Keeping you and your customers’ information secure is incredibly important, which is why PCI compliance is essential for businesses. But before we get ahead of ourselves, what is PCI DSS and do you need PCI certification?
What does PCI DSS compliance mean?
PCI DSS (Payment Card Industry Data Security Standard) is the set of standards that businesses and service providers must comply with when accepting, storing, transmitting or processing cardholder data. The purpose of PCI compliance is to protect you and your customers from fraudulent activity and data breaches.
Do I need to be PCI compliant?
Technically speaking, PCI compliance is not a legal requirement in UK law, but non-compliance could land you in hot water with the Information Commissioner’s Office (ICO), the UK’s independent body for upholding information rights. Your customers’ personal information falls under the Data Protection Act and GDPR, so if you accept credit or debit card payments for goods and services, you need to comply with PCI DSS standards to avoid the risk of legal action and financial penalties.
Do I need to get PCI certification?
Making sure that your business is PCI compliant can give you peace of mind in knowing that you are doing all you can to ensure your customers’ data is secure.
All payments using our terminals, NatWest Tap to Pay or Payment Gateways are securely encrypted using Payment Card Industry Security Standards Council (PCI SSC)-approved Point-to-Point Encryption (P2PE) by default. However, if we determine that you are subject to additional requirements, you will be provided with Safe Pay, our PCI DSS compliance validation service.
This service is charged monthly, per physical or online store and allows you to confirm that your business handles cardholder data securely, as is required by the Payment Card Industry Security Standards Council. The cost will be confirmed during your application.
In that scenario, you’ll be asked to complete a self-assessment questionnaire and carry out a vulnerability scan of your business. It’s all very straightforward and you’ll be guided through the process every step of the way.
How do I become PCI compliant?
There is no magic wand that awards PCI compliance to a business; instead, you need to continually monitor your payment processes as a business and make improvements where necessary to protect your customers. While every business is different, here are some general steps you may be able to take:
- Do not store or keep any customer till receipts, as these may contain personal data.
- Keep your merchant till receipts stored and locked away.
- If you’re selling through a website, use strong passwords that won’t be easy to guess.
- Use anti-virus software to protect any work devices such as computers and mobile phones.
- Monitor your card machines to check that no one has tampered with them.
The four levels of PCI compliance
Businesses come in all shapes and sizes, and it’s worth noting that PCI security standards may differ according to the scale and nature of an organisation, as some data breaches have more severe consequences than others. Here is an overview of the four PCI compliance levels which are set by credit card companies:
Level 4 – If you process fewer than 20,000 e-commerce transactions in a year, or up to one million regular transactions in that period, you’ll be categorised as PCI level 4.
Level 3 – If you process between 20,000 and one million e-commerce transactions each year, you’ll fall under level 3.
Level 2 – If you process between one and six million transactions per year, then regardless of the channel, you’re classified as level 2 for PCI compliance.
Level 1 – If you process more than six million transactions per year – through any channel – and if your business has previously been the victim of a data breach, you’ll be categorised under level 1.
Types of PCI assessment
Once you know which PCI level your business belongs to, you can seek an audit for your organisation to see if you’re PCI compliant. As a Tyl merchant you will be notified if you are required to complete a Self-Assessment Questionnaire (SAQ) through our PCI portal. In general, here are the four types of PCI assessment:
1. Qualified Security Assessor (QSA) – A QSA is an independent security organisation that has the approval of the PCI Security Standards Council to validate a company’s PCI compliance.
2. Internal Security Assessor (ISA) – If you’d rather have a PCI assessment carried out within your organisation, ISAs are one way to check your security is up to scratch.
3. Report on Compliance (ROC) – Level 1 organisations must get a completed ROC each year from a QSA or ISA, rather than a self-assessment.
4. Self-Assessment Questionnaire (SAQ) – Level 2 and 3 (with some Level 4) organisations should complete a SAQ using guidelines set out by the PCI Security Standards Council. The nature of your business will determine which type of SAQ you need to complete.
Does PCI compliance cost money?
Securing your business’s payment operations can come with associated costs, but becoming a victim of digital fraud could be far costlier.
You can pay an ongoing monthly or annual fee to account providers such as PayPal or Worldpay to validate that you are PCI compliant; you can expect to pay £5 to £20 per month for these checks.
You may also wish to pay for a PCI DSS audit, which can give you proof of compliance. These auditing costs can be as little as £100, or up to £50,000 depending on which PCI level your company falls into. Other costs can include everything from anti-virus software and paper shredders to training staff on PCI compliance.
Keeping you and your customers safe
Becoming PCI compliant needn’t be a head-scratching affair. Get more insight from Tyl on how to keep your business secure, from PCI compliance to making payments overseas. And check out our blogs for expert advice on everything from mobile to MOTO payments.