PCI Compliance and Your Business

The days of the cash-only business are over. It doesn’t matter whether your business is a multinational corporation or you cut grass for a living: accepting payment cards is not only convenient for your customers, most of the time it’s also the most secure way to get paid. In an effort to protect the personal and financial information of consumers who have come to depend on their payment cards, the banks that back the credit card industry have developed a regulation that businesses which process cards need to adhere to. Today, we will go over this regulation and how it affects small and medium-sized businesses.

Unpacking PCI

What is commonly called PCI Compliance is actually the Payment Card Index Digital Security Standard (PCI DSS). It was established in 2006 as an industry-wide standard, sponsored by what is now known as the PCI Security Standards Council, which is made up of some familiar names: Visa, Mastercard, American Express, and Discover. The council was established to regulate the credit card industry and to manage the standards to which businesses would be held in order to improve consumer privacy.

The first thing you should know is that PCI standards apply to all businesses that accept payment cards. If your business stores cardholder information or processes digital payments, you have to maintain PCI compliance. Here are 10 actions every business that accepts payment cards needs to take:

  1. Change passwords from system default
  2. Install sufficient network security tools (antivirus, firewalls, etc.) to protect card data
  3. Encrypt transmission of card data across public networks
  4. Restrict access to card and cardholder data to a “need to know” basis
  5. Assign user ID to all users with server or database access
  6. Make efforts to protect physical and digital access to card and cardholder data
  7. Monitor and maintain system security
  8. Test system security regularly
  9. Create written policies and procedures that address the importance of securing cardholder data
  10. Train your staff on best practices of accepting payment cards
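Actions 3 and 4 above are the two that most often come down to a few lines of application code, so here is an added example (written for this edit, not code from the 415 IT post or from the PCI Security Standards Council) of what they look like in practice: an outbound TLS context that refuses anything below TLS 1.2, a check that card data is only ever sent to an HTTPS endpoint, and a log filter that keeps only the last four digits of a card number so that full numbers never reach people or systems without a need to know. The gateway URL, the log line and the card number are constructed sample values.

```python
"""Added example (not part of the original post): PCI DSS actions 3 and 4 as
code a merchant's own application could run.

- Action 3 (encrypt card data in transit): a TLS context that verifies the
  server certificate and refuses protocol versions below TLS 1.2, plus a
  check that card data is never posted to a plaintext http:// URL.
- Action 4 ("need to know"): mask card numbers before they reach a log file,
  keeping only the last four digits.

All sample values below are constructed for the example.
"""
import re
import ssl
from urllib.parse import urlparse

# A run of 13-19 digits, optionally separated by spaces or dashes, is treated
# as a primary account number (PAN) for masking purposes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def transport_context() -> ssl.SSLContext:
    """TLS context for sending card data to a payment gateway: certificate
    verification and hostname checking on, minimum protocol TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_card_data_url(url: str) -> bool:
    """Return True only for an https:// URL with a host; card data must never
    travel over plain HTTP across a public network."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def mask_pan(text: str) -> str:
    """Replace every PAN-looking run in text with asterisks plus the last four
    digits, e.g. '4111 1111 1111 1111' becomes '************1111'."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, text)


if __name__ == "__main__":
    # Constructed values; 4111 1111 1111 1111 is a widely used test card number.
    gateway = "https://gateway.example/charge"      # hypothetical gateway URL
    ctx = transport_context()
    print("minimum TLS:", ctx.minimum_version.name)   # TLSv1_2
    print("https gateway ok:", check_card_data_url(gateway))                   # True
    print("http gateway ok:", check_card_data_url("http://gateway.example/"))  # False
    print(mask_pan("charge ok card=4111 1111 1111 1111 amount=19.99"))
```

The masking step belongs in the logging path, not in the payment path: the gateway still receives the full number over the TLS connection, while every log line, error report or support ticket the application produces carries only the last four digits.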

Again, every single business that accepts payment cards needs to accomplish these 10 things. Many businesses already do them in the normal course of doing business, but if you don’t, and you accept payment cards, you are not in compliance and face severe consequences.

PCI and Business Size

Once you understand the global actions your business needs to take to stay in compliance, you then need to understand what level of merchant you are. According to the PCI Security Standards Council, there are four levels of businesses that process credit cards. They are defined as follows:

  • Merchant Level #1 - A business that processes over six million payment card transactions per year.
  • Merchant Level #2 - A business that processes between one million and six million payment card transactions per year.
  • Merchant Level #3 - A business that processes between 20,000 and one million e-commerce payment card transactions per year.
  • Merchant Level #4 - A business that processes fewer than 20,000 e-commerce payment transactions, and fewer than one million overall payment card transactions per year.

Since a breach at Level 1 will likely affect more consumers, the PCI regulatory body (which doesn’t have the means to constantly check every business) spends more time regulating larger organizations than it does smaller businesses. That’s not to say that small businesses can’t face hefty fines and consumer attrition if they are non-compliant. Each level has its own specific mandate. Let’s go through them now.

Merchant Level #1
Doing massive business online and otherwise brings with it more responsibility. To maintain PCI compliance, Level 1 merchants need to:

  • Perform a yearly Report on Compliance (ROC) through a Qualified Security Assessor (QSA)
  • Allow an Approved Security Vendor (ASV) to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #2
As transaction volume decreases, the standards become less stringent. Level 2 requirements include:

  • Perform a yearly Self-Assessment Questionnaire (SAQ)
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #3
Many medium-sized businesses will fall under this level and need to:

  • Perform a SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Merchant Level #4
The majority of small businesses fall into Level 4 and, like Levels 2 and 3, need to:

  • Perform a SAQ
  • Allow an ASV to complete a quarterly network scan
  • Complete the Attestation of Compliance Form for PCI Council records

Businesses found to be in noncompliance will often be subject to review, and are frequently fined, given extra scrutiny, or have their privilege to accept payment cards revoked. Don’t allow this to happen to your business. If you have any questions about PCI DSS standards, or how to keep your business in compliance, call the IT professionals at 415 IT today at (415) 295-4898.

Thursday, July 16 2020