For this reason, it’s always best to work with a PCI Professional to determine what your specific reporting requirements are.
Real-Life Scenario: Small Business Processing with Stripe
For example, I have a small business that processes invoices through Stripe as well as have payment links that redirect product purchases to Stripe for payment. For my business, Stripe wanted me to attest to two things; if I use TLSv1.2 or higher during these transactions and if I keep my server(s) updated with patches within 30 days of release. From there, Stripe auto-generated an SAQ-A for me to attest to my small business’s PCI compliance for the current year.
What is a Payment Processor Exactly?
Your payment processor or acquiring bank is a service you use to connect to credit card networks. Don’t confuse this with your business bank account(s) where funds are deposited to. They will be able to provide information specific to your situation and assist you in determining the level of compliance required.
Based on your transaction levels, your payment processor or acquiring bank can accurately tell you the report they would like you to complete annually to demonstrate your PCI compliance to them.
Is There Any Way to Not Undergo PCI Compliance?
The best way to minimize your PCI compliance is by outsourcing your payment processing to third-parties as much as possible. If you accept card payments through any medium as a business (e-commerce website, point of sale systems, or over the phone) you will be applicable to some kind of PCI compliance responsibility. The less data you have control of, the smaller your assessment will be.
For example, with just a simple website that has an outsourced payment flow you would be applicable to an SAQ-A (card not present) at about 92 requirements. (Many of which may just be you marking N/A on the form)
This is much lower than a full SAQ-D which has about 330 requirements. The requirements in an SAQ-A focus primarily on website security, access to administrator accounts, and your policies/procedures for managing cybersecurity. I’m being brief here. Be sure to read the full SAQ-A for the comprehensive list of requirements.
There is one other way to avoid needing to be PCI compliant, and that is by not accepting credit card payments at all. If you choose to only accept other forms of payment, such as cash or bank transfer, then you will not be required to comply with PCI standards. Unfortunately, consumers today love to pay with credit and debit cards. If you wish to stay relevant in the online e-commerce space or even in-person stores, you should accept credit cards. And if you accept credit cards, you must be PCI compliant.
What are the Consequences of Non-Compliance with PCI?
To reiterate, if you are required to be PCI compliant and you are found not to be, you can face fines & penalties. But the worst consequence is the increased risk of a data breach. And a data breach is the worst of all consequences of PCI non-compliance.
As we’ve outlined in detail, a data breach where payment data is compromised opens your organization to fines from the acquiring banks in the PCI council, penalties from regulatory bodies, not to mention lawsuits, and their legal fees.
What are The PCI Compliance Requirements for Small Businesses?
Each small business is different, and as we mentioned before, the business processes you deploy to accept credit card payments will determine what kind of PCI reporting you have to perform.
To understand your specific situation, reach out to your payment processor or acquiring bank. These are the entities to which you must report your PCI compliance. Since they can see your transaction volumes, they can notify you to which level of compliance you must adhere.
Based on the PCI DSS requirements, there are six primary goals that businesses must align with for PCI compliance:
These primary goals are based on PCI DSS version 4.0. Version 3.2.1 is slightly different.
- Build and Maintain a Secure Network and Systems: This goal includes requirements 1 and 2. You must have the proper network and systems security measures in place to protect cardholder data within your network. As networks are the pathways into your environment, they must be protected as the first line of defense. These requirements cover things like deploying firewalls and other network security controls (NSCs) and ensuring that secure configurations are used for all system components that make up your cardholder environment (CDE).
- Protect Account Data: This goal looks at protecting the cardholder data itself, which includes credit card numbers, security codes, and personal information. This can be achieved through encryption (both at rest and in-transit), secure storage, and regular backups. These are requirements 3 and 4 in the PCI DSS.
- Maintain A Vulnerability Management Program: This goal makes sure that small businesses are monitoring and aware of their network or system vulnerabilities for all systems and applications used to process or store sensitive information. This can include regularly installing software updates and patches to address security vulnerabilities. These are requirements 5 and 6 in the PCI DSS.
- Implement Strong Access Control Measures: The less access granted to the data means a smaller risk of account compromises giving hackers access to cardholder data. This includes limiting access to cardholder data to only those employees who need it to perform their jobs. These are requirements 7, 8, and 9 in the PCI DSS and look at least privilege, secure authentication (including multi-factor authentication [MFA]), and restricting physical access to the equipment that stores, processes, or transmits cardholder data.
- Regularly Monitor and Test Networks: This goal ensures that small businesses regularly monitor their networks and tests the security measures to ensure they are functioning as intended. This typically includes penetration testing, vulnerability scanning through a PCI ASV, and other security audits. These are requirements 10 and 11 in the PCI DSS.
- Maintain an Information Security Policy: Finally, this goal ensures that small businesses develop and maintain policies and procedures for processing and storing cardholder data. Without the proper guidance in the form of policies and procedures, cybersecurity protections cannot be deployed in a uniform manner. This is requirement 12 in the PCI DSS.
Steps for a Small Business to Achieve PCI Compliance
Achieving PCI compliance can seem like a daunting task, but it’s simpler than it looks. Here is a general list of steps you can take to attain PCI compliance for your small business:
- Get Familiar with PCI Standards: Familiarize yourself with the PCI DSS requirements to understand what is required of you to be compliant. You can access these standards on the PCI Security Standards Council’s website.
- Assess Your Current Security Measures: Conduct an internal gap assessment of your current security measures to determine which areas need to be strengthened in order to meet PCI compliance requirements before your actual assessment. Read our other blog post “Is A PCI Gap Assessment Worth It? 5 Key Questions To Ask” to learn more. Being prepared will help your assessment run smoothly. The best way to put it is, “How do you know what you need to protect and how if you don’t know?”
- Determine Your Reporting Level: Before you know what PCI report you must complete to demonstrate compliance, you must determine your reporting level. Your payment processor or acquiring bank will be able to tell you the reporting level you are based on your transactions. See above for the 4 levels of PCI compliance. Remember you’re probably in level 3 or 4.
- Complete the Self-Assessment Questionnaire (SAQ): Based on your reporting level, you will complete the appropriate SAQ. There are multiple versions of SAQs depending on what business processes and technologies you have in place to accept card payments. You can consult with a QSA or PCI Professional, or ask your payment processor or acquiring bank, to help you determine the best SAQ for your business.
- Address Any Deficiencies: If your assessment reveals any deficiencies in your CDE or business practices, take steps to address them. This may include implementing stronger encryption, upgrading your firewalls, or increasing staff training.
- Ongoing Compliance Requirements: There are a number of PCI requirements that require ongoing monitoring. This can include internal/external vulnerability scanning, penetration testing, employee training, updating policies, performing access audits, and performing ASV scans.
The costs associated with achieving PCI compliance can vary depending on your reporting level, your business’s IT infrastructure and scope, and the extent of any work required to remediate assessment findings.
On average, the cost for a small business to attain compliance ranges from $2,000 to $20,000.
The timeline can also vary but is typically around 3-6 months. Again, each business is different, and depending on your reporting level, the report to complete, and your business processes in place for card processing can affect this timeline.
Common PCI Compliance Challenges for Small Businesses
Small businesses often face challenges when it comes to PCI compliance. Each small business will have its own unique challenges, but here are some of the most common challenges and tips to overcome them:
- Determining Your Scope: Determining PCI scope is one of the most important things you need to identify before starting compliance. Here are some tips to help you determine your PCI scope:
- Identify All Cardholder Data Locations: The first step in determining your PCI scope is to identify all cardholder data within your environment. This includes all systems and networks that store, process or transmit cardholder data. For more information on what can be included in your PCI scope reference this guide from the PCI Council’s website. This guide is a little dated but is still accurate.
- Seek Guidance: A QSA or PCI Professional can help you determine your PCI scope and provide guidance on compliance requirements. They can also perform an assessment of your environment and provide a report on any security gaps that need to be addressed. Use these experts to assist you in determining your scope to be as accurate as possible.
- Implement Data Minimization: Data minimization is a key strategy for reducing PCI scope. By minimizing the amount of cardholder data collected and stored, you can reduce the scope of your PCI compliance efforts.
- Maintaining Ongoing Compliance: PCI compliance is not a one-time event. Small businesses must maintain ongoing compliance to ensure the security of cardholder data. Make sure to follow the timelines of recurring PCI requirements (like ASV scanning, penetration tests, access control reviews, firewall rule set reviews, etc.) to maintain compliance in between your annual assessment.
- Implementing Technical Controls: It may be difficult to technical controls such as network security, firewalls or encryption, which are critical to PCI compliance. Depending on your IT infrastructure size, there are oftentimes significant costs for the general maintenance of these systems to remain effective. Seeking assistance from IT professionals or even a managed service provider can help reduce this challenge.
- Implementing PCI Changes: PCI standards are constantly evolving, and small businesses need to stay up-to-date with these changes to ensure ongoing compliance. Keeping a close eye on industry developments and seeking expert advice can help small businesses stay compliant. Currently, PCI DSS is transitioning from version 3.2.1 to version 4.0 which includes numerous changes. If interested, you can read our article called PCI DSS 4.0: How-To Guide For Compliance Teams In 2023 for more information on the changes from version 3.2.1 to version 4.0.
Some of these challenges might resonate to you and your small business. But you’re already one step ahead; you are now aware of them and can begin to plan accordingly. Getting ahead of these challenges, and identifying your specific challenges, can help your PCI compliance journey easier.
Do You Need A PCI Professional to Attain Compliance?
When it comes to achieving PCI compliance you, as a small business owner, have a choice: do you attempt to handle the process on your own or do you seek the assistance of a PCI professional? The answer to this question will ultimately depend on the individual needs of your business.
A PCI professional, such as an ISA or a QSA), is a specialist in the field of payment card security. They have the experience and knowledge to help businesses understand the requirements of the PCI DSS and to guide them through the compliance process. These professionals have been approved by the PCI Council through certification and exams to verify their knowledge.
There are several benefits to working with a PCI professional:
- Expertise: PCI professionals have the expertise to help businesses understand the PCI DSS and ensure that their compliance efforts are thorough and effective.
- Time-savings: Working with a PCI professional can save small businesses time and effort by reducing the learning curve associated with compliance. This can also help businesses focus on their core operations instead of compliance.
- Reduced Risk: By working with a PCI professional, small businesses can ensure that the assessment and implementation of the PCI controls is accurate and correct.
However, there are also some disadvantages to working with a PCI Professional, like cost. Hiring a PCI professional can be expensive. These PCI Professionals must maintain their certifications with the PCI Council and are specialists in the field. Like most other professionals, there is a cost associated with utilizing them.
Ultimately, the decision of whether to work with a PCI professional will depend on your specific business needs. If you have the expertise and resources to handle the compliance process on your own, you may not need to seek the assistance of a PCI professional. On the other hand, if you are unsure and aren’t confident about how to comply with the PCI DSS, working with a PCI professional may be your best option.
Keeping up to Date with Changes to PCI
Staying up-to-date with changes to the PCI DSS is important to maintaining PCI compliance. The PCI Council releases updates to the standards every so many years to keep the requirements current. As new changes are introduced, it’s your responsibility to keep up to date with the changes and be sure that they are integrated into your environment.
One way to stay informed is to regularly check the PCI Security Standards Council’s website for updates and changes. Additionally, you can sign up for the council’s newsletter or follow their social media accounts to receive notifications about updates, changes, new threats to the payment industry, and general trends to help you stay compliant.
Another way to stay informed is to work with a QSA, ISA, or PCI Professional, who can help you understand the updates and their impact on your business. They can also provide guidance on how to make any necessary updates to your cybersecurity practices. You should reach out to your PCI Professional at least once a year to make sure that there aren’t any new changes or updates you need to be aware of before your next PCI assessment.
By being proactive, staying informed about changes to the PCI DSS, and being PCI compliant, you can ensure you maintain compliance and reduce your risk of financial loss due to credit card fraud.