Whether you’re a small business with a growing web sales component or a full-blown e-commerce site, you need the ability to accept credit cards. That means either a payment gateway service or a merchant account. A payment gateway is simpler to set up, but it can also be much more expensive than processing your own credit cards through a merchant account.
Still, if you’re going to accept cards with a merchant account, there are some industry rules and standards you need to follow. One of the most important of these sets of standards is known as “PCI compliance.”
PCI Compliance is a must-have
Before we get into the nitty-gritty of PCI compliance, let’s consider some of the reasons you need to have it in place:
- The credit card industry requires it. PCI stands for “Payment Card Industry.” It’s a standard put in place by the credit card companies so that they can reduce fraud and provide their customers with secure shopping experiences. There’s no legal force behind the standard, however.
- If you don’t follow compliance rules, bad things happen. There are the immediate risks of not being PCI compliant, such as high fraud rates or chargebacks. However, if you violate your merchant account terms of service, you can face hefty penalties and fines. In some cases, these can shut down a business entirely.
- Your customers want it. More and more, customers are becoming savvy about what security measures websites can take. Some consumers are smart enough to only do business with sites that are visibly PCI compliant.
Your financial institution will check your site regularly to make sure you’re compliant, too.
OK, but what is it, exactly?
Now that you’re motivated to learn more, let’s talk a little bit about what PCI compliance is. Essentially, PCI compliance is a set of standards that cover six areas:
- Network security
- Cardholder data protection
- Vulnerability management
- Access control
- Network monitoring and testing
- Information security policies
There are specific requirements in each of these categories that businesses need to meet if they’re going to be PCI-compliant.
Different PCI compliance levels
Not every business is created equal, however. If you’re a typical small or medium-sized business, you’re going to fall into the category of a Level 4 Merchant. At this level, you need to:
- Fill out some PCI compliance paperwork, including a Self-Assessment Questionnaire, an Attestation of Compliance, and other forms.
- Provide proof of a passing PCI vulnerability scan. On a quarterly basis, you need to have your site examined by a licensed third party and checked for vulnerabilities.
- Make sure your merchant account provider has all of the above. It’s up to you to get all of the necessary paperwork to your merchant account holder, or you could be found out of compliance.
PCI compliance is a necessary part of doing business online. It not only protects your customers, it also protects your business from fraud and chargebacks, and from facing penalties from your credit card merchant account provider.