What is PCI Compliance?

Security, compliance, credit card fraud – this is the part of your retail business that is about as fun as cold water, but if you want to accept credit cards as a payment method, there are a few things you are required to comply with.

By now, you’ve probably heard of PCI Compliance. Some payment providers include that protection inside their plan (like we do), and others don’t. With the latter, it’s up to the merchant to uphold the security standards themselves.

When a merchant isn’t properly educated on how to do that, or doesn’t even know what PCI Compliance is to begin with, the business is left exposed to credit card fraud.

So, what is PCI Compliance? Why is it important? And how can you ensure you’re processing credit card transactions and collecting payment data securely? We’ve broken down the basics of what your business must do so you can quickly get back to focusing on what matters most – your customers.

What is PCI Compliance?

PCI Compliance means complying with the PCI DSS, the Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment, protecting both the consumer and the merchant.

The PCI SSC (Payment Card Industry Security Standards Council) was founded by the major card brands (AMEX, MasterCard, Visa, JCB, and Discover) to develop and manage security in the payment card industry.

The PCI DSS outlines minimum requirements for:

  1. Policies and procedures
  2. Security management
  3. Network architecture
  4. Software design
  5. Other critical protective measures

Note 💳

Each card brand is responsible for enforcing these standards as it sees fit.

PCI DSS levels

The first step in becoming PCI compliant is understanding which level your business falls into. PCI levels determine the compliance validation required of each merchant. These levels are:

Level 1

  • Any merchant processing more than 6 million MasterCard or Visa transactions per year, regardless of channel
  • A merchant that has been a victim of a hack that resulted in data compromise
  • Any merchant determined as level 1 by a card brand

Level 2

  • Any merchant processing 1 to 6 million MasterCard or Visa transactions per year

Level 3

  • Any merchant processing 20 thousand to 1 million MasterCard or Visa eCommerce transactions

Level 4

  • Any merchant regardless of acceptance channel (card present, card-not-present, etc.)

Important 🔴

If your business falls within any of these four levels, we recommend you contact the PCI council to validate your compliance.

For American Express and Discover merchant levels please visit these websites:

Why do PCI DSS and security matter?

Have you ever had your personal credit card defrauded? It’s no fun. PCI standards are designed to help protect all participants in the card ecosystem from this very problem.

When theft or a breach of cardholder data occurs, cardholders lose trust in their financial institutions as well as the merchants with whom they do business. There is also the possibility of large negative financial impact for cardholders, merchants, and the organizations that facilitate payments. Ultimately, no one wins.

Important 🔴

Failure to comply with the PCI DSS can result in unnecessary yearly penalties and fees. This, however, is not the case if your payment service provider takes care of it for you and includes PCI Compliance in their offering.

How can my business meet PCI standards?

In order to meet the PCI requirements, each merchant has to go through a series of steps.

Compliance validation for level 2, 3 and 4 merchants is completed via a yearly Self-Assessment Questionnaire (SAQ). If applicable, quarterly network vulnerability scans may also be required, conducted by an Approved Scanning Vendor (ASV).

Level 1 merchants must undergo more rigorous compliance validation. Level 2, 3 and 4 merchants do not need external validation; what is required of them is at the discretion of the acquiring bank.

Note 📝

Make sure to always keep all validation documentation readily available.

Depending on a merchant’s classification or risk level (determined by the individual payment card brands and/or your PCI level), the steps to follow are:

  1. PCI DSS Scoping – determine which system components and networks are in scope for PCI DSS for your business.
  2. Assessing – examine the compliance of the in-scope system components, following the testing procedures for each PCI DSS requirement (the relevant SAQ can be used as a guide).
  3. Reporting – the assessor and/or entity submits the required documentation (e.g. the Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.
  4. Clarifications – the assessor and/or entity clarifies or updates report statements (if applicable) upon request of the acquiring bank or payment card brand.

Important 🔴

If you are a Lightspeed Payments customer, you do not need to complete an SAQ. All Lightspeed Payments hardware and software are already PCI Level 1 certified.

Do I have to comply with PCI DSS?

Yes. Any merchant, regardless of volume or size of business, that accepts credit cards as a form of payment, or processes, transmits or stores cardholder data, must comply with all aspects of the PCI DSS. Even if you accept just one of the five major card brands listed above, this still applies.

Note 📝

Lightspeed Payments users don’t have to worry about this because our experts take care of it on their behalf. However, it is still crucial for every merchant to understand why PCI DSS is so important.

In the event of a breach or hack, the merchant may be subject to the following:

  • Fines from the card associations
  • Forensic investigation
  • Issuing banks may recoup card re-issuing costs from the merchant (including possible fraud loss and fraud monitoring expenses)
  • Litigation
  • Government fines
  • Brand and reputational damage

How does Lightspeed help your business achieve PCI Compliance?

Lightspeed is compliant with PCI DSS, which helps you streamline and validate your own state of compliance.

  1. We provide only PCI-compliant hardware and software and maintain a PCI-compliant platform.
  2. Lightspeed is the merchant on record for every transaction. We deal with the banks on your behalf.
  3. Lightspeed’s technical approach to security is designed to protect both you and your customers. We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization. Lightspeed’s integrated payment system provides end-to-end encryption for every transaction and tokenizes data the second it reaches our servers.

Important 🔴

As stated above, Lightspeed Payments systems and hardware are compliant. However, your in-store compliance as a business remains your responsibility. For more information, please contact Lightspeed Support.

Want to learn more about retail PCI Compliance?

For more detailed information, check out the PCI Security Standards website and each individual card brand’s compliance program:
