Don’t stand by, you must comply: the how and why of PCI
PCI compliance. As a merchant accepting card payments (or thinking about it!), you’ve probably already heard the term a lot. And rightly so – it’s hugely important for protecting your customers’ data, and helping cut out fraud. But what does PCI mean, and how do you comply?
In this guide, we’re breaking down all you need to know about PCI compliance. What it is, how it relates to your business, and what the costs are for complying (or, if you’re feeling brave, not complying).
So read on, as we bust the jargon and answer your biggest PCI compliance questions. We’re also breaking down those pesky industry acronyms, starting with…
PCI – what does it stand for?
PCI is the quick way of saying PCI DSS, which stands for Payment Card Industry Data Security Standard. It’s an information security standard that all businesses that accept card payments must adhere to.
PCI is there not only to protect your customers’ information, but to help keep you safe, too. By staying PCI compliant, you help safeguard your business from data breaches and costly fraudulent transactions.
Does it apply to you?
If your business accepts any kind of card payment, you need to be PCI compliant. Do you use a PDQ machine to take face-to-face payments? A virtual terminal to do business over the phone? Or maybe a payment gateway for online transactions?
If you answered ‘yes’ to any of these, then yep – your business needs to be PCI DSS compliant. PCI standards also apply to:
- Electronic Point of Sale (EPOS) systems
- Paper-based records of payment card data
- Online shopping carts and payment applications
- Wireless access routers and store networks
There are four levels of PCI compliance. Find out which one your business belongs to below.
PCI compliance levels
There are four levels of PCI compliance, and your business will have to comply to one of them. Which level you fall under is worked out based on a few factors, including:
- The size of your business
- The amount of card payments you take every year (volume)
- How you take these card payments (method)
If you take credit or debit cards with any of the PCI DSS credit card brands (Visa, Mastercard, American Express, JCB, and Discover), then you need to stay PCI compliant. What your requirements are – and the expected costs – can be found in the table below.
| Level | Who does it apply to? | Validation requirements | Cost of staying compliant |
|---|---|---|---|
| 1 | Businesses processing more than 6 million payments a year | Annual self-assessment questionnaire; quarterly scans by a PCI-approved ASV | £50,000+ per year |
| 2 | Businesses processing between 1 million and 6 million payments a year | Annual self-assessment; quarterly ASV scan; on-site assessment | £8,000 to £40,000 per year |
| 3 | Businesses taking between 20,000 and 1 million ecommerce payments a year | Annual self-assessment; quarterly ASV security scan | £1,000+ per year |
| 4 | Businesses processing up to 20,000 ecommerce payments a year, or up to 1 million payments via other channels | Not specified | £60+ per month |
Which PCI compliance level are you?
PCI Level 1
Level 1 is for businesses that process more than 6 million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.
To comply, businesses must complete an annual self-assessment questionnaire, and face quarterly scans via a PCI-approved ASV.
PCI Level 2
Level 2 is for businesses processing between 1 million and 6 million payments a year. To comply, businesses must complete an annual self-assessment. They also get a quarterly ASV scan, plus an on-site assessment.
PCI Level 3
Level 3 refers to businesses that take between 20,000 and 1 million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.
PCI Level 4
Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to 1 million payments via other channels.
How do I stay compliant?
Earning (and maintaining) PCI compliance can be an elaborate and time-consuming process. How easy it is to do also depends on your business’ size, sales volume, and the current technology you have in place for payment security.
Among other things, PCI compliance may involve:
- Completing annual self-assessment questionnaires
- Implementing security controls
- Hiring consultants to install hardware and anti-virus software
- Building a firewall to protect cardholder data
- Encrypting any cardholder data moving along public networks
- Restricting access to data
- Regularly monitoring and testing networks
- Maintaining an information security policy
All this can add up to a long list of costs. And that’s on top of what you’re already paying in merchant account fees. That’s the bad news.
The good news, though, is that many merchant account providers can handle your PCI compliance requirements for you. This usually comes with a fee, but some providers offer PCI compliance for free when you choose to take payments through them.
Let’s take a look at what you might expect to pay to stay compliant.
The cost of PCI compliance
The more card transactions you take, the more expensive it is to stay compliant. PCI compliance is much easier to manage for smaller businesses, and sometimes comes with no cost at all.
That’s right – some providers, including iZettle, Square, and Handepay, will handle your PCI compliance for free. Their systems already feature anti-fraud and encryption features, so you don’t have to worry about them.
Many other merchant account suppliers, though, will charge a fee for PCI compliance. Thankfully, it’s not massive, usually clocking in between £30 and £60 per year for small businesses. We recommend paying the fee that comes with PCI compliance. It’s just a few pounds a month, and it’ll help you avoid PCI non-compliance fees.
This table gives a quick example of what you might pay your merchant account provider to keep you PCI compliant.
PCI compliance fees
The cost of non-compliance
Non-compliance with PCI standards is bad news, and merchants that don’t comply face big fines. If your business doesn’t comply, your merchant bank could face a fine upwards of £3,000.
And, in true bank fashion, your bank would then pass this fine down until it reached (you guessed it!) your business. Which is… not fun.
Plus, non-compliance stands to hit you in more than just the wallet. Your bank could also choose to terminate your account, and your customers could lose faith in your ability to keep their card data safe. You could also face a potential forensic audit, and an investigation into your business.
The moral of the story? Stay compliant!
PCI DSS may not be the easiest thing to understand (or the easiest acronym to remember), but it can be easy to comply with.
If you currently take card payments, talk to your merchant account provider to make sure you’re PCI compliant. Make sure you know exactly what fees you’re paying (if any) to stay compliant, too.
If you’re not accepting card payments right now, you should be – and we can help. Just fill out our quote-finding form to get merchant account quotes from top suppliers. It’s free, takes less than a minute, and makes it easy for you to compare tailored quotes from providers that reflect the unique needs of your business.
What do you mean by ‘cardholder data’?
Cardholder data is the information relating to the credit or debit card your customer pays with. It refers specifically to the cardholder’s name, the card’s expiry date, and the three-digit security code on the back.
What is a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?
The SAQ is a checklist provided by the PCI Security Standards Council. You fill it in yourself, to see if you’re ticking all the boxes – kind of like a tax return, but for PCI compliance. It measures between 19 and 87 pages, and the length of time it takes to complete will depend on the size of your business and your sales volume (and the amount of coffee you’ve consumed, too!).
Do I need to fill one out?
This depends on which merchant account supplier you work with. If your PCI compliance is managed by your provider (either for free, or at a cost) then no, you’re fine. But if you’ve chosen to manage your own PCI compliance, you’ll need to fill out an SAQ every year.
What is an Approved Scan Vendor (ASV)?
The PCI DSS requires bigger businesses to run internal and external vulnerability scans of their systems. These scans provide important information that helps identify and improve any weak areas in a company’s network.