You may have heard the term PCI compliance while exploring how to accept patient debit and credit cards as a form of payment, but if you’re not entirely sure what PCI compliance entails, you’re not the only one.
Here are some frequently asked questions regarding PCI compliance and how it impacts your practice.
- What is PCI compliance? PCI is an acronym for “payment card industry.” PCI compliance refers to a set of standards created in 2006 by the Payment Card Industry Security Standards Council (PCI SSC), an independent body made up of representatives from the major brands in transaction processing, including Visa, MasterCard, American Express, Discover and JCB. The standards were devised to ensure that any organization that handles sensitive payment information maintains the highest level of security throughout transaction processing.
- Is it illegal to not be PCI compliant? You are not legally required to be PCI compliant to process debit and credit card payments—but you expose your customers and your business to considerable risk if you’re not. In fact, according to PCIComplianceGuide.org, if a breach occurs and you are found not to be PCI compliant, your business could be subject to thousands of dollars in fines and fees, and potentially lawsuits, depending on the nature and severity of the breach.
- What is sensitive data? Sensitive data technically refers to a customer’s 16-digit account number (PAN, or personal account number), and/or a full PAN together with the customer’s name, expiration date and service code, as well as the data on a card’s magnetic stripe, PINs and security codes. Under the PCI SSC’s standards, a business must protect all of these to be PCI compliant.
- What size does my business have to be to require PCI compliance? Any business that accepts credit or debit cards must be PCI compliant. As the experts at PCIComplianceGuide.org explain, breaches often impact small merchants and home-based businesses; hackers perceive them as the “path of least resistance” in terms of security.
With that said, PCI compliance assigns particular standards based on the size of transactions your business processes over twelve months. Many small- to medium-sized businesses fall into “Level 4,” which applies to merchants that process under 20,000 Visa e-commerce transactions in that time, or up to 1 million Visa transactions in any other sales channel.
- How do I verify that I’m PCI compliant? Whether you process most of your transactions through mobile payments, through a third-party payment gateway that securely processes online sales, or on a fixed or mobile point-of-sale terminal, it’s critical to confirm that you use only payment processors that guarantee PCI-compliant processing before, during and after the transaction. Additionally, PCI compliance sets out processes for how your staff handles payment data (for example, it should never be recorded on paper or sent in an email) and for the security of your internal servers and networks.
PCI compliance also requires that you monitor payment processing devices and point-of-sale terminals to confirm that they have not been tampered with, and that you perform internal and external vulnerability scans quarterly. According to the PCI SSC, these scans should also confirm that external connections—such as firewalls and internal network security, applications and portable computer devices—are secure and free of malware. You can hire approved scanning vendors (ASVs) to assist with the scanning and validation process.
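As an added illustration (not part of the original article), the Python helper below scans free text such as an outgoing email draft or a support ticket for the 16-digit account numbers defined above, uses the Luhn check to filter out reference numbers that merely look like card numbers, and masks what it finds so the text can be kept or forwarded without a full PAN. The digit-grouping pattern and the first-six/last-four masking convention are assumptions, not something the article specifies.

```python
import re

# Candidate PAN: 16 digits, optionally grouped in fours by spaces or dashes.
# The page defines sensitive data as the 16-digit account number; the grouping
# pattern is an assumption about how PANs appear in free text such as email.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most random 16-digit strings (order or
    reference numbers) so the scanner flags card numbers, not every number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid 16-digit PAN found in text, as plain digits."""
    return [
        "".join(m.groups())
        for m in PAN_CANDIDATE.finditer(text)
        if luhn_valid("".join(m.groups()))
    ]


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits and mask the rest (an assumed
    masking convention; the page itself does not specify one)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form so the message
    can be logged, ticketed or forwarded without carrying a full card number."""
    def _sub(m):
        digits = "".join(m.groups())
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed sample of an outbound email draft: 4111 1111 1111 1111 is a
# well-known Visa test number (Luhn-valid); 1234567890123456 fails Luhn.
SAMPLE_EMAIL = "Patient paid by card 4111 1111 1111 1111 exp 12/27, ref 1234567890123456."
```

Running `redact` over outbound mail or application logs before they leave the practice is one practical way to enforce the “never in an email” rule above.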
- Does PCI compliance mean I can’t use recurring billing? While the experts at PCIComplianceGuide.org do not encourage storing sensitive data, businesses that use a subscription-based model can be PCI compliant by ensuring they use appropriate encryption technologies to protect information used for the purpose of recurring billing. Small businesses can hire qualified security assessors (QSAs) to help confirm information is indeed protected.
Accepting credit and debit cards allows you to meet customers’ expectations for how they can pay, but handling sensitive payment data carries a high degree of responsibility and risk for merchants. The more familiar you are with the ABCs of PCI compliance, the better equipped your business is to maintain the security you need to serve customers and to stay protected from the risk of a breach.