PCI Compliance for Small Business

When customers’ sensitive information is stolen during a data breach, the financial and resource costs to those buyers as well as to the retail merchants involved can be significant. In an effort to protect customer information during the payment transaction process, a consortium of the major credit card brands known as the Payment Card Industry Security Standards Council (PCISSC) developed a set of standards called the Payment Card Industry Data Security Standard (PCI DSS) that it also enforces. If you are a seller or service provider and accept electronic payments via credit cards from customers, it is incumbent upon you to learn about PCI compliance for small business.

The Importance Of Small Business PCI Compliance

Adherence to this set of PCI requirements is required. However, even if it were voluntary, following the guidelines is in your best interest. This is because cyber criminals often target micro merchants, preying on their complacency and their mistaken belief that they are too small to be a worthy victim.

Furthermore, businesses that fail to comply will pay a high financial price. For starters, your merchant account provider will charge you a noncompliance penalty each month until you have corrected the situation. If your failure to meet the standards leads to an actual security breach, your bank might be fined as much as $500,000 by the PCISSC, a fee that it is sure to pass right on to you. To make matters worse, you will be forced to jump through even more compliance hoops as a result of the breach, and that means an extra expenditure of time and resources that you cannot avoid.

PCI Compliance Levels

Since one size definitely does not fit all when it comes to businesses, the PCISSC has categorized them according to levels. Level one is for extremely large corporate entities and has the strictest compliance requirements. On the other end of the continuum is level four, which is for the smallest companies and has fewer and simpler standards to follow. If you process fewer than 20,000 e-commerce transactions annually or fewer than 1 million transactions from all sales channels per year, your business is considered to be a level four.

However, should your noncompliance result in a data breach, you will most likely be moved to level one status, which involves the mandatory intercession of an outside auditor as well as additional fees. The bottom line is that it is much better to learn about and implement PCI compliance strategies so that you can avoid getting in trouble in the first place.

Since most entrepreneurs will own enterprises in the level four category, we will focus our attention there. When you are in the market for a payment processor, you should consider the following factors:

  • Data breach insurance. Having this type of policy can help to minimize the financial impact of a security incident. Some companies provide it as a built-in feature of your account; others offer it as an add-on. In some cases, you might even need to purchase it separately.
  • PCI processing fees. Your payment processor will charge these to cover the cost of implementing compliance procedures.
  • PCI compliance mechanisms. These features are the nuts and bolts of how your vendor will adhere to the standards. They include PCI-compliant payment processing hardware (a firewall for credit card processing, a PCI-compliant card reader, a router suited to PCI compliance, POS and mobile processing systems, payment gateways, virtual terminals, etc.); quarterly network vulnerability scans; assistance with completing and submitting a Self-Assessment Questionnaire (SAQ); and encryption and tokenization capabilities.

Whether you own a brick-and-mortar store or do all of your sales online, you need a vendor who is committed to remaining PCI-compliant. Without this dedication, the security and privacy of your payments could be in jeopardy.

PCI Compliance Best Practices For Small Business Owners

Although adhering to this standard can appear daunting, it helps to know some of the top best practices that small businesses need to implement right away. They include the following:

  • Only use PIN transaction security equipment that is PCI-approved, including POS systems, countertop terminals, PIN pads and mobile processing solutions.
  • All software that you use for your POS and payment gateway should be PCI-approved.
  • Do not store customer card data, whether digitally on your website or server or physically on paper. Modern resources such as tokenization give you a way to protect yourself from the dangers that come from holding this information, and you are PCI non-compliant if you possess it.
  • Use a properly configured network firewall for the purpose of securing your system.
  • Change all passwords from the defaults provided by the manufacturer. Using a weak password can put your entire system and the data it contains at risk.
  • Password protect your wireless router and enable all encryption capabilities.
  • Conduct physical checks of your equipment and quarterly vulnerability scans to make sure that no malware or card-skimming programs have entered your environment. This is the best way to learn about threats before they turn into outright breaches.
  • Give your staff tips for PCI compliance as well as red flags to keep an eye out for such as suspicious email attachments. Point out company protocols on mobile and data sharing that all staff are required to follow.
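To make the "do not store card data, tokenize it instead" advice concrete, here is an added example (not code from the article or from any payment vendor) of a toy tokenization flow. The `TokenVault`, `OrderStore` and the test card number 4111111111111111 are constructed for this demo: the merchant hands the card number (PAN) to the vault immediately, keeps only a random token and a masked copy in its own records, and a small scanner checks that no Luhn-valid card number has leaked into stored data or logs. In a real deployment the vault lives at the payment processor, not on the merchant's systems.

```python
# Added example (not from the article): minimal tokenization flow showing how a
# merchant system keeps a raw card number (PAN) out of its own storage. The vault,
# order store and sample PAN are constructed for this demo; in practice the vault
# is operated by the payment processor, not by the merchant.
import json
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit validation, as used by payment card numbers."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits for receipts and order records."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps random tokens to PANs. Stands in for the processor-side vault."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
        self._pans[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pans[token]


class OrderStore:
    """The merchant's own records: tokens and masked PANs only, never the PAN."""

    def __init__(self) -> None:
        self.orders: list[dict] = []

    def record(self, order_id: str, token: str, masked: str) -> None:
        self.orders.append({"order_id": order_id, "token": token, "card": masked})


def process_checkout(vault: TokenVault, store: OrderStore, order_id: str, pan: str) -> str:
    """Hand the PAN to the vault at once and persist only its token and a mask."""
    token = vault.tokenize(pan)
    store.record(order_id, token, mask_pan(pan))
    return token


PAN_RE = re.compile(r"\b\d{13,19}\b")


def contains_pan(text: str) -> bool:
    """Scan text (logs, database dumps, exports) for Luhn-valid card-number-like runs."""
    return any(luhn_valid(m) for m in PAN_RE.findall(text))


if __name__ == "__main__":
    vault, store = TokenVault(), OrderStore()
    # 4111111111111111 is a widely used non-live test PAN (constructed input)
    token = process_checkout(vault, store, "order-1001", "4111111111111111")
    records = json.dumps(store.orders)
    print("stored:", records)
    print("raw PAN present in merchant records?", contains_pan(records))
    print("vault can still charge via token:", mask_pan(vault.detokenize(token)))
```

The `contains_pan` scanner is the defender's check: run it over application logs, database exports and backups to confirm that nothing downstream of checkout ever received a raw PAN, which is exactly the condition the "do not store" bullet requires.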

Non-compliance with PCI requirements often results in hefty financial and reputational penalties. No business owner needs to go through all of the angst and negative consequences that can result. If you comply, you will simplify your life, protect your brand and customers and support your business’s future.