PCI Compliance 101
Let’s talk about everyone’s favorite topic: PCI compliance.
If you’re truly interested in learning about PCI compliance (although we’re not sure why you would be) you can check out the Official PCI Security Standards Council website here. If you’re like most people though, trust us when we say that your only real concern should be how to minimize your compliance burden and avoid dealing with it at all costs.
PCI, for those who don’t know — A.K.A. everyone who isn’t a payments nerd — stands for Payment Card Industry (simple enough, right?) The PCI Council oversees the Payment Card Industry Data Security Standard, or PCI DSS for short. The Council is made up of representatives from the major credit card brands (Visa, Mastercard, American Express and Discover) as well as JCB, a major debit card provider. They are considered an independent body (in the sense that they aren’t appointed or regulated by the government), and they set the rules, requirements, and regulations for what constitutes PCI compliance and what companies need to have in place in order to be compliant at various levels.
Most of it comes down to how you as a company process, store, and transmit sensitive data like credit card details through your system — be it a virtual terminal, a physical one, or a website. The bottom line: Any merchant or company that accepts credit cards has to be PCI compliant at some level.
Becoming PCI Compliant
For most businesses, it’s reasonably straightforward. The vast majority maintain their compliance through a Self-Assessment Questionnaire (SAQ) that can be completed online by answering anywhere from 25-100 simple questions. This applies mainly to businesses who accept credit cards for payment, but don’t store, process, or transmit any of the credit card information or data along the way. While there are several different versions of the SAQ that become larger and more strict depending on how much a business is involved in processing card data, for most merchants, as long as you’re not writing down credit card numbers on post-its and leaving them around your store or restaurant (please, please, don’t do that), you’ll be able to satisfy the requirements of your SAQ quickly and move on.
But, as a software company that’s building integrated payments into your products, what do you have to worry about in order to be PCI compliant? Like most things when it comes to payment processing, there’s a few different options.
With a managed PayFac provider like Stripe, they manage your PCI compliance for you. When integrating with Stripe, Square, or Braintree, they offer you a small piece of javascript (.js) code that developers place on your website or software. This code allows customers to enter their credit card data on a payments form that appears on your website, but in reality is hosted by the managed PayFac’s network. You as the software company, and your website, never touch the sensitive details.
While the options for where to place the piece of code as well as its branding are limited, it allows you to accept payments through your software without having to worry about safeguarding the information yourself. Instead, Stripe stores it on their system, and sends your software an encrypted token anytime you need to process a transaction. This minimizes your PCI compliance scope so that you only need to fill out an SAQ once a year — with the same simple requirements for your merchants.
However, as your business grows and you process more transactions each year, you may no longer qualify to use the SAQ. For many companies, when they get to this point they may start to consider becoming their own PayFac through PayFac-in-a-Box options. Once you become your own PayFac though, PCI obligations often become even more complicated, and you likely will have to become Level 1 PCI DSS certified.
In layman’s terms, that means your company will have to go through a time-consuming and expensive process, including documenting all your system’s structure and protections you have in place as well as an audit. During the audit, an onsite auditor will come to your business, look through your code, examine your security processes, and determine if you have appropriate checks and balances in your development.
None. Of. This. Is. Free.
In fact, audits can cost as much as $30,000 on average, and they must be completed each year, as well as any time you make changes to how you process credit cards. That doesn’t include additional costs for consultants to help you through the process, network scans, as well as the time and energy of your team. It can easily become a $50,000-$100,000 line item to maintain PCI Level 1 certification each year.
PCI Compliance Made Easy
We should know, because at Tilled we are PCI Level 1 Certified. And as a true partner for your payments processing, we’re always willing to transfer your credit card data to another Level 1 Certified Vault should you decide to switch to another processor or build one out yourself.
We’ll also never nickel and dime you over PCI compliance. While other processors love charging monthly fees to cover PCI compliance, as well as “gotcha” fees if you don’t fill out your SAQ on time (which they’ll never remind you to do), we don’t charge monthly PCI fees and will never play games about PCI compliance. Not only will we happily remind you each year what you need to do to remain PCI compliant, we’ll help you if you have any questions or concerns about your SAQ.
So, stop worrying about PCI compliance and let Tilled take care of the red tape.
