Most retail businesses accept credit card payments, which means they need to meet PCI compliance requirements.
Accepting credit card payments lets shoppers pay for your products through multiple payment methods like mobile wallets and card-not-present transactions.
But processing card payments means handling cardholder data, which requires you to take specific security measures to protect your customers and your business.
While consumers are using different ways to pay with credit cards, especially through tap-to-pay and contactless payments, small business owners often struggle with understanding how to meet PCI compliance requirements.
Whether it’s your first time accepting credit cards or you’re used to taking credit card payments, understanding and meeting PCI compliance requirements is complicated. You’ll learn exactly what PCI compliance is and how to satisfy requirements in this article.
What is PCI compliance?
Payment Card Industry (PCI) compliance is a set of security requirements for organizations that process debit and credit card transactions. Payment Card Industry compliance includes the technical and operational requirements that businesses must meet in order to protect credit card data shared by cardholders.
The standard was created by the PCI Security Standards Council to increase controls around payment data to prevent fraud. You can create a PCI Compliance checklist to guide you and your team.
Who must be PCI compliant?
If your business accepts credit cards as a form of payment, your software and hosting must be PCI compliant.
Any type of business that handles, accepts, transmits, or stores payment card data, no matter the size or processing volume, must be PCI compliant.
Even if you only process two credit card transactions per month, you must comply with PCI requirements.
If you operate a third-party payment processor, you have to comply with PCI standards. Even if you don’t store credit card data, but it passes through your server, you still need to comply with PCI requirements.
By not being PCI compliant, companies put their customers and business at risk. Without the protection of PCI compliance, your business could be at risk of expensive data attacks and breaches.
Requirements for PCI compliance
PCI compliance is a continuous process that requires regular evaluations of your current security systems and practices. It’s not a “comply once and then forget it” process. Instead, it’s a continual long-term effort to keep customer data safe.
Although PCI compliance can be complicated for retail businesses, it doesn’t have to be. Shopify is certified Level 1 PCI DSS compliant. If you host your store on Shopify, this compliance certification extends by default to your business.
The latest set of security standards, PCI DSS version 4.0, includes 12 key requirements with over 300 sub-requirements. Here are the main PCI compliance requirements businesses must follow:
- Use firewalls
- Install password protection
- Protect cardholder data
- Encrypt transmitted cardholder data
- Use antivirus software
- Update software regularly
- Restrict cardholder data access
- Unique IDs to access data
- Restrict physical access to data
- Create and maintain access logs
- Regularly test security systems
- Create and document policies
1. Use firewalls
Installing firewalls helps you build and maintain a secure network. PCI compliance requires merchants to install and maintain a firewall configuration to protect cardholder data.
2. Install password protection
Merchants need to protect sensitive card data with strong password protection. Avoid using vendor-supplied defaults for system passwords and other security measures. Set up your own unique passwords that would be hard for attackers to guess.
3. Protect cardholder data
Business owners need to take all precautions to protect cardholder data from theft or attacks. Data must be stored in a safe place that’s not vulnerable to a breach. Teach all team members about security and how to protect cardholder data.
4. Encrypt transmitted cardholder data
To better prevent data theft and attacks, merchants must encrypt the transmission of cardholder data across open and public networks. That way, should an attacker intercept your data in transit, they can’t use it.
5. Use antivirus software
Install antivirus software on your computers and regularly update it to protect your hardware from viruses. Regularly test that your antivirus software is active.
6. Update software regularly
Software providers often update their software to include new security features. Using the latest software updates helps ensure you’re protecting sensitive data to the best of your abilities.
7. Restrict cardholder data access
Restrict access to cardholder data to those who actually need it. Instead of granting your whole team access to cardholder data, only give access credentials to those working in financial departments.
💡 PRO TIP: With Shopify POS, you can assign different roles and permissions and set boundaries on what store staff can do in your POS system without manager approval—like changing a product’s price or applying a custom discount to a sale.
8. Unique IDs to access data
Provide a unique ID to each person with data access. When employees leave, make sure to change user names and passwords immediately to prevent data leaks. Set complex passwords for your employees to prevent people from guessing access credentials.
9. Restrict physical access to data
Limit physical access to data to those team members who require access for their job. Avoid storing sensitive cardholder data on computers or on paper.
10. Create and maintain access logs
Track and monitor all access to network resources and cardholder data with up-to-date access logs. That way, if you suffer a data breach it may be easier to trace its source.
11. Regularly test security systems
Before you experience a data breach or theft, know how strong or weak your security systems are so you can make necessary changes before it’s too late. Regularly test your security systems with cybersecurity professionals to evaluate whether they can withstand an attempted attack.
12. Create and document policies
Maintain a complete set of policies that explain your business approach to information security for employees and contractors. Update policies frequently so that all team members know and understand expectations when it comes to data security.
Importance of being PCI compliant
- Maintain secure systems
- Protect customer data and trust
- Be better prepared for additional regulations
- Reduce data breaches and fines
While PCI compliance isn’t a law, not meeting the requirements can result in costly fines, loss of reputation, and damage to customer relationships.
55% of consumers say that once a company has violated their trust, they will never give it their business again.
Being PCI compliant may incur some costs in the beginning, but it will save you from paying penalties or losing customers due to lack of trust.
Here are the top reasons for being PCI compliant.
Maintain secure systems
In its latest data security report, French tech firm Thales said that 71% of retail organizations surveyed said they had suffered a breach at some point and 39% were hit in the past 12 months.
Most merchants aren’t cybersecurity experts and may be unsure of where to begin when it comes to creating and maintaining secure systems. Following PCI compliance requirements can help businesses build solid security foundations and reduce the threat of data breaches.
Protect customer data and trust
Would you shop at a business if you knew it was likely your credit card information would get stolen? Probably not. Customer trust and confidence can impact your business’s profitability. People are less likely to shop with you if they don’t feel confident in your ability to protect their data.
If you suffer a data breach, or your customers don’t feel confident in your security, you may lose sales. In fact, 66% of customers will stop buying if companies experience a data breach.
Being PCI compliant and sharing that with customers shows shoppers that you’re serious about security and you’re taking steps to protect their payment data. It gives you both peace of mind.
💡 PRO TIP: Sending digital receipts via email is a great way to organically collect customer contact information at checkout and build an email list to fuel your retention marketing. Just make sure they’ve opted in to hearing from you before sending them anything.
Be better prepared for additional regulations
If you’re already PCI compliant, it will be easier to meet future data security requirements. Next time additional regulations come into play, it’ll be a case of making adjustments to your current security framework as opposed to starting from scratch.
Reduce data breaches and fines
Following each of the 12 PCI compliance requirements helps you prevent data breaches in the first place. But if you're compliant and your business still suffers a data breach, the fines and penalties usually associated with breaches will be far lower.
Data breaches can cost your business a lot in both money and customer trust.
Between the cost of replacing credit cards, paying fines, compensation for what customers have lost, and investigations, the average data breach cost retail businesses $3.27 million in 2021.
That’s enough to sink most small retail businesses.
How to satisfy PCI DSS requirements
When it’s time to satisfy PCI DSS requirements, you can choose from three options:
- Complete self-assessment questionnaire
- Qualified Security Assessor
- Internal Security Assessor
Before you choose one of the three options, consider your business’s budget and security goals.
Complete self-assessment questionnaire
A self-assessment questionnaire (SAQ) is usually less expensive and time-consuming than the other options. For retail business owners who feel confident checking their security systems and making necessary updates, self-assessment may be the right choice.
Depending on your business size and type, you’ll have to choose the right SAQ.
David Lee, the founder of the online mirror business Neutypechic, prefers to use the SAQ because it reassures him that none of his customers’ data has leaked.
“I constantly check whether my firewall is secure or not, so no financial information of my clients is leaked. This has allowed me to effectively meet the security protocols and monitor my online server.”
Similarly, Jon Lynn, the founder of My Office Pod, prefers to use SAQs as they make it easier to be aware of their current protocols and take the right steps to improve them. So that they’re not completely dependent on their own assessment, the business also works with a compliance expert.
“We assess all of our security protocols and fill out the questionnaire accordingly. We also have a compliance expert who is responsible for all assessments, SAQs, and reporting. We’ve chosen to go with SAQs because it allows us to be self-aware of our security protocols. Leaving it to an assessor would be like ignoring our responsibilities.”
Qualified Security Assessor
A Qualified Security Assessor is an external third-party expert who’s trained to evaluate the security of your business. They’ll provide a detailed report on their findings and give recommendations for making improvements.
For retail businesses that want an independent assessment of their security systems, or who operate complex systems, a Qualified Security Assessor may be the right option.
Internal Security Assessor
An Internal Security Assessor is an employee of your business who’s responsible for assessing and lowering security risks. This option is best for businesses that want to have someone dedicated to PCI compliance within their organization.
Larger retail businesses with established systems and security processes may prefer to use an Internal Security Assessor. The benefit of satisfying PCI compliance through an internal security assessor is that they already know your business’s systems and security procedures.
By employing an Internal Security Assessor, you can evaluate your business’s security systems more frequently, which will help you prevent data breaches.
Ensure your retail business is PCI compliant
Whether you’re opening a brick-and-mortar store or setting up a pop-up shop, at some point you’ll have customers who want to pay with a credit card. To accept credit card payments, you’ll need to be PCI compliant. To make PCI compliance easier, choose a POS provider that is already PCI compliant.