What Is PCI Compliance and What Does It Mean for My Business?

Learn about PCI compliance fees and the Payment Card Industry Data Security Standards. Discover what they are, how they vary, and how Swipesum helps you stay compliant at no cost. Protect your business and avoid penalties.

Rounding it up

  • PCI compliance varies on levels, or the number of transactions you process in a year.
  • There are 12 requirements to compliance and most businesses will perform a security scan, fill out some forms and sign an attestation.
  • Larger businesses may have to have third-party security scanners come on site to audit the network.
  • PCI compliance isn’t overwhelmingly expensive, but it can be if you don’t do it right. Merchants often their PCI status, or perhaps putting it on the backburner. Over time, this risks being shut down by a processor for not being PCI compliant!

As a business owner, you’re assuredly concerned with your security. If you’ve got brick-and-mortar stores, you want to ensure that goods are locked, the store has trustworthy employees and you’ve got the processes in place that employees can easily follow to keep your store secure. You’ve also got electronics policies that help ensure your point-of-sale and other systems are secure. What are you doing, however, to keep your customers’ information protected against hackers and thieves?

That’s what PCI - or Payment Card Industry - compliance is all about. While not technically required by law, PCI compliance is a crucial way that customers, other businesses and your banking partners know that you’re handling information securely. Here, we’ll look at what PCI compliance is, what it can do for you and why being compliant is such a good idea.

Curious about PCI compliance? Swipesum provides information on PCI in account approval emails, during onboarding, and after onboarding. We provide links and information for video tutorials that lead you through the questionnaires to get compliant. Book a free consultation today.

What is PCI?

PCI stands for Payment Card Industry and compliance with it means that your business has achieved and continues to follow the Payment Card Industry Data Security Standards. In the simplest terms, PCI are a series of standards that establish what a merchant or business needs to do to ensure they’re handling credit card information appropriately. By completing the Data Security Standards Process, businesses are proclaimed to be PCI compliant. So what does that actually mean?

What are the Steps to Ensure PCI Compliance?

There are 12 major steps to ensure PCI compliance. 

  1. Implement firewalls to protect data
  2. Appropriate password protection (such as 2FA)
  3. Protect cardholder data
  4. Encryption of transmitted cardholder data
  5. Utilize antivirus and anti-malware software
  6. Update software and maintain security systems on a regular basis
  7. Restrict access to cardholder data
  8. Unique IDs assigned to those with access to data
  9. Restrict physical access to data storage
  10. Create and monitor access logs
  11. Test security systems on a regular basis
  12. Create a policy that is documented and that can be followed

The policy boils down to a series of fairly simple security measures that any card processor or business handling payment card information should be able to easily follow. The goal of the requirements is to protect customer data and the requirements are meant to be adopted broadly.

Why do card companies care?

Payment card companies care a great deal about ensuring merchants are handling information securely - but why? Two main reasons. First, credit card companies are generally on the hook for covering fraudulent charges that are on their customers’ accounts. In fact, it’s become a staple of most credit cards and one of the many reasons it can sometimes be smarter for customers to use credit instead of debit. The second reason is that they want to keep their customers happy broadly and so should you!

What Are PCI Compliance Fees and Charges?

PCI Compliance is essential for any business accepting cards or handling credit card data, and while it protects customer information, it often comes with associated fees. Here's a breakdown of what to expect:

PCI Compliance Fees

Many payment processors charge PCI Compliance Fees, each provider has different pricing as they mark up their actual costs. This fee is to help businesses meet the Payment Card Industry Data Security Standard (PCI DSS). These fees can vary widely:
- Worldpay charges monthly fees starting at $30.00 per month.
- Elavon charges $74.99 per month.

These fees may be included in your overall processing costs or appear as a separate line item on your invoice. Swipesum, however, offers PCI compliance support at no additional cost, helping merchants avoid these fees.

Non-Compliance Fees

If your business isn't PCI compliant, you might face Non-Compliance Fees, ranging from $10 to $100 per month. These penalties encourage businesses to achieve compliance quickly.

Additional Compliance Costs

Other potential costs include:
- SAQ (Self-Assessment Questionnaire): $0 to $200
- Vulnerability Scanning: $100 to $200 per IP address
- Employee PCI Training: $70 per employee
- Remediation: $100 to $10,000 depending on the work needed

Total Cost of PCI Compliance

Depending on your business size, PCI compliance can range from $1,000 to $50,000+ annually, with large enterprises potentially paying much more.

Swipesum's PCI Advantage

Swipesum simplifies PCI compliance by offering these services at no extra charge, helping businesses stay compliant without added costs. Investing in PCI compliance is crucial to avoid penalties and protect your business from data breaches.

How do I get PCI compliant?

Generally, your merchant account provider will offer PCI compliance services. There is likely a fee for this service but it can take some of the headache out of managing things yourself. Additionally, you can hire consultants to assist you with PCI compliance. You can also do it yourself, at no cost. All you have to do for PCI compliance is complete and file a self-assessment questionnaire each year along with records of the scans that are required of your payment network. There may be some additional paperwork required but it should all be relatively straightforward for businesses to complete. 

You’ll then sign an attestation form that you agree to remain compliant and that’s it! You’ll get a nice certificate. For most small businesses, this is sufficient and as long as you continue meeting requirements, you won’t have any issues. If you’re a larger business and fall into a higher “compliance level,” you may have to submit your network to security scans by an approved vendor.

What are the Levels of PCI Compliance?

Compliance levels are based on the number of transactions you process in a given year.

  • PCI Level 1: Businesses processing over 6 million transactions per year
  • PCI Level 2: Businesses processing 1 million to 6 million transactions per year
  • PCI Level 3: Businesses processing 20,000 to 1 million transactions per year
  • PCI Level 4: Businesses processing less than 20,000 transactions per year

If you’re a small business or perhaps doing some sales on the side, you can see that you likely fall into Level 4. Many medium sized businesses, restaurants, bars and other businesses you may find around town, likely fall into PCI Level 2 or 3. Level 1 is usually reserved for very large companies. 

A few considerations

There are a few things to keep in mind when you’re determining your compliance level, getting PCI compliant and holding on to that designation.

Don’t guess

Your payment processor should have fairly robust reporting tools that allow you to see how many transactions you’ve processed. Get a firm understanding of this number and ensure you apply appropriately. Being too low can result in fines. Being too high means you’re paying for things you don’t need to.

Keep it front of mind

Security of your customers’ information should always be right on the top of your mind. It’s good business and bad data privacy policies can lead to some very expensive lawsuits.

Get help

PCI compliance can be confusing. Determining your level, understanding what you actually need to do - and most importantly, what you don’t - and keeping those programs running can be time consuming and expensive if you do things wrong.

Swipesum can help. Our proprietary software helps analyze your transactions to determine where fees might be bogging your business down. Our consulting services are designed to help you maximize your time running your business, not filling out paperwork.

Swipesum provides information on PCI in account approval emails, during onboarding, and after onboarding. We provide links and information for video tutorials that lead you through the questionnaires to get compliant.

Sydney Stribrny

Sydney Stribrny

Sydney is a rising senior at Washington University in St. Louis studying Media and Marketing. As Swipesum's Creative Director, Sydney creates, designs, and develops strategies for Swipesum's content. In her free time, she enjoys running, watching movies, and cooking.

Read more

Request a CONSULTATION

Meet one of our payment processing experts to see if working together makes sense.

We will schedule a quick consultation call to go over how you're currently handling merchant services, and present a proposal at no cost.

Man smiling while folding his arms

Swipesum.Insights

What Is the FedNow Controversy?
December 16, 2024
Minutes

SWIPESUM.CONSULTING

We help businesses make intelligent payment decisions.

Learn more about Swipesum

audit Merchant services Statements

Start with a free merchant statement audit and analysis

Schedule an audit

consultation

Connect with a payments expert and get a free initial consultation

Book consultation

By submitting this form you agree to receive information about Swipesum product updates via email as described in our Privacy Policy and Terms & Conditions.