
PCI Compliance: What You Need to Know


Have you received PCI Compliance emails from Intuit or other private companies? Here's everything you need to know! If you use QBO Payments, go here: What if I use QBO Payments?

PCI compliance refers to following the Payment Card Industry Data Security Standard (PCI DSS), a set of security standards created to protect credit card information during and after a financial transaction. Any business that stores, processes, or transmits credit card data must be PCI compliant.


What is PCI DSS?

  • PCI DSS is a set of requirements established by the PCI Security Standards Council (founded by major credit card brands: Visa, MasterCard, American Express, Discover, and JCB).

  • The goal is to prevent credit card fraud, hacking, and security breaches.


Who Needs to Be PCI Compliant?

  • Any business (retail, online, service provider, etc.) that accepts, processes, stores, or transmits credit card information.


Key Requirements of PCI DSS


There are 12 main requirements grouped into 6 categories:


  1. Build and Maintain a Secure Network

    • Install and maintain a firewall.

    • Avoid using vendor-supplied defaults for passwords.

  2. Protect Cardholder Data

    • Protect stored cardholder data.

    • Encrypt transmission of cardholder data across open, public networks.

  3. Maintain a Vulnerability Management Program

    • Use and regularly update antivirus software.

    • Develop and maintain secure systems and applications.

  4. Implement Strong Access Control Measures

    • Restrict access to cardholder data to “need to know” only.

    • Assign a unique ID to each person with computer access.

    • Restrict physical access to cardholder data.

  5. Regularly Monitor and Test Networks

    • Track and monitor all access to network resources and cardholder data.

    • Regularly test security systems and processes.

  6. Maintain an Information Security Policy

    • Maintain a policy that addresses information security for employees and contractors.


How to Become (and Stay) PCI Compliant


  1. Determine Your Merchant Level

    • Levels are based on the number of transactions per year. Most small businesses are Level 4 (fewer than 20,000 e-commerce transactions or up to 1 million in-person transactions per year).

  2. Complete the Self-Assessment Questionnaire (SAQ)

    • Most small businesses complete an annual SAQ, which is a checklist covering the PCI DSS requirements.

    • Choose the right SAQ type based on how you handle credit cards (e.g., in-person, online, through third-party processors).

  3. Conduct Quarterly Network Scans (if required)

    • If your systems are connected to the internet, an Approved Scanning Vendor (ASV) must scan your network every quarter.

  4. Fix Any Security Issues

    • Address any vulnerabilities identified in your SAQ or network scan.

  5. Submit Compliance Documents

    • Submit the SAQ, Attestation of Compliance (AOC), and scan results to your acquiring bank or payment processor.

  6. Maintain Compliance Year-Round

    • PCI is not a one-time event. Continuously monitor, update systems, train staff, and follow security best practices.


Best Practices for Small Businesses


  • Use PCI-compliant payment processors. If you use Square, Stripe, Shopify, Clover, etc., much of the compliance is handled for you, but you still need to ensure your practices align.

  • Never store cardholder data unless absolutely necessary—and if you do, it must be encrypted and protected per PCI DSS.

  • Train employees on security awareness.

  • Regularly review your systems and procedures for any gaps.


Getting Started: Simple Steps

  1. Contact your payment processor—most have PCI resources, support, and may offer compliance tools.

  2. Fill out the right Self-Assessment Questionnaire for your business type (find them here).

  3. Keep all compliance records and renewal reminders.


Penalties for Non-Compliance

  • Fines from card brands

  • Possible termination of your ability to accept credit cards

  • Liability in case of a data breach


Helpful Resources


Bottom line:


PCI compliance is about protecting your customers’ credit card information and your business from costly data breaches and penalties. For many small businesses, using a reputable payment processor and following best practices will cover most requirements—but you should still complete the SAQ annually and stay informed.





©2024 by Ravenwood Accounting. All Rights Reserved
