7 Questions and Answers about PCI Compliance

To what extent does your company know about PCI compliance?

All companies that store, process or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI DSS), a requirement usually referred to simply as PCI compliance.

Whether you are processing credit card transactions from PDQ terminals or taking card payments over the phone, there are bound to be some questions. Here is a guide to the 7 most commonly asked questions about PCI compliance, with the answers to help you navigate the PCI minefield.

To whom does the PCI DSS apply?

Any company or organisation that accepts card payments, or that stores, processes or transmits cardholder data, must comply with the PCI DSS requirements.

I only take card payments over the phone, does the PCI DSS apply to my business?

Absolutely. Any business that accepts card payments must be PCI DSS compliant, without exception. The standard does not care about the channel: a card number read out over the phone and keyed into a terminal or web form is in scope just as much as one captured at a PDQ terminal or on a website.

What level of compliance do I fall into?

There are four merchant levels. The level assigned to a merchant depends on its annual transaction volume, and each level comes with its own validation requirements. The levels are defined by the card brands (Visa, Mastercard and the others) rather than by the PCI Security Standards Council, and the thresholds below are the ones most acquirers use; your acquiring bank will confirm which level you fall into.

Level 4 applies to small businesses that process fewer than 20,000 eCommerce transactions and up to 1 million transactions in total each year. Level 3 covers mid-sized businesses that process between 20,000 and 1 million eCommerce transactions annually. Level 2 applies to companies that process between 1 and 6 million transactions annually, and Level 1 applies to large businesses that process more than 6 million transactions each year. A merchant of any size that suffers a breach of cardholder data can also be moved up to Level 1 by the card brands.

What do I have to do for each level?

Level 4 businesses have to complete an annual Self-Assessment Questionnaire (SAQ). The SAQ is a yes-or-no questionnaire that assesses your current controls for protecting cardholder data; which version of the SAQ you fill in depends on how you take payments (a merchant whose eCommerce is fully outsourced to a hosted payment page answers a much shorter questionnaire than one that stores card data on its own systems). Depending on that SAQ type, you may also have to carry out quarterly external vulnerability scans of any internet-facing systems that are in scope. These must be carried out by an Approved Scanning Vendor (ASV) certified by the PCI SSC, not by your own staff.

Level 3 and Level 2 businesses have to complete the same annual SAQ as Level 4 businesses, and at these volumes quarterly ASV scans are a firm requirement rather than something left to the acquirer's discretion. Some card brands impose extra validation requirements on Level 2 merchants, such as having the assessment carried out by suitably trained internal staff or an external assessor, so check with your acquirer.

Large businesses in the Level 1 category have to complete quarterly ASV scans and undergo an annual on-site assessment instead of an SAQ. The assessment is carried out by an independent Qualified Security Assessor (QSA), or by internal staff certified as Internal Security Assessors (ISAs) where the card brand allows it, and results in a Report on Compliance (ROC).

How much will this cost my business?

The costs vary with your compliance level and with how much of your environment is in scope. Small Level 4 businesses could have their internet-facing network scanned by an ASV for as little as $60 a month.

For larger, Level 3 businesses it will likely cost more, because you probably have a larger network with more external IP addresses to scan. It could cost around $1,200 annually, and if your business is at the upper end of the Level 3 range the costs could be higher.

Level 2 businesses should expect to pay between $10,000 and $15,000 a year for regular scans from approved vendors, while Level 1 businesses, which must also pay for the annual on-site assessment, should budget upwards of $50,000 a year. These are ballpark figures; the biggest lever on cost is scope, because every system that touches cardholder data is a system that has to be scanned and assessed.

My business has multiple locations, do each of these need to be PCI compliant?

It depends. If all your locations trade under the same tax ID, you are usually only required to validate PCI compliance once a year for all of the firm's locations.

However, if you are required to have network scans, every location with internet-facing systems in scope must be scanned by a PCI SSC Approved Scanning Vendor.

What are the penalties for not becoming PCI compliant?

Depending on the severity of the non-compliance, your business could face anything from the cost of reissuing cards in the event of a security breach, to losing your merchant account and being banned from accepting card payments for several years.

The card brands can also fine acquiring banks and payment processors for a merchant's non-compliance, and many of them pass the fine on to the individual merchant, either directly or in the form of inflated transaction fees.

Aside from the official penalties, your business will be tarnished with a reputation for poor card security. Clients and customers will lose faith in your ability to protect them against fraud, and this will harm your business. In that case you will need to go the extra mile to restore your customers' loyalty.

Make yourself aware of what your business needs to do to become PCI compliant. Failure to do so could cause lasting damage to your business.

Emenike Emmanuel
Emenike Emmanuel is a multiple award-winning blogger, CEO of Entrepreneur Business Blog, Chief Evangelist of Ebusinessroom Ventures, and the Lead Coach of an online community of over 12,000 business owners called, The Excellent Entrepreneurs' Network. He’s here to help you start, manage and grow a profitable and sustainable business using digital marketing strategies. Follow him on Facebook, Twitter, Instagram, LinkedIn & Pinterest with this handle, @emenikeng. Telegram group - | Email: [email protected]

1 Comment

  1. Hi Emenike,

    Thank you for this post on PCI compliance. I didn't know much about it until I landed on your post. You have given detailed information which I am sure will be very helpful for new start-ups who are looking to process credit card payments.

    Thanks again for sharing this post. Have a good day. 🙂
