
Understanding PCI Compliance

You've likely heard about data breaches in the news lately. In one of the largest data breaches last year, at Equifax, the private data of 146 million Americans was exposed. Hackers obtained access to social security and driver’s license numbers, passport information, and over 200,000 credit card numbers. If you’ve ever used a credit card to make an online or over-the-phone purchase, you know that’s all the information you need to make a purchase.

Cyber security measures don’t just protect against theoretical threats, but very real ones that can cause very real damage. This damage affects the immediate financial stability of a business—and the trust consumers place in a brand.

But it’s not just large companies like Equifax that experience data breaches. Small businesses are targeted at an increasing rate. According to UPS Capital:

  • Almost two-thirds of all cyberattacks are now directed at small business.
  • A cyber attack can cost a small business between $84,000 and $148,000.
  • 60% of small businesses go out of business within six months of an attack.
  • 90% of small businesses don’t use any kind of data protection for company and customer information.

As you can imagine, the payment card industry takes notice of thefts like this. That’s why the major card brands (Visa, Mastercard, Amex, Discover, JCB) came together to establish a system of security rules. That system is called PCI DSS: Payment Card Industry Data Security Standard, or “PCI compliance” for short. Its goal is to keep cardholder information out of the hands of fraudsters who would use it maliciously.

The payment card brands don’t just hold themselves to this standard; they expect everyone who processes transactions with their cards to adhere as well. If you use a payment processor that isn’t PCI compliant to accept your payments, you may lose a lot of precious time and hard-earned money.

PCI compliance has a lot of moving parts that require constant attention. You must pass a yearly audit (yes, audit—it's not just the IRS who shows up and needs to look at your books) showing your payment environment meets each applicable PCI requirement. And depending on your payment processor, if you're found to be noncompliant with all PCI standards, you can expect fines up to thousands of dollars per year.

PCI DSS audits can vary depending on the size of your business. For processors like Square, we undergo an annual PCI audit conducted by a PCI Qualified Security Assessor.

An on-site audit typically involves the following:

  • Interviews to understand the environment and security procedures the organization uses to meet the PCI DSS requirements
  • Testing to confirm that the security mechanisms have been implemented, function as intended, and meet PCI DSS requirements
  • Pulling together hundreds of documents, policies, procedures, and audit artifacts to address the over 300 individual DSS requirements
  • 2-3 months of audit work

Any organization has to achieve a 100% success rate on all of these audit procedures to pass. As you can imagine, it takes a long time and a lot of effort, so many businesses turn to a third-party firm to manage everything that comes with PCI compliance. While that may save them money in potential fines, it costs plenty in fees paid out to the third party.

As a Square seller, however, you don’t need a dedicated company or consultant to make sure you’re PCI compliant. Our team manages compliance so you can focus on running your business, and we do it at no additional cost to you. Square is the merchant of record for every transaction you make through our devices and software. Since Square is PCI compliant, the payments you accept with us are too.

The only thing to make sure of on your end is that you don't store cardholder information (card number, cardholder name, expiration date, etc.) outside of your Square device(s).

The reputation and success of your business depend on your customers’ ability to trust that their data is secure with you. Luckily, Square is here to do the heavy lifting so you and your customers can feel safe doing business with each other.

Have you ever lost time or money in the effort to be PCI compliant? We want to hear about it. The more we know about your story as a seller, the better-equipped we are to provide you with the most effortless experience possible.

Message 1 of 7
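The one control the post leaves to the seller is not keeping card numbers outside the Square device. A quick way to check your own spreadsheets and exports for that is a cardholder-data scan. The following is an added example, not Square's code and not part of the original post: it flags digit runs of card-number length that pass the Luhn check and reports only the last four digits, so the report itself never becomes a store of PANs. The CSV is constructed for the demo; the two card numbers in it are the public Visa and Mastercard test numbers, not real cards. It assumes a plain-text export; binary formats would need their text extracted first.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# A card number is 13-19 digits; exports often write them with single spaces or
# dashes between groups. The lookbehind/lookahead stop us matching a 16-digit
# slice out of a longer digit run (e.g. a 20-digit shipment tracking number).
PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every brand's PANs pass it; about one random digit
    string in ten also passes, so hits still need a human look."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    line_no: int
    masked: str  # only the last four digits survive; the report must not hold PANs
    length: int


def mask(digits: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[Finding]:
    """Report Luhn-valid card-number candidates per line of a text export."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding(line_no, mask(digits), len(digits)))
    return findings


# Constructed sample: the kind of customer spreadsheet a seller might keep outside
# the Square device. The card numbers are the public Visa (4111...) and
# Mastercard (5555...) test numbers, not real cards; the 16-digit order IDs are
# chosen to fail Luhn, and the last card number carries a deliberate typo.
SAMPLE_CSV = """\
name,phone,order_id,notes
Ada Lovelace,555-123-4567,1234567890123456,paid in store
Grace Hopper,555-987-6543,2234567890123456,card on file 4111 1111 1111 1111 exp 12/26
Alan Turing,555-000-1111,3234567890123456,mc 5555-5555-5555-4444
Mary Shelley,555-222-3333,7234567890123456,typo 4111 1111 1111 1112
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE_CSV):
        print(f"line {f.line_no}: {f.length}-digit PAN ending {f.masked[-4:]}")
```

Run against the sample, it reports the Visa number on line 3 and the Mastercard number on line 4 and stays silent on the phone numbers, the order IDs and the mistyped card. Any hit in a real export means that data needs to be deleted, not just noted, because the post's point is that cardholder data should live only on the Square device.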
Admin

Best Answer

If you would like to learn more about PCI Compliance and Square's Security, check out our upcoming Q&A! @flee is the head of our Information Security Team and will be fielding your questions. You can start asking questions now on Live Q&A: Ask us anything about Square and Security and they will be answered live on the day of the Q&A! 😊

Message 2 of 7

I formerly used a large credit card processor and had a much lower per-sale rate than Square. While investigating Square I looked at all the other fees I was being charged, e.g. Batch Close Fees, Statement Fees, Yearly PCI Compliance Fee (in addition to the time required to fill out the self-compliance questionnaire).

I found that even with Square's higher rate, by eliminating all those extra fees I saved enough money to pay for my Square stand, iPad, printer, and chip card reader in less than six months. Using Square invoices online saves me more money over having to manually key cards for my out-of-state customers.

Message 3 of 7

One of the reasons we switched to Square was we did not like having to take the PCI test every year and being charged $50 to do it!

Message 4 of 7

You're lucky! Our processor was charging us $150.00 yearly for PCI compliance.

Message 5 of 7

Are you saying that not only do I not need to fill out the DSS self assessment form but I also do not have to have a PCI compliant network if I use my wireless or a hardwired network connection for any of the Square devices?

Message 6 of 7
Admin

@beransom Square is PCI compliant - so when you use Square to accept payments your payments are automatically compliant too. There's some more information about this on the Town Square blog that might help: PCI Compliance: What You Need to Know. Alternatively, if you have questions about your specific business setup, you can give us a call.

Helen

Seller Community Manager, Square

Message 7 of 7