PCI compliance continues to be important for businesses, but not a lot of business owners are aware of what it exactly is. Let’s look closely at PCI compliance, why the standards were formed, and how small businesses need to comply with them.

What is PCI Compliance?

Credit card fraud reached epidemic levels at the start of the 2000s. Customers were starting to become uncomfortable with opening new credit lines, afraid that someone will run a fake transaction and leave them in debt. In view of this, in 2006 the biggest card companies (VISA, MasterCard, American Express, Discover and JCB) created the PCI-SSC (Payment Card Industry – Security Standard Council), whose cornerstone was the standard known as PCI- DSS (Payment Card Industry – Data Security Standard). The PCI-DSS standard defines the minimum data security requirements that must be met by any organization that transmits, processes, or stores payment card information.

PCI Compliance for Small Businesses

Many people mistakenly believe that if the company is small or makes only a few sales with cards, it is not obliged to comply with PCI. The truth is that PCI compliance for small businesses is just as important as it is for large businesses. The PCI consortium clearly defines that it does not matter if the organization is large or small: regardless of whether it sells products or services, or whether it is a for-profit or not-for-profit organization, while transmitting sensitive credit card data it must comply with the standard. There is specific information for small merchants available.

Few months back we prepared “Compliance Management Checklist for Small Businesses” be sure to check that.

What will change depending on the number of annual transactions that the organization makes, is the way in which compliance will be audited. Payment card companies have established four levels, whose definitions vary slightly between one company and another. But in which all agree is that those organizations that process more than six million annual transactions (Level 1 of the classification), must be audited by an auditing company authorized by the PCI consortium.

%%POST-CONTENT-DEMO-BANNER%%

However, most organizations, possibly including yours, are reached by Levels 2, 3 and 4. The advantage in these cases is that they are not audited by a QSA, but by a self-assessment questionnaire. called SAC (Self-Assessment Questionnaire). It must be completed by the organization, signed by the person responsible for compliance and sent to the payment card companies. This process is usually done annually or bi-annually depending on the organization and the level to which it belongs.

See how you can “make compliance management faster, better, and smarter”

Sometimes the card companies request evidence of compliance with the requirements, and in case any of them is not met, they can also ask that a plan be proposed to implement the security measures or that comply with it. Even when it is not possible to comply with a specific PCI requirement due to the characteristics of the business, it is totally valid to mitigate the associated risk by implementing compensatory controls.

An important point is that the requirements set out in the standard are aligned with other Security Frameworks, such as ISO 27001. And as in the case of ISO 27001, compliance with the standard does not only depend on the systems and technology, but on the entire organization, especially the top executives.

The good news is that the cost of PCI compliance is not very high for small businesses. It is not mandatory for companies to hire an external consultant to comply with the standard, although sometimes it ends up being faster and cheaper. With perseverance, knowledge of the organization, analysis and work, the organization itself can advance on its own and comply with the requirements.

Want to improve how your organization complies with different standards? The Predict360 compliance management system is just what you need. The flexible compliance management system is being used in multiple countries by many different companies. It streamlines and automates compliance management and can be customized to work with the standards that govern your industry and location. Get in touch with our team to get a demonstration of the capabilities of our American Bankers Association endorsed compliance management solution. We also have month long trials for interested parties.