Having a great product does not by itself make a business successful. Payment processing speed, checkout page quality, and the choice of payment methods all matter, to name just a few factors. In this article, we lay out everything a merchant needs to know about becoming PCI DSS compliant.
What is PCI Compliance?
PCI DSS (the Payment Card Industry Data Security Standard) is an industry security standard rather than a law. It is maintained by the PCI Security Standards Council, which was founded by the major payment card brands: Visa, MasterCard, American Express, Discover, and JCB. The standard sets out twelve general data security requirements, broken down into a couple of hundred more detailed sub-requirements. Not all of them apply to every business type; which ones apply depends on how you handle card data. Getting PCI DSS compliant may seem overwhelming at first, but it is easier than it looks. If you're short on time, reach out to us to get help with becoming PCI compliant.
Why do I, as a merchant, need to be PCI compliant?
If becoming PCI compliant is so much work, why do I even need it? PCI DSS acts as your pass into the world of card payments. Your acquiring bank and the card networks require compliance as a condition of letting you accept credit card payments, and that demand cannot be ignored.
PCI DSS is not itself a law in most countries. It is, however, an internationally used standard that is enforced contractually by acquirers and card brands, and a breach of it (or a card data compromise while non-compliant) is severely penalized: fines, higher processing fees, mandatory forensic investigations, and ultimately the loss of the right to accept cards.
The 12 main PCI DSS requirements for merchants
Read these twelve main requirements, and you’ll probably agree that it makes perfect sense to become PCI DSS compliant:
|Goals|PCI DSS requirements|
|---|---|
|Build and Maintain a Secure Network and Systems|1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.|
|Protect Cardholder Data|3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.|
|Maintain a Vulnerability Management Program|5. Protect all systems against malware and regularly update anti-virus software. 6. Develop and maintain secure systems and applications.|
|Implement Strong Access Control Measures|7. Restrict access to cardholder data by business need to know. 8. Identify and authenticate access to system components. 9. Restrict physical access to cardholder data.|
|Regularly Monitor and Test Networks|10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.|
|Maintain an Information Security Policy|12. Maintain a policy that addresses information security for all personnel.|
Keep in mind that these twelve requirements apply to all merchants, no matter their size or transaction volume. What changes with volume is how you must validate compliance. The card brands define four merchant levels based on annual transaction count. Level 4 merchants have the lowest volume (for example, under Visa's rules, fewer than 20,000 e-commerce transactions per year) and can typically self-assess. Level 1 merchants process the largest volumes (over 6 million transactions annually) and must undergo an annual on-site assessment by a Qualified Security Assessor (QSA) instead of a self-assessment.
Six steps to becoming PCI compliant
When you’re ready to become PCI compliant, follow these six steps:
1. Analyze your compliance level.
To begin, analyze your current state. The validation requirements differ by business type. They depend on how you process customer transactions, whether and where you store card data, which card brands and banks you work with, and what your transaction volume is. Let's say you want to accept Visa and MasterCard. Then you need to determine which of the four merchant levels you fall under, and how your payment channel (e-commerce, card-present, fully outsourced, and so on) is described in the PCI SSC's documentation.
2. Fill out the self-assessment questionnaire.
The self-assessment questionnaire (SAQ) is the tool merchants use to assess their own compliance against the requirements that apply to them. There are nine types of SAQ (A, A-EP, B, B-IP, C, C-VT, D for merchants, D for service providers, and P2PE). Don't panic: each one is aimed at a particular way of handling card data, and your task is to pick the one that matches your business. For example, a merchant that fully outsources all cardholder data functions to a PCI-validated provider usually qualifies for SAQ A, the shortest one. Once you have the right SAQ, it guides you through the applicable requirements, and for each you answer "Yes," "No," or "N/A." That will clarify the state of every piece of your company's payment security.
3. Adjust your website.
At this point, merchants often realize that their business does not meet at least one requirement. If that happens to you, make the necessary security improvements (for instance, removing stored card numbers you do not need, or enforcing TLS on your checkout pages), then go back and complete the SAQ again.
4. Find a provider that uses data tokenization.
Data tokenization replaces a customer's card number (the PAN) with a randomly generated surrogate value, the token, that has no meaning outside the provider's secure vault. Your systems store and reference only the token (plus, at most, the last four digits for display), while the real card data stays with the provider. This keeps your customers' sensitive data protected, reduces the chance of fraud or a data breach, and, because full card numbers never enter your environment, shrinks the part of your business that is in PCI DSS scope. At Ikajo, we use data tokenization. That means that if you apply for a merchant account, we'll help you to get PCI DSS compliant more easily.
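To make the tokenization idea concrete, here is a small, self-contained example added for this article; it is not Ikajo's code or API. It models the provider-side vault and the merchant-side checkout separately, so you can see exactly what the merchant is left holding (a random token and a masked PAN) and that the only way back to the real card number is through the vault. The card numbers used are constructed, Luhn-valid test numbers, and the class and function names are illustrative.

```python
"""Toy payment tokenization vault (added illustration, not Ikajo's code).

Demonstrates the property that makes tokenization useful for PCI DSS
scope reduction: the merchant keeps only a random surrogate (the token)
and the last four digits, while the real PAN exists solely in the
provider's vault. Card numbers below are constructed test values.
"""
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` is a 13-19 digit string that passes the Luhn check.

    Providers validate the PAN before vaulting it so that typos and junk
    input are rejected instead of being stored as 'card data'.
    """
    if not re.fullmatch(r"\d{13,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form a merchant may keep: all but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Provider-side vault: the only place the PAN exists in clear text.

    Tokens are 16 random bytes from `secrets`, so they carry no information
    about the PAN and cannot be reversed without access to the vault itself.
    The same card always maps to the same token, which lets a merchant
    recognise a returning card without ever seeing its number.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}    # token -> PAN
        self._by_pan: dict[str, str] = {}   # PAN -> token

    def tokenize(self, pan: str) -> dict:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        token = self._by_pan.get(pan)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._store[token] = pan
            self._by_pan[pan] = token
        # Everything in this record is safe for the merchant to persist.
        return {"token": token, "masked_pan": mask_pan(pan)}

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Only the vault, inside the provider's CDE, can do this."""
        return self._store[token]


def merchant_checkout(vault: TokenVault, pan: str) -> dict:
    """Merchant-side flow: hand the PAN to the vault once, keep only the result.

    In a real deployment the PAN would travel from the customer's browser
    straight to the provider's hosted field or iframe, so the merchant's
    server would not see `pan` at all; it is passed here only to keep the
    example runnable offline. The returned record is what the merchant stores.
    """
    record = vault.tokenize(pan)
    # Defensive check: nothing the merchant keeps may contain the full PAN.
    if any(pan in str(v) for v in record.values()):
        raise RuntimeError("full PAN leaked into merchant record")
    return record


if __name__ == "__main__":
    vault = TokenVault()
    rec = merchant_checkout(vault, "4111111111111111")   # constructed test PAN
    print(rec)                                           # token + "************1111"
    print(vault.detokenize(rec["token"]))                # only the vault can do this
```

The point to take from the example is architectural rather than cryptographic: because the token is random and the mapping lives only in the vault, a breach of the merchant's database yields nothing a fraudster can charge, and the merchant's systems do not store, process, or transmit full card numbers, which is what moves them toward the shorter SAQ types.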
5. Complete a formal attestation of compliance.
Once you've made all the security updates, you are ready to fill out the formal attestation of compliance (AOC). It is a short document, but it is the signed statement that your business meets all the PCI DSS requirements that apply to it. There is an AOC form matching each SAQ type, so again the right one depends on the nature and size of your business. For merchants that self-assess, the AOC accompanies the completed SAQ (and, where the SAQ requires it, passing quarterly external vulnerability scans from an Approved Scanning Vendor). Level 1 merchants instead have a Qualified Security Assessor (QSA) perform an on-site assessment and produce a Report on Compliance (ROC), which the AOC then summarizes.
6. File the paperwork.
When everything is finally ready, you'll need to file the paperwork with your acquiring bank and/or payment processor. You'll submit your SAQ (or ROC), your AOC, your scan results if required, and any other documents they request. After that, you wait for their acknowledgement, which usually does not take long.
Getting PCI compliant is a must for every business that aims to accept credit card payments online. The good news is that you can always choose a payment provider that knows how to handle card data and takes most of the PCI DSS burden off your shoulders. Reach out to us to get help with becoming PCI compliant.