Not Following PCI Compliance Could Be Costing You Thousands


What is PCI Compliance?

PCI compliance refers to compliance with PCI DSS, the Payment Card Industry Data Security Standard. While the name may be intimidating enough to make you avoid the topic altogether, it’s a good idea to gain a basic understanding of how PCI applies to your industry. Adhering to it is part of protecting cardholder data as well as the financial information security of your business.


PCI DSS Requirements are standards that were implemented by the five largest credit card companies (Visa, MasterCard, Discover, American Express, JCB) to help reduce costly consumer and bank data breaches. 

Around 2006 the role of technology in the workplace changed drastically as the Internet became a vital tool for success for businesses of all sizes. Companies began pushing their products online to increase revenues through various ecommerce platforms.

However, as consumers grew more comfortable using credit cards through an online payment application, the liability of a data breach increased drastically because access to cardholder data was available on public networks. 

In response, the credit card companies formed the Payment Card Industry Security Standards Council and set the industry data security standard PCI DSS. These requirements allow for businesses to safely and securely accept, store, process, and transmit card information during a credit card transaction to prevent fraud and data breaches through a payment gateway. 

Is PCI compliance a law? 

The simple answer is no. While some states have laws that incorporate components of the PCI Data Security Standard, there is no federal law that requires you to comply with it.

Even though there is no federal law mandating the PCI Data Security Standard, if your business accepts debit or credit card payments from any of the five PCI SSC card brands named above, then you must abide by PCI security standards. Failing to do so could result in fines of $5,000 to $100,000 per month levied on your acquiring bank. The banks will often pass this cost on to the merchant account and can terminate contracts or increase transaction fees in response to breaches and violations.

Other penalties for noncompliance include an increased risk to the financial information of your business and customers as well as fraud losses, termination of the ability to accept credit cards, and even a decrease of sales as a result of lost confidence by customers. 

Who is responsible for PCI compliance? 

Each individual business is responsible for their PCI compliance. The PCI Security Standards Council created the PCI DSS Self-Assessment Questionnaire which is used for sellers to self-validate their compliance. 

A merchant processing over 6 million credit or debit card transactions annually (a Level 1 merchant) must have an onsite data security assessment by a Qualified Security Assessor. However, it is not uncommon for Level 2 or Level 3 merchants to schedule audits as well, because their environments are too large to validate PCI compliance efficiently on their own.

For small merchants, these services may be paid for by their acquiring bank as part of their compliance program – or they may leave you to take care of it. Either way, it’s up to you to decide if you want a PCI DSS compliance audit. The audit could be done by external or internal security assessors and would ensure you have secure systems and applications. But, if your payment processing is less than 20,000 Visa or MasterCard transactions per year, it most likely doesn’t make sense to pay for an onsite audit. 

It is always a good idea to put your money towards internal security. Network resources are becoming an essential part of a collaborative work environment, but this also means that company information is easier to access and therefore more at risk of being stolen. To remain PCI DSS compliant, your company needs to put in place the proper internal controls on your systems and processes.

How to Comply with PCI DSS

While there is no such thing as a “PCI certification”, sellers, service providers, financial institutions, and organizations of all sizes need to prove that they are PCI compliant.

The PCI Security Standards Council created the PCI DSS Self-Assessment Questionnaire (SAQ), which is used by sellers to self-validate their compliance. Compliance requires this evaluation to be submitted each year. The document includes a series of yes or no questions for each applicable PCI Data Security Standard requirement.

The payments security landscape is not just limited to cyber hackers. Many of these restrictions focus on the digital realm, leaving many business owners to overlook the risk of physical access to cardholder data. 

Physical access to devices and systems that hold cardholder data should be restricted. Without any physical security, it’s easy for anyone, including employees, to get hold of sensitive data.

With so many rules and stipulations, maintaining PCI compliance can be complicated. Many companies hire an Internal Security Assessor (ISA) sponsor company whose assessors are certified through the Council.

The employees of these organizations have undergone extensive training and can act as a resource library when it comes to PCI Data Security Standards, application security, and stored cardholder information. 


The 12 Requirements for PCI

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel


What Level of PCI Compliance am I? 

While each payment card brand has its own regulations for validation and reporting, they tend to follow a similar pattern of dividing entities into four PCI compliance levels.

Merchant levels are categorized by a combination of factors such as transaction volume within 12 months and security risk as seen in the below table. 

It is important to note that each payment card brand has its own PCI compliance program. However, a business that accepts multiple brands follows Visa’s guidelines by default. All entities should contact their payment brands directly to learn about maintaining PCI compliance for their security systems and processes.

Table showing PCI compliance requirements

Merchant Level 1
Applicable to: Merchants processing over 6 million transactions annually across all channels, or global merchants identified as Level 1.
PCI requirements:
  • Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA), also commonly known as a Level 1 onsite assessment, or by an internal auditor if signed by an officer of the company
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  • Evidence of Compliance form

Merchant Level 2
Applicable to: Merchants processing 1 to 6 million Visa transactions annually across all channels.
PCI requirements:
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Merchant Level 3
Applicable to: Merchants handling 20,000 to 1 million eCommerce transactions per year.
PCI requirements:
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

Merchant Level 4
Applicable to: Merchants handling fewer than 20,000 eCommerce transactions per year, and all other sellers that process up to 1 million transactions per year.
PCI requirements:
  • Complete the PCI DSS Self-Assessment Questionnaire according to the instructions it contains
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV)
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool)
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer

How much does it cost to achieve PCI compliance?

Becoming and maintaining a PCI-compliant business can be expensive, depending on the type and size of your company and the compliance level to which you are held. 

LEVEL 4: If you store cardholder data electronically or process payments through systems and applications with internet connectivity, then an Approved Scanning Vendor must complete a regular network or website scan, and your staff must complete a Self-Assessment Questionnaire (PCI SAQ) and Attestation of Compliance to ensure credit card data protection. This cost could be as low as $60 a month.

LEVEL 3: Your costs will likely involve a regular network or website scan by an Approved Scanning Vendor, plus the cost of completing the annual Self-Assessment Questionnaire and Attestation of Compliance. Scans of the network or any web applications are usually as low as $1,200 a year and go up from there based on the size of your network and the number of IP addresses.

LEVEL 2: Costs include a regular network vulnerability scan by an Approved Scanning Vendor (ASV), which increases based on the size of your network and the number of IP addresses, plus the cost of completing the annual Self-Assessment Questionnaire (SAQ) and Attestation of Compliance. This is usually an all-in cost of anywhere between $10,000 and $50,000 per year and up.

LEVEL 1: Your costs will involve a regular network vulnerability scan by an Approved Scanning Vendor, an annual Report on Compliance by a Qualified Security Assessor, and an Attestation of Compliance. You can expect this to cost upwards of $50,000, depending on the complexity of your security systems.

12 Things You Should Ask Your Credit Card Processor About PCI DSS Compliance

To sum it all up, the PCI DSS standards apply to any company that stores, processes, or transmits cardholder data. Implementing the PCI DSS requirements is a necessary step in your risk management.

By complying with PCI DSS you can protect the privacy and security of sensitive card data. Protect yourself from losing sensitive data or paying noncompliance fees by regularly checking the PCI Security Standards Council website and staying familiar with the PCI standards that apply to your industry.

  1. Are you PCI-validated?
  2. How do I become PCI compliant with a credit card?
  3. What are your guidelines for PCI compliance?
  4. How do you assist with PCI compliance and fraud protection?
  5. How can my business avoid non-compliance fees?
  6. Does your product/service store card information locally?
  7. Does your product encrypt cardholder data before transmitting it?
  8. Can you tell me where cardholder data is stored in your system and how it is protected?
  9. Do you offer any protection in the event of a data breach?
  10. Will you assist with notifying my customers in the event of a data breach that is your product’s fault?
  11. Does my business need to fill out a SAQ each year?
  12. Will you alert me if PCI compliance regulations change?