If You Accept Credit Cards, You Need To Be in Compliance
As payment processing becomes more sophisticated, so do cyber attacks. The Payment Card Industry Data Security Standard (PCI DSS) was created to protect sensitive consumer credit card data. If you accept credit cards (even one card transaction), you need to make sure you are compliant.
In addition, you need PCI compliance insurance through a cyber insurance policy to make sure you're covered in the event of any PCI fines or penalties, as PCI-compliant companies that accept credit card payments are still hacked in major data breaches. Since PCI compliance is a legal requirement, you could face significant fines or assessments if you are not compliant in protecting customer data.
What is PCI Insurance?
While PCI compliance insurance isn’t a stand-alone product, you can protect yourself with a cyber insurance policy. This type of policy provides coverage for both first and third-party claims related to a data breach, in addition to multi-media coverage, cyber extortion, and more.
Here, we’ve outlined the PCI compliance guidelines that small business owners need to know.
Understanding PCI Levels and What They Mean for Small Business
What does PCI compliance cover? There are four levels of PCI compliance to which companies need to adhere. As defined by Visa and Mastercard, the levels are as follows:
- Level One: More than six million Visa/Mastercard transactions per year
- Level Two: Between one and six million transactions per year
- Level Three: Between 20,000 and one million eCommerce transactions per year
- Level Four: Fewer than 20,000 eCommerce transactions or up to one million storefront transactions per year
Most small businesses fall into the Level Four category, meaning you’ll need to complete the Annual Self-Assessment Questionnaire (SAQ), in addition to a possible quarterly network scan.
How to Complete the Annual Self-Assessment Questionnaire and Quarterly Network Scans
To complete the Annual SAQ, you will need a Payment Card Industry Data Security Standard Report on Compliance (PCI DSS ROC). This is available on the PCI security standards website.
Your small business will also be required to complete a quarterly network scan. This scan checks the systems involved in receiving payments for vulnerabilities and must be performed by an Approved Scanning Vendor (ASV). You can find a searchable list of ASVs on the PCI website. We highly recommend Trustwave, as they can simplify the entire compliance process for you with step-by-step instructions.
Recent PCI Changes for Small Businesses
Small businesses are a preferred target for cyber criminals. Visa announced new data security requirements for small merchants that went into effect in 2017, and these are now part of the PCI compliance guidelines.
With these changes, Level Four merchants must use PCI-certified Qualified Integrators and Resellers (QIR). QIRs are professionals who are authorized to install, configure, and repair payment systems. You should ask any vendor who installs or services your payment system to confirm that the work is performed by a QIR.
The PCI website offers the PCI Qualified Integrators and Resellers List to help find QIRs, searchable by region, individual name, company name, or certificate number.
Using a Third Party and PCI Compliance
Small businesses that outsource their payment processing are still required to remain PCI DSS compliant. This applies even to businesses that have fully outsourced all payment processing and do not store or transmit any cardholder data themselves.
While using a third party does not exempt a company from PCI compliance, it can simplify the PCI compliance process. However, a third-party breach means you are still legally obligated to notify your clients and can still be held liable, which is why cyber insurance protection is so important. You can outsource the services, but not the liability.
Ready to take the first step in protecting your organization's data? Our cyber security team at AlphaStaff is available to discuss your options and find the right coverage for your business. Please contact Kari Yuknus, our Product Manager, at (954) 267-1853 or firstname.lastname@example.org to learn more about our cyber insurance solutions.