Let’s read the small print together…
Accepting credit card payments at your business opens up a lot of doors. In doing so, you’ll stand to benefit from quicker, safer payments, a more streamlined sales process, and better customer service. You’ll even attract a whole new generation of increasingly cash-phobic customers.
There’s little room for argument. Credit card processing is a potent, powerful way of elevating your business to the next level.
Yet with great power comes great responsibility. As a merchant, you are required to know exactly what’s expected of you when it comes to the rules and regulations of the payments industry. And we won’t sugarcoat it – there are a lot of them.
So prepare to get acquainted with the credit card laws your business needs to know about. Whether you’re new to accepting credit card payments, or a veteran just looking to brush up on the basics, our guide is a stress-free, jargon-free route to complete credit card compliance. Scroll on to get started, or dive into the list below to jump straight to a specific section.
If you’ve already spent a bit of time researching different merchant services providers, you’ll have seen these three letters popping up a lot. But what do they mean?
PCI: The Basics
PCI is short for ‘Payment Card Industry’. The PCI is responsible for administering a strict set of rules, known as PCI DSS (Payment Card Industry Data Security Standard). It’s an industry-wide set of guidelines dedicated to preventing fraud.
PCI DSS was set up by the PCI Security Standards Council, a body made up of the big credit card brands, including Mastercard, Visa, American Express, and Discover.
PCI DSS credit card processing laws help safeguard the cardholder’s data when a transaction takes place, and all merchants, financial institutions, payment processors, and merchant services providers are responsible for upholding them. This is known as PCI compliance.
PCI compliance doesn’t just protect your customers, though – it’ll protect your business from data breaches, and help you swerve the crippling cost of fraudulent transactions. Plus, not complying with PCI standards comes with big fines – meaning it’s best to get wise to them sooner rather than later.
So how do you achieve compliance?
How Do You Ensure Your Business Is PCI Compliant?
How you’ll remain PCI compliant depends largely on the type of company you’ve chosen to process your credit card payments.
Dedicated (or traditional) merchant accounts set up with a bank or independent company may require you to take PCI compliance into your own hands. This involves validating your current data security standards by filling out a Self-Assessment Questionnaire (SAQ).
The PCI has nine different forms. Which one you must fill out is based on your transaction volume, and the method you use to accept credit card payments. It’s your job to figure out (or hire someone to figure out) which form is relevant to you, and ensure it gets completed on an annual basis.
Based on how much you’re processing, you’ll be sorted into one of four ‘levels’ of compliance. Let’s take a look:
The Four Levels of PCI Compliance
PCI Level 1
Level 1 is for businesses that process more than six million payments a year, so it’s basically just for large companies. As you can imagine, this level of PCI compliance is the most expensive; it comes with extra hardware and software costs to meet the standard, plus the fees involved with training an internal auditor.
To comply, businesses must file an annual Report on Compliance, and face quarterly scans via a PCI-approved ASV (Approved Scanning Vendor).
- Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA) or internal auditor
- Quarterly network scan by an ASV
- Attestation of Compliance form
PCI Level 2
Level 2 is for businesses processing between one million and six million payments a year. To comply, merchants must complete an annual self-assessment. They also undergo a quarterly ASV scan, plus an on-site assessment.
- Annual Self-Assessment Questionnaire (SAQ)
- Quarterly network scan by ASV
- Attestation of Compliance Form
PCI Level 3
Level 3 refers to businesses that take between 20,000 and one million ecommerce payments annually. Level 3 compliance involves an annual self-assessment, as well as a quarterly ASV security scan.
- Annual SAQ
- Quarterly network scan by ASV
- Attestation of Compliance Form
PCI Level 4
Level 4 refers to businesses that process up to 20,000 payments a year via ecommerce, or up to one million payments via other channels.
- Annual SAQ recommended
- Quarterly network scan by ASV, if applicable
- Compliance validation requirements set by merchant bank
PCI: The 3-Step Process
There’s plenty more involved in remaining compliant, too.
It’s also important to note that PCI compliance is an ongoing process; complying isn’t a one-time thing, but a constant cycle of assessment and reporting. PCI’s ‘3-Step Process’ serves as a good guide to get going with:
ASSESS: Identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities.
REMEDIATE: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
REPORT: Compiling and submitting required reports to the appropriate acquiring bank and card brands.
Basically, it’s all very complicated – particularly for small businesses just starting out. Plus, though PCI DSS sets out important standards for merchants, it’s not necessarily enough – i.e., it won’t provide adequate protection for all payment environments. Is there an easier way?
Yes, there is. That’s why we recommend opting for a payment service provider that’s completely PCI compliant.
Providers such as Square, iZettle, and Heartland Payment Systems provide you with payments infrastructure that already meets the PCI’s strict standards, helping ease the burden of compliance. Sure, some merchant account providers may charge for the privilege of a PCI compliant solution, but trust us – in the long run, it’s worth it. And it’s better than a hefty fine!
As PCI expert Mike Dahn of Stripe says:
“This approach provides agile businesses a way to mitigate a potential data breach, and avoid the emotional, time-consuming, and costly historical approach to PCI validation.”
The bottom line? Ensure you understand exactly what your obligations are before signing a contract with a merchant services provider. Your payment service provider should always be able to talk you through which elements of PCI compliance are handled by them, and what (if anything) you’ll need to do on your end.
The Durbin Amendment
The Durbin Amendment, part of the Dodd-Frank law of 2010, slashed the amount that card associations were legally allowed to charge for interchange fees on debit card transactions. The idea was to lower retailers’ costs, and ultimately drive down costs for the consumer, too.
Interchange fees, which averaged out at around $0.44 per transaction, were slashed more or less in half, being capped at $0.22 + 5% per sale. Awesome, right?
Well… not exactly. While it drove down fees, the Durbin Amendment had unintended consequences for small businesses. Because, while the interchange rate was halved, the transaction fee was more than doubled. The result? Merchants averaging sales of $15 or less actually ended up paying more in fees than they did before the Durbin Amendment came into force.
Basically, what the Durbin Amendment means for merchants is that you’ll actually stand to save money if you process a lot of card transactions, or deal mainly in higher value sales. For businesses with a lower average debit card transaction value, it may end up costing you more.
What is good, though, is that the Durbin Amendment didn’t affect smaller banks and credit unions, which got to sidestep the loss of revenue the big banks faced. This allowed smaller banks to keep fees low – ideal for new merchants looking to jumpstart their business with low credit card processing rates.
IRS Mandate (Section 6050W)
We couldn’t get through an article about rules and regulations without mentioning the IRS (Internal Revenue Service), now could we?
Nope. And here’s where Section 6050W comes in. According to the IRS…
Bleurgh. In plain English, this means merchants need to report their yearly gross transactions processed with a credit, debit, or co-branded card to their merchant services provider. This is then passed along to the IRS. It’s kind of like a tax return, but for merchants accepting credit card payments.
PA-DSS (Payment Application Data Security Standard) is another credit card processing law you’ll want to know about. It’s a rule mandating that any POS (Point of Sale) equipment or terminals must meet the PCI’s set of standards.
There are two reasons why PA-DSS is good news for merchants. First, PA-DSS compliant POS equipment helps you remain PCI compliant. Second? Meeting PA-DSS standards is entirely the POS system technology supplier’s responsibility – not the merchant’s.
Like many of the best things in life, credit card processing comes with rules, regulations, and laws. But you shouldn’t see these as barriers to your business, or as restrictions dragging you down. Rather, they’re there to keep your business and your customers safe – to prevent fraud, reassure your patrons, and help you avoid big fines.
It’s also important to remember that credit card processing regulations and rules aren’t just a box to be ticked, then you’re done. Nope – fraudsters are constantly evolving, so the laws have to as well. That means you’ll need to examine your own cardholder data practices on an ongoing basis, to ensure that you’re doing right by your customers.
Talk to your payment service provider about what PCI requirements – if any – fall under the scope of your business’ responsibilities. And again, if you’re in the process of choosing a merchant services provider, make sure you know exactly how PCI compliance is being handled, and what the costs involved will be.
OK, so our guide wasn’t completely jargon-free. No matter – you’ll find all the industry’s most important (and most baffling!) acronyms below.
ASV (Approved Scanning Vendor): an organization which validates PCI DSS requirements by performing the quarterly network scans.
PA-QSA (Payment Application Qualified Security Assessor): organizations qualified by the Council to have their employees assess compliance.
PCI (Payment Card Industry Data Security Standard): Better start again!
PFI (PCI Forensic Investigator): establishes, then maintains rules and requirements regarding PCI eligibility.
QIRs (Qualified Integrators and Resellers): a program giving eligible professionals of qualifying organizations training and qualifications in secure installation.
QSA (Qualified Security Assessor): employees of an organization qualified by the Council to assess PCI DSS compliance.
SAQ (Self-Assessment Questionnaire): a checklist provided by the PCI Security Standards Council for validating your own adherence to PCI requirements.