Security, compliance, credit card fraud – this is the part of your retail business that is about as fun as cold water, but if you want to accept credit cards as a payment method, there are a few things you are required to comply with.
By now, you’ve probably heard of PCI Compliance. Some payment providers include that protection inside their plan (like we do), and others don’t. This means it’s up to the merchant to uphold their security standards themselves.
When a merchant isn’t properly educated on how to do that or doesn’t even know what PCI Compliance is to begin with, this opens the door to some potentially vulnerable situations when it comes to credit card fraud.
So, what is PCI Compliance? Why is it important? And how can you ensure you’re processing credit card transactions and collecting payment data securely? We’ve broken down the basics of what your business must do so you can quickly get back to focusing on what matters most – your customers.
What is PCI Compliance?
By definition, PCI (short for PCI DSS) Compliance, stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment to protect both the consumer and the merchant.
The PCI SSC (Payment Card Industry Security Standard Council) was founded by major card brands (like AMEX, MasterCard, Visa, JCB, and Discover) to develop and manage security in the payment card industry.
The PCI DSS outlines minimum requirements for:
- Policies and procedures
- Security management
- Network architecture
- Software devices
- Other critical protective measures
PCI DSS levels
The first step in becoming PCI compliant is understanding which level your business falls into. PCI levels define the required compliance of each merchant. These levels are:
- Any merchant processing more than 6 million MasterCard or Visa transactions per year, regardless of channel
- A merchant that has been a victim of a hack that resulted in data compromise
- Any merchant determined as level 1 by a card brand
- Any merchant processing 1 to 6 million MasterCard or Visa transactions per year
- Any merchant processing 20 thousand to 1 million MasterCard or Visa eCommerce transactions
- Any merchant regardless of acceptance channel (card present, card-not-present, etc.)
For American Express and Discover merchant levels please visit these websites:
Why does PCI DSS and security matter?
Have you ever had your personal credit card defrauded? It’s no fun. PCI standards are designed to help protect all participants in the card ecosystem from this very problem.
When theft or a breach of cardholder data occurs, cardholders lose trust in their financial institutions as well as the merchants with whom they do business. There is also the possibility of large negative financial impact for cardholders, merchants, and the organizations that facilitate payments. Ultimately, no one wins.
Looking for a payment provider?
Learn more about Lightspeed Payments
How can my business meet PCI standards?
In order to meet the PCI requirements, each merchant has to go through a series of steps.
Compliance validation for merchants from level 2, 3, and 4 is completed via a yearly Self-Assessment Questionnaire (SAQ). If applicable, quarterly network vulnerability scans may also be conducted by an approved scanning vendor (ASV).
Level 1 merchants must undergo a more rigorous compliance validation, while Levels 2, 3 and 4 merchants do not need to undergo external validation and are at the discretion of the acquiring bank.
Depending on a merchant’s classification or risk level (determined by the individual payment card brands and/or your PCI level), the steps to follow are::
- PCI DSS Scoping – determine which system components and networks are in scope for PCI DSS for your business.
- Assessing – examine the compliance of system components in scope following the testing procedures for each PCI DSS requirement (the relevant SAQ can be used as a guide).
- Reporting – assessor and/or entity submits required documentation (e.g. Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC), including documentation of all compensating controls.
- Clarifications – assessor and/or entity clarifies/updates report statements (if applicable) upon request of the acquiring bank or payment card brand.
Do I have to comply with PCI DSS?
Yes. Any merchant, regardless of volume or size of business, that accepts credit cards as a form of payment or processes, transmits or stores cardholder data must comply with all aspects of the PCI DSS standards. Even if you accept just one of these big 5 credit cards, this still applies.
In the event of a breach or hack, the merchant may be subject to the following:
- Fines from the card associations
- Forensic investigation
- Issuing banks may recoup re-issuing costs form the merchant (including possible fraud loss and fraud monitoring expenses)
- Government fines
- Brand and reputational damage
How does Lightspeed help your business achieve PCI Compliance?
Lightspeed is compliant with PCI DSS, which helps you streamline and validate your own state of compliance.
- We provide only PCI-compliant hardware and software and maintain a PCI-compliant platform.
- Lightspeed is the merchant on record for every transaction. We deal with the banks on your behalf.
- Lightspeed’s technical approach to security is designed to protect both you and your customers. We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization. Lightspeed’s integrated payment system provides end-to-end encryption for every transaction and tokenizes data the second it reaches our servers.
Want to learn more about retail PCI Compliance?
For more detailed information, check out the PCI Security Standards website and each individual card brand compliance programs:
Do you know the difference between integrated and non-integrated payments?
Download our white paper on payment processing to find out