Breadcrumb

How and why your business should be PCI compliant

Written by

The GoCardless content team comprises a group of subject-matter experts in multiple fields from across GoCardless. The authors and reviewers work in the sales, marketing, legal, and finance departments. All have in-depth knowledge and experience in various aspects of payment scheme technology and the operating rules applicable to each. The team holds expertise in the well-established payment schemes such as UK Direct Debit, the European SEPA scheme, and the US ACH scheme, as well as in schemes operating in Scandinavia, Australia, and New Zealand. See full bio

Last editedJul 20212 min read

We live in a time where cyberattacks are infinitely more common than physical security breaches and that’s not going to change anytime soon. In such a landscape, businesses must ensure they are properly protected from malicious hackers, particularly when it comes to payment information. That’s where PCI compliance steps in.

What is PCI compliance?

PCI stands for “payment card industry” so if you are PCI compliant, that means your business meets the full regulatory requirements for processing payment information online. Collectively, those processes are known as the “data security standard” (or DSS), which is why you’ll often find companies asking “is PCI DSS compliance mandatory in the UK?” Which, of course, it is.

If you fail to meet these standards then you can incur PCI fines and penalties, bank sanctions and even lawsuits and prosecution in some extreme circumstances. It might be a set of rules rather than a law but if you don’t follow those rules, legal action could eventually be taken.

These standards were introduced to protect customers and businesses alike from hackers. And if your business meets these standards, it reveals you have taken the necessary steps to protect itself and your payment data from breaches and cyberattacks.

Do I need PCI compliance?

If your business processes or stores any kind of payment data then yes, you need to be PCI compliant. Given the rise in popularity of e-commerce in the last decade or so, that applies to the vast majority of companies, regardless of size. Once you’ve been validated, you must also revalidate your compliance annually and be prepared to face an audit if it’s suspected you might not be playing by the rules.

Even small businesses should pursue PCI compliance because all businesses are susceptible to fraud. Indeed, sometimes hackers might target smaller businesses because they perceive them as being less of a threat. Low reward, perhaps, but low risk too.

How to get PCI compliance

Being PCI certified is as simple as filling out a self-assessment form on the official PCI Security Standards Council website. You will be asked a different set of questions depending on your business sector, but if you find yourself answering “no” more often than “yes” then you’ll probably need to take further action before getting certified.

Once you have taken the necessary action and beefed up your security and authentication protocols, it’s then as simple as filling out a formal AOC (“attestation of compliance”) form with your credit card companies, which will give you everything you need to prove you’re above board. But before filling out those forms, you might need to make some changes to the way your business handles payment information.

PCI compliance requirements

There are several PCI compliance requirements to consider when setting up or auditing your online payment systems. Of course, there are different standards depending on the size of your company and how many transactions it processes.

There are four levels of standards relating to companies that process a high volume of payments (level 1 – over six million a year) and those that process very few (level 4 – under 20,000 a year). Those who have outsourced payment processing, meanwhile, are measured against another set of standards entirely.

Once you’ve discovered which level you fall into and what standards are required you will probably want to hire a specialist to help you set up your network security protocols. They can set up firewalls and authorisation protocols with robust passwords, often with multi-factor authentication.

Once your compliance efforts have been finalised, the work is not over. You’ll still need to regularly monitor and test networks and maintain a solid security policy. Just one lapse could be enough to open up your payment information for dangerous hackers.

We can help

If you’re interested in finding out more about PCI compliance, or any other aspect of your business finances, then get in touch with our financial experts at GoCardless. Find out how GoCardless can help you with ad hoc payments or recurring payments.