PCI Compliance Can Still Be Tricky for Smaller Merchants

May 31, 2017

While many merchants, regardless of size, have made the switch to next-gen payment processing including EMV and mobile platforms, there are still plenty of holdouts.

Companies may be on the fence about making the upgrade for any number of reasons, but one of the most commonly cited is that smaller businesses worry about their ability to comply with the Payment Card Industry Data Security Standard (PCI DSS) on an ongoing basis, not just at the moment of the switch.

PCI compliance is a baseline requirement for handling card payments securely. Small merchants that don't know how to proceed should research the requirements that apply to them and, where needed, work with a point-of-sale reseller or their acquiring bank to confirm which self-assessment questionnaire and scanning obligations apply to their setup.

Data cited by Total Retail suggests that about 60 percent of all data breaches hit small and medium businesses, and with the EMV liability shift moving counterfeit-fraud losses onto merchants that have not upgraded their terminals, a proactive security posture is vital to a company's survival. A merchant that is not PCI compliant and is hit with a data breach can be on the hook for tens of thousands of dollars in forensic investigation, card reissuance, fines and remediation costs arising from the incident.

PCI compliance is crucial for businesses of any size that accept card-based payments.

Potential Problems
Of course, the problem many companies face is that they don't know what PCI compliance entails, or whether they currently meet it, according to Radial. This is especially common when a company has several decision-makers with compartmentalized roles. For instance, a recent poll of larger retail companies found that while more than 4 in 5 CIOs said their payment processing software is PCI compliant, just 69 percent of CEOs thought so. Likewise, a similar share of CIOs said they know their payment software includes encryption, while only half of CEOs said the same. When the people who sign the attestation and the people who run the systems disagree about basic facts like these, the compliance status itself is in doubt.

Familiarizing Businesses
In a lot of cases, even the term "PCI compliance" may be unfamiliar to merchants, so it's important for companies to understand what the requirements will be based on their own situation, according to Shopkeep. For instance, the more transactions a company processes in a given year, the more rigorous its validation requirements. Level 1 merchants – those processing more than 6 million transactions annually – must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), documented in a Report on Compliance, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), to remain compliant.

However, most smaller merchants will fall into Level 4, which covers companies that handle fewer than a million card transactions each year. Level 4 merchants complete an annual Self-Assessment Questionnaire (SAQ) and sign an Attestation of Compliance, and, depending on which SAQ applies to how they accept cards, may also need quarterly external vulnerability scans by an ASV. Exact validation requirements for Level 4 are set by the merchant's acquiring bank, so the acquirer is the authority on which SAQ and scans apply. Because the SAQ is a self-attestation rather than an independent audit, it's up to each company to actually carry out these checks on a regular basis rather than treating the form as a once-a-year signature.

In general, merchants should continually assess their ability to maintain strong security controls and ensure they can process card transactions and store any payment data as safely as possible. Doing so is good practice in its own right, and it also helps insulate the business from significant financial risk.