What is PCI compliance?
“PCI compliance” is shorthand for the processes required to meet the payment and data security standards established by the Payment Card Industry Security Standards Council. This organization, founded in 2006 by five of the major global payment brands (American Express, Discover, JCB International, MasterCard and Visa), provides detailed guidelines on all aspects of payment card security for merchants and payment service providers, along with resources including self-assessment tools, tutorials, and lists of approved providers.
What's the big deal then? What happens if I'm not compliant?
Credit card and payment system data breaches in retail have been big news recently, and if your business is unlucky enough to make the headlines, the negative effects can be difficult and long-lasting. Re-establishing customers’ trust in your business is usually far more expensive than doing everything possible to prevent data breaches in the first place.
While PCI compliance is not in itself an airtight guarantee of payment data security, it does cover many of the most common scenarios, significantly mitigating your loss potential. In essence, operating a modern-day POS system without being PCI compliant is like driving a car without insurance — there’s no problem until there’s an accident. Then the results can be anything from inconvenient to catastrophic.
In addition, data breaches carry real-world costs. Figures will vary depending on the size of your business, but they can run to:
How do I know if I'm PCI Compliant?
The best way to determine if your business is compliant is to complete the PCI DSS Self-Assessment Questionnaire (SAQ). There are many resources online to assist with this, including the Council's website.
I'm still using Windows 7. Is this a problem?
Yes. As of January 2020, Windows 7 is no longer supported by Microsoft. Because of this, the operating system lacks current security patches and is increasingly vulnerable to breaches. If you are processing credit cards on a machine running Windows 7, you are not PCI compliant.
I'm still using Windows XP. Is this a problem?
Yes. As of April 2014, Windows XP is no longer supported by Microsoft. Because of this, the operating system lacks current security patches and is increasingly vulnerable to breaches. If you are processing credit cards on a machine running Windows XP, you are not PCI compliant.
What are some basic steps I can take to ensure compliance?
There are twelve basic steps you can take to protect yourself.
BUILD AND MAINTAIN A SECURE NETWORK
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
PROTECT CARDHOLDER DATA
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
MAINTAIN A VULNERABILITY MANAGEMENT PROGRAM
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
IMPLEMENT STRONG ACCESS CONTROL MEASURES
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
REGULARLY MONITOR AND TEST NETWORKS
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
MAINTAIN AN INFORMATION SECURITY POLICY
Requirement 12: Maintain a policy that addresses information security
If I purchase a POS system from POS Nation, will it be PCI compliant?
Perhaps the most important question — but yes, all of our software and hardware ships out PCI compliant. Although ongoing compliance is determined by our customers, we position every merchant to succeed and remain compliant.
How do I stay PCI compliant?
Remember that PCI compliance is not a one-time event, but an ongoing process. Hackers and cybercriminals are constantly looking for new weaknesses in payment systems and networks, and while the biggest retailers make the news, small businesses are by no means immune.
The PCI DSS [Data Security Standard] outlines three broad steps in ongoing PCI compliance:
I. Assess: Identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data.
II. Remediate: Fix vulnerabilities and do not store cardholder data unless you need it.
III. Report: Compile and submit required remediation validation records (if applicable) and submit compliance reports to the acquiring bank and card brands you do business with.
What other useful resources are out there?
Several other websites dedicated to PCI compliance exist such as PCI Compliance Guide and NDB Advisory.
What is EMV? What are chip and pin cards?
The two terms are used interchangeably: EMV cards, or chip and PIN cards, are credit and debit cards that contain an embedded computer chip. Your cards most likely have a chip in them.
So what’s my potential liability?
First, you’ll be on the hook for chargebacks. Depending on your business, that may or may not be a big deal. More importantly, however, EMV transactions and cards are significantly harder to hack than traditional credit cards.
So, if you’re not taking EMV cards, your chances of being breached just went way up – and as more and more merchants accept EMV, hackers will increasingly target the remaining non-EMV merchants.
Will I be fined if I don’t accept EMV cards? Will I be running my business illegally?
No. EMV is being mandated by the PCI Security Standards Council, which is composed of the major card issuers like Visa, MasterCard, Discover, and American Express.
These companies obviously have no legal authority, but since you’re accepting their cards, they get to dictate the rules.
My bank is insisting I upgrade. What about that?
Not surprisingly, most banks are advocating EMV as a means of risk reduction, and we can’t blame them. No matter what they say however, we promise your POS system isn’t going to blow up.
Yes, you will be operating with increased risk, but most experts believe that full EMV adoption will take at least five years in the United States.
Am I going to have to buy new equipment to accept EMV cards?
Maybe. EMV-capable PIN pads and card readers have been on the market for a few years. If you don’t have one, then you’ll need one to accept EMV cards.
Even if you do own one of these card readers, you’re not totally in the clear. Each PIN pad will need to be certified with each processor and each POS software package – yeah, it’s complicated.
This isn’t cool. Why should I have to purchase new equipment?
The likes of Visa, MasterCard, Discover, and American Express are driving this train, but the end result should be a net positive for the system as a whole with less fraud – even if that means having to purchase a new card reader now.