The acronym stands for Payment Card Industry Data Security Standard. These are standards for security policies, technologies and ongoing processes that protect the payment systems of our merchant clients from any breaches or theft of cardholder data.

These standards are overseen by the PCI Security Standards Council, which touches the lives of hundreds of millions of people worldwide. They are a global organization that maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe. The Council was founded in 2006 by American Express, Discover, JCB International, Mastercard and Visa Inc.  They share equally in ownership, governance, and execution of the Council’s work.

They serve anyone who works with and is associated with payment cards. This includes: merchants of all sizes, financial institutions, point-of-sale vendors, and hardware and software developers who create and operate the global infrastructure for processing payments.

There are two priorities for the PCI Security Standards Council’s work:

1. Helping merchants and financial institutions understand and implement standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data.
2. Helping vendors understand and implement standards for creating secure payment solutions.

There are 12 basic requirements every business needs to meet. For more information on those, please see our Onboarding Guide.

Becoming (and remaining) PCI compliant carries a range of costs. What you can expect to pay depends on your merchant level, which is dependent on variables such as:

• The size, location, and nature of your organization
• The number of card-based transactions you process annually
• How you capture and process card-based payments (i.e., in-person or online)

There may be additional costs associated with employee training, which is voluntary for smaller organizations, but often required for larger ones. Upgrading magstripe POS terminals with more secure EMV-enabled readers also carries expenses. The same is true for eCommerce merchants that protect their visitors by adding Secure Sockets Layer (SSL) certificates to their sites. Of course, there are direct PCI compliance fees – normally calculated and charged by your payment processor.

These variables make it difficult to provide an exact “cost” for PCI compliance. However, smaller organizations can expect to pay $300 to $500 annually to become and remain compliant. By contrast, a multinational enterprise might need to spend $70,000 to $100,000 a year to remain in good standing.

• Your business will be regularly assessed against these security guidelines, so it’s best to understand how it can impact your day-to-day tasks and responsibilities.
• If you’re using a point-of-sale device (POS) that’s more than a few years old, chances are it’s not protecting you against potential threats in adherence to current security standards.
• One way to simplify your security is to start with a modern POS, specifically one that is PCI PTS (Payment Card Industry PIN Transaction Security) certified. Think of PTS certification like PCI compliance for payment terminals. POS providers like our partners at Clover provide payment terminals and can submit their machines for inspection and certification to make sure that a third party will not be able to access cardholder and PIN information.
• All Clover point-of-sale devices are PTS certified, taking much of the burden of PCI compliance off of busy merchants. One of the critical points of PTS certification is point-to-point encryption (P2PE). Having built-in P2PE, as merchants with current Clover POS systems do, will make the entire process of certifying PCI compliance much easier.

• PCI compliance is assessed in two ways:

Self-Assessment Questionnaires (SAQs) and;

Audits

• Generally, businesses are required to submit SAQs annually and are audited quarterly to ensure compliance.
• Answering a questionnaire once a year many not sound that complicated, but how your business is structured and the number of credit card transactions you process dictate which of the 8 different SAQs you will have to complete.

What might initially seem like a simple checklist of requirements can balloon into over 200 questions examining things like your networks, login systems, and data storage.

• Self-Assessment Questionnaire questions are difficult and often time-consuming to address. If you choose to work with a Clover POS system, you get to bypass most of them.
• The P2PE-certified hardware Clover builds includes multiple CPUs to protect data, even in the case of a virus being introduced to the system. Its high-level encryption protects customer information from the moment it is captured until it’s through the payment gateway.
• With this level of security built in, the PCI questionnaire merchants will have to complete is reduced to as few as five questions from 200 plus. Clover Security also offers add-ons, which allow you to access a team of people who will help you across the finish line to PCI compliance.

• Yes, in addition to your annual SAQ, you’ll also have to complete four system audits each year.
• If you are PCI compliant, these electronic audits will be much easier.
• If you use the services of Clover Security, you’ll get automated reminders to schedule and complete these audits as well as a guided questionnaire to complete your SAQ . That means you can spend more time running your business, and less time worrying about how to protect your payment data.

There are many ways you can end up non-compliant. Here are just a few:

1. Not filling out your annual SAQ (Self-Assessment Questionnaire)
2. Filling out your annual SAQ incompletely and/or inaccurately
3. Failing to complete quarterly network audits
4. Not taking recommended steps provided by PCI compliance experts
5. Sharing login information or usernames among employees
6. Using default passwords for any of your networks or equipment
7. Using a public WiFi for some of your transactions if you have a network issue, or are off-site