PCI Compliance Checklist
One of the most important things you need to do when setting up your business to accept payment card transactions is ensure you have checked everything off your PCI compliance checklist.
It’s crucial, really!
Don’t have a PCI compliance checklist yet? You need to have one.
Whether it is an actual written list you refer to, or simply directives you follow straight from your credit card processor or bank (or one of our dedicated PCI support reps), you need some sort of “target list” of tasks to ensure your business is 100% compliant.
Being PCI compliant applies to any business that accepts, stores, or transmits credit card data. So if you accept credit cards, debit cards, or any other payment form which involves your customers’ sensitive information, you need to be compliant with these standards.
How do you make sure you are compliant as a small-medium size business?
There are 4 different levels of compliance standards which have to be met depending on the size and scope of the business. The Payment Card Industry (PCI) puts every business that accepts card payments into one of those categories.
For the small-medium size businesses, the following is an example of what you should check to make sure you are compliant:
- Determine which Self-Assessment Questionnaire you need to fill out in order to help you understand what compliance standards your business is required to meet. There are forms available online to help you determine which SAQ you should use. (Or you can use one of our dedicated reps to walk you through it.)
- Once you’ve determined which SAQ applies to your business, follow the given instructions and fill out the questionnaire. (Easier when you have professional help. Pun intended.)
- If an external vulnerability scan applies to your business, you will have to conduct the scan with a PCI SSC Approved Scanning Vendor (ASV) and collect proof of a passing result. This doesn’t necessarily pertain to every merchant. You’ll need to find out what type of service provider you are and whether those requirements apply to you (which RedFynn’s merchant services package helps you with free of charge).
- You must then submit an Attestation of Compliance form, which is included with the SAQ. Be sure you use the correct Attestation of Compliance form.
- Once you’ve done all of this, you must submit the Self-Assessment Questionnaire, the Attestation of Compliance form, the evidence (if applicable) of a passing scan test, as well as any other documentation requested to the acquiring bank or financial institution.
Being PCI compliant applies to nearly every business out there. As stated above, ANY business that collects, stores, or transmits customers’ card data must be PCI compliant.
Maybe you accept a lot of credit card payments over the phone? If this is your business, yes, you are still responsible to meet PCI compliance standards.
You collect your customers’ information over the phone and transmit it to your processor to accept their payments. Ipso facto, you must meet compliance standards.
The Payment Card Industry defines “cardholder data” as the PAN (Primary Account Number, i.e. the card number itself) together with any of the following information: expiration date or service code.
Sensitive Authentication Data must also be protected. It includes any information stored on the magnetic stripe on the card, CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more.
If your business collects, uses, or transmits any of this information, you must meet PCI compliance standards.
Maybe you own several different businesses in multiple locations? Yes, this also applies to all of those businesses (if they accept card payments). The only difference here is that if all of those locations process transactions under the same Tax ID, you are usually only required to validate once a year for all your locations.
You must also pass quarterly network scans by an ASV (if applicable to your business). *See the vulnerability scan step in the checklist above.
Will your business be penalized for not meeting PCI compliance standards? Short answer, yes.
The payment companies (Visa, MasterCard, etc.) will levy fines against the bank or financial institution who processes your payments. Your bank or ISO (Independent Sales Organization) will pass whatever fees they receive down to your business.
In many cases, the bank or ISO you are using will terminate your account with them, or they will increase the fees for processing your transactions.
Most small-medium size businesses cannot handle these fines. There are many businesses who are, quite literally, forced to shut their doors as a result of these huge fines.
Which of the card payment types you currently accept fall under PCI compliance?
Well, any transaction with a card which has one of the major credit card company logos on it is included in that category: credit, debit, and prepaid cards with a credit card logo on them.
Maybe you use third-party payment processors and want to know “does PCI compliance still apply to me?” The answer is: yes.
It doesn’t matter whether you use a third-party processor or not. You are still required to meet PCI compliance standards.
Your risk exposure may be lower, which can make validating your business’s compliance easier. But you still must meet compliance standards; they must not be ignored.
We would hate for you to be faced with insurmountable fees because you failed to meet PCI compliance standards.
It’s hard enough as it is to stay in business with an ever-growing rise in competition and ever-shrinking pool of consumers without getting slammed with huge fines which could have easily been avoided.
The above information should hopefully help you when coming up with your PCI Compliance Checklist, and the questions posed are good questions to ask yourself.
We here at RedFynn Technologies have all of the information you need to answer all your PCI compliance questions and the friendliest staff in the industry!
Give us a call for more information! (888) 510-9871