PCI Compliance: What You Need to Know

Payment card industry (PCI) compliance matters to every business that accepts cards. Keeping consumers' cardholder data secure is essential to avoiding trouble: failing to comply with the rules set by the PCI can lead to hefty fines and cost your business time, money, and undue hassle. Learn more about PCI DSS compliance and see how Liquid Cash can protect you, for free.


Intro to PCI Compliance

When it comes to running your business, the safety and security of your own and your customers’ sensitive information should be a priority—especially their financial information. Because commerce and payments technology are constantly changing, new rules and regulations often accompany those changes to help ensure that both businesses and consumers are protected.


The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements put forth by the five largest credit card brands to help reduce costly consumer and bank data breaches. It was created to ensure that every company that processes, stores, or transmits credit card information keeps that information in a secure environment. Achieving PCI DSS compliance can be a daunting task for business decision makers. In this guide, we break down the need-to-knows of PCI DSS compliance and take you through the steps needed to safeguard your business and your customers.

Six Frequently Asked Questions About PCI Compliance

What is the PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. The standard sets the requirements that organizations and sellers must meet to safely accept, hold, process, and transmit cardholder information when consumers pay by card, in order to stop fraud and data breaches.

How much does it cost to be PCI DSS compliant?

The cost of becoming PCI compliant, and then maintaining that standing, can range from approximately $1,000 to over $50,000 annually, depending on the size of your business.

Who needs to have a PCI DSS compliance certification?

PCI certification doesn’t exist! However, merchants, service providers, banks, and any other organizations that process credit card payments must be able to prove that they are PCI compliant.

What are the PCI DSS compliance levels?

There are four levels of PCI compliance, and each level has different requirements for how a merchant validates its compliance. The level your business falls under is based on your annual total transaction volume.


Am I responsible for a PCI DSS Compliance Self-Assessment Questionnaire (SAQ)?

The PCI DSS Self-Assessment Questionnaire is a checklist ranging from 19 to 87 pages, created and distributed by the PCI Security Standards Council, that sellers can use to self-validate their PCI DSS compliance. Liquid Cash does not require sellers to complete an SAQ or to self-validate, since Liquid Cash’s iCheckout 360 hardware and software maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Are there PCI noncompliance fees?

Yes, there are normally fees for PCI noncompliance. If your business does not comply with PCI standards, you are at greater risk of a data breach, and you can also face hefty fines and other costs, including card replacement costs, costly forensic audits and investigations into your business, and more.


PCI Compliance: A Deep Dive

Whether or not you’re a Liquid Cash merchant, it’s still a good idea to understand PCI compliance, since maintaining it is integral to protecting the safety of your customers’ financial data and your business.

PCI COMPLIANCE CHECKLIST FOR 2019

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a security policy and ensure that all personnel are aware of it.

*This PCI compliance checklist was written in July 2018 and may not contain new steps, so ensure you’re compliant by selling with Liquid Cash or by visiting the PCI Security Standards Council website.

Understanding the history of the Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) started in 2006, when the Internet had become a mandatory and valuable asset for businesses of all sizes. As the Internet reached more and more consumers, companies that chose to use it began bringing their payment processing systems online, which allowed them to connect wirelessly to their physical and virtual terminals. At the same time, consumers became more at ease using credit cards offline and, increasingly, online.


With so many new avenues of commerce, and with consumers and businesses alike still learning how to use the technology, opportunities for criminals to steal credit card information from unsecured networks and payment systems became more common.

In response to increasing data breaches, in 2004 the five largest credit card brands—Visa, MasterCard, Discover, American Express, and JCB—united to implement the Payment Card Industry Data Security Standard (PCI DSS) to help regulate the industry and prevent expensive consumer and bank data breaches. In 2021, the estimated cost of a data breach was around $4.24 million, which underscores how expensive breaches can be.


Eventually, the PCI Security Standards Council was formed, and PCI compliance became a priority for businesses as the way to regulate the security of the credit card payment industry.

The PCI Security Standards Council was set up as an independent body, meant to “monitor threats and improve the industry’s means of dealing with them, through enhancements to PCI Security Standards and by the training of security professionals.” The Council is responsible for establishing the standards that merchants must adhere to, such as PCI-compliant applications and self-assessment questionnaires (SAQs) or checklists. It’s important to remember that the credit card companies made PCI compliance a self-regulated requirement. This means that they no longer accept liability for maintaining compliance in any part of the payment processing system; that responsibility is passed on to merchants and organizations.

It’s also important to remember that credit cards are usually safe. Because of new rules and standards, such as EMV chip cards, cards are becoming even more secure. However, even the most notable brands can suffer large data leaks involving credit cards. By maintaining PCI compliance, you help defend your business against criminals who obtain sensitive cardholder information and use it to impersonate the cardholder or steal their identity.

What is PCI DSS compliance?

The Payment Card Industry Data Security Standard (PCI DSS) refers to payment security requirements that ensure all merchants are securely storing, processing, and transmitting cardholder data during a credit card transaction.

Any business with a merchant ID that accepts payment cards has to follow PCI compliance standards to protect its customers against data breaches. These standards, listed in the PCI compliance checklist above, range from establishing and maintaining data security policies for your business to instructing employees on how to remove card data from your processing system and payment terminals.


“Cardholder” or payment data covers information such as the full primary account number (PAN), the cardholder’s name, and the card’s service code and expiration date. Sellers are also responsible for protecting sensitive authentication data, such as the full magnetic-stripe (track) data, the card verification values (CAV2, CVC2, CVV2, CID), PINs, PIN blocks, and more.

The credit card diagram above shows where sensitive cardholder data appears on a credit card. Anyone who collects, processes, stores, or transmits payment card transactions must follow the strict processes required to maintain PCI compliance. Note that entities involved in payment card transactions can never store sensitive authentication data after authorization. This includes the 3- or 4-digit security code printed on the front or back of a card (CVV), the data stored on a card’s magnetic stripe or chip (also called “full track data”), and personal identification numbers (PINs) entered by the cardholder.
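As an added example (not part of this guide or of Liquid Cash’s software), the Python below sketches how a merchant system can enforce the storage rule just described: after authorization it drops every sensitive authentication data field, keeps the PAN only in masked form (first six and last four digits at most, the PCI DSS display limit), and scrubs Luhn-valid card numbers that leaked into a log line. The field names and the sample record are constructed for illustration.

```python
import re

# Sensitive authentication data (SAD) field names as they might appear in a
# merchant's transaction record. Constructed for this example.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cav2", "cid", "pin", "pin_block",
              "track1", "track2", "full_track"}

# 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test; separates real PANs from arbitrary digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display limit)."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> tuple[dict, list[str]]:
    """Copy a post-authorization record, dropping SAD and masking the PAN.
    Also returns a list of what was changed, suitable for an audit log."""
    kept, findings = {}, []
    for key, value in record.items():
        name = key.lower()
        if name in SAD_FIELDS:
            findings.append(f"dropped SAD field {key!r}")
        elif name == "pan":
            kept[key] = mask_pan(str(value))
            findings.append("masked PAN")
        else:
            kept[key] = value
    return kept, findings


def scrub_log_line(line: str) -> str:
    """Redact Luhn-valid card numbers that leaked into free text such as logs."""
    def redact(match: re.Match) -> str:
        pan = match.group(0)
        return mask_pan(pan) if luhn_valid(pan) else pan
    return PAN_RE.sub(redact, line)


if __name__ == "__main__":
    # Constructed sample using a well-known test PAN, not a real card.
    auth = {"pan": "4111111111111111", "cvv2": "123", "track2": "<swipe data>",
            "name": "J. Doe", "exp": "12/26", "auth_code": "A1B2C3"}
    print(sanitize_for_storage(auth))
    print(scrub_log_line("auth ok pan=4111 1111 1111 1111 amt=12.50"))
```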


PCI standards apply to many financial systems such as:

  • Point-of-sale systems
  • Store networks and wireless access routers
  • Card readers
  • Payment card data stored in paper-based records
  • Online payment applications and shopping carts
  • Payment card data storage and transmission

Becoming PCI compliant and staying compliant can be a rigorous process. It can involve hiring an expensive third-party consultant to install costly software and hardware, enforcing new security controls, signing a contract that binds you to the bank’s terms for annual PCI compliance, completing annual self-assessments (which are often not in your best interest), and more.

Please refer to the PCI Small Merchant Guide to Safe Payments for more information about how you can better protect payment card data and your business.

What are the PCI compliance levels and requirements?

If your business takes payment cards from any of the five PCI SSC member brands (American Express, Discover, JCB, MasterCard, and Visa), you are required to be PCI compliant, and your compliance level is determined by your annual transaction volume. For example, sellers with a higher volume of transactions are required to work with internal security assessors (ISAs), qualified security assessors (QSAs), and PCI-approved scanning vendors (ASVs).


There are four levels of compliance, and each establishes the requirements that sellers at that level are responsible for maintaining. The PCI Council regards a business as “in compliance” only when it meets 100% of the criteria. Because of this complex responsibility, many large businesses work with a PCI compliance consultant on the requirements and on how to meet the standards for their level. While each credit card brand has its own slightly different criteria, the PCI compliance levels are generally as follows*:

PCI compliance levels

Merchant Level 1

Applicable to:

  • Sellers that process over 6M transactions per year
  • Any merchant that has had a data breach or attack that resulted in an account data compromise
  • Any merchant identified by any card association as Level 1

PCI requirements*:

  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)—also commonly known as a Level 1 onsite assessment—or by an internal auditor if signed by an officer of the company
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Attestation of Compliance form

Merchant Level 2

Applicable to:

  • Sellers that process 1M to 6M transactions per year

PCI requirements*:

  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Merchant Level 3

Applicable to:

  • Sellers that process 20,000 to 1M e-commerce transactions per year

PCI requirements*:

  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Merchant Level 4

Applicable to:

  • Sellers that process fewer than 20,000 e-commerce transactions per year, and all other sellers that process up to 1M transactions per year

PCI requirements*:

  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

*Each of the five payment brands has its own data security programs that require merchants to safeguard credit card processing data. Here’s a helpful example of Visa’s PCI DSS requirements.


What are the consequences for noncompliance?

If you aren’t aware of all the rules around PCI compliance or the punishment for being noncompliant, you’re not alone.

Even though PCI compliance is not a law, that does not take the burden off your business. According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches last year, higher than both 2020’s total of 1,108 and the previous record of 1,506 set in 2017. This underlines the importance of securing your entire payment processing life cycle.

If your business is not compliant with PCI standards, you could be at risk for data breaches, fines, card replacement costs, costly forensic audits and investigations into your business, brand damage, and more if a breach occurs.

In fact, one study found that approximately 30 percent of small businesses report that they don’t know the penalties for noncompliance with PCI DSS 3.0.

Penalties are not highly publicized, but they can be devastating for a business. For example, if your company violates PCI compliance standards, the credit card brands can charge your acquiring bank fines of $5,000 to $100,000 per month. Banks typically deny liability and pass these fees on to the merchant. Beyond the fine itself, banks can also terminate contracts or raise transaction fees after reports of your company’s breaches and violations.

Beyond the direct financial cost, there are even greater potential liabilities for your business. According to the PCI Security Standards Council, failing to comply with PCI standards, and the data breaches that can follow, could result in:

  • Lost confidence, so customers go to other merchants
  • Diminished sales
  • Cost of reissuing new payment cards
  • Fraud losses
  • Higher subsequent costs of compliance
  • Legal costs, settlements, and judgments
  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost jobs (CISO, CIO, CEO, and dependent professional positions)
  • Going out of business

What does it cost to be PCI compliant?

Becoming and maintaining a PCI-compliant business can be costly, depending on the type and size of your company and the compliance level to which you are held.

By level, the costs typically range from:

Level 4: $60 to $75 per month and up

Costs include an Approved Scanning Vendor (ASV), who should complete a regular network or website scan, and completion of a Self-Assessment Questionnaire (SAQ) and Attestation of Compliance by you or your staff.

Level 3: $1,200 a year and up

Costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 2: $10,000 a year and up

Costs include regular scans by ASVs and increase based on the size of your computer network and number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance.

Level 1: $50,000 a year and up

Costs include a regular network scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance.

Watch out for predatory service providers that charge expensive fees but only satisfy a portion of your PCI requirements.


Liquid Cash ensures your business is PCI compliant

Liquid Cash complies with the Payment Card Industry Data Security Standard (PCI DSS) so you don’t have to validate your state of compliance.

  1. Liquid Cash’s software uses a simple setup with no configuration required and includes end-to-end encryption at no additional cost. We maintain PCI compliant software at no additional cost to you, with no monthly contracts or long-term commitments. Businesses that use Liquid Cash to store, process, and transmit their customers’ card data don’t need to take any additional steps to validate their PCI compliance to Liquid Cash, and there are no PCI compliance fees.
  2. Liquid Cash is the merchant of record for every transaction. We help our users by dealing with the banks on their behalf including PCI compliance, regulation, and processing. We are their number one advocates in making sure that simple errors, honest mistakes, and disputes are resolved equitably.
  3. Liquid Cash’s technological approach to security is designed to protect both the user and their customers. We adhere to industry-leading PCI standards to manage our network, secure our web and client applications, and set policies across our organization. Liquid Cash’s integrated payment system provides end-to-end encryption for every transaction at the point of swipe, dip, or tap and tokenizes the data once it reaches our servers. Plus, with our cutting-edge technology we are able to monitor every transaction from acceptance to payment. We are always innovating new methods of fraud prevention to protect our users’ data like our business depends on it—because it does.