Breadcrumb

PCI Compliance for Small Business

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedNov 20212 min read

No matter the size of your business, you need to certify your PCI DSS (Payment Card Industry Data Security Standard) compliance every year. Otherwise, your business could run into trouble. PCI compliance for small business rules may seem strict, but they exist to help prevent the widespread hacking of customer data. Complying helps to ensure your business keeps running profitably, and that your customer’s data is safe. In this post, we’ll explain what’s meant by PCI DSS compliance for small business, how to ensure compliance, and what can happen if you fail to comply with the regulations.

Why is PCI compliance for small business important?

If you accept online credit and debit card payments, you are responsible for storing, processing, and transmitting cardholder data securely. The PCI Data Security Standard (overseen by the PCI Security Standards Council) provides merchants with a set of requirements they need to follow when it comes to detecting, preventing, and reacting to cardholder data security breaches. PCI compliance for small business is designed to protect both sellers and customers from the potentially harmful impact of breaches on their finances and reputation.

PCI compliance fines for small business breaches

While PCI DSS isn’t a law, noncompliance does breach the contracts between banks, merchants and payment brands, and there are consequences, including PCI compliance fines for small business breaches.

What can a lack of PCI compliance cost small business? Let’s take a look at some of the potential penalties:

Hefty fines enforced by regulators
A revocation of permission to take credit card payments
A mandatory forensic examination
Liability for fraud charges
Credit card replacement costs
Credit monitoring services for affected customers
PCI compliance reassessment

Achieving PCI compliance and small business

If you’re a small business, you probably won’t have the same resources as a larger firm, e.g. in-house compliance officers. That’s why achieving PCI compliance and small business isn’t always easy. Properly securing your systems and designing security policies so they’re compliant takes time and effort.

PCI compliance for small business requires that you:

Build and maintain secure systems and networks and install firewalls
Never rely on default system passwords from third parties
Encrypt cardholder data across open and public networks
Protect your systems against malware and keep anti-virus software updated
Restrict access to cardholder data to those who need to know
Use authentication measures to access systems
Track and monitor networks regularly
Maintain robust security policies that all staff are aware of

Depending on how many transactions you make each year, you’ll need to achieve a specific level of PCI compliance. If you’re a small company with less than 20,000 transactions, you’ll need to achieve Level 4. If you have 20,000 to a million transactions every year, you’ll need to achieve level 3.

Use a trusted payment provider to handle PCI compliance for small business

Some companies find that storing payment card data for subscriptions and recurring payments offers customers convenience. However, the task of handling that data comes at a cost. That’s why many smaller businesses set up direct debits to collect payments – also known as ACH Debits or bank debits. These have protections in place to ensure they’re safe payment methods for customers. Plus, using a trusted payments provider means your sensitive financial information is handled by an external organization.

PCI DSS compliance for small business keeps you and your customers safe

Staying compliant means you’re keeping your customer data safe, and PCI compliance for small business guidelines help you to do just that. When customers input their sensitive data on your website, they need to know you’ll keep it safe. Data breaches will not only destroy their trust in your company but threaten the survival of your business altogether, which is why adhering to PCI DSS requirements is so crucial.

We can help

GoCardless helps you automate payment collection, cutting down on the amount of admin your team needs to deal with when chasing invoices. Find out how GoCardless can help you with ad hoc payments or recurring payments.