What is PCI DSS Compliance & Why is it Important?
As our interactions and transactions become more digitized, data breaches on prominent companies such as Target, Facebook, and Microsoft have signaled that safeguarding your data (and your clients’) requires advanced security measures.
Those often affected by breaches include the likes of building and design professionals, especially smaller businesses which may be subject to more lax security standards. That characteristic doesn’t have to describe your business, however. A good place to start in preventing the theft of sensitive information is learning about PCI compliance.
If you’ve already started accepting credit card payments from clients, there’s a chance PCI compliance is already on your radar. If you don’t understand its inner workings yet, don’t stress—ClientPay can help. We’ll provide you with an overview of PCI compliance, including why it exists, what you can do to stay compliant year after year, and how it allows you to promote a high standard of professional business to your clients.
PCI compliance 101: What is PCI DSS compliance?
If your business accepts, processes, stores, or transmits credit card data, it must be compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is enforced by the Payment Card Industry Security Standards Council (PCI SSC).
The council was created by the biggest credit card brands (Visa, Mastercard, Discover, JCB International, and American Express) to address security concerns related to credit and debit cards as well as prepaid cards. Each card brand has a list of requirements that businesses must adhere to in order to become compliant.
Although you aren’t required by law to be PCI compliant, adhering to its practices is an excellent way to keep payment data secured from hacking or other cyber attacks. As long as you follow the standards mandated by the PCI SSC, your building and design business will be using the latest techniques in data security.
It’s also worth noting that certain banks penalize merchants who fail to meet PCI compliance, ranging from $5,000–$100,000 each month depending on how long your requirements remain unfulfilled. Needless to say, adhering to these standards can save you from costly fines in the long run. The consequences of lacking compliance extend beyond a financial hit as well, including those aforementioned data breaches and irreversible damage to your business’ reputation.
Who does PCI compliance apply to?
Between each credit card brand, there are at least four levels of PCI compliance that businesses can fall under, each corresponding to the number of card transactions they process annually. The vast majority of AEC industry businesses that accept card payments would be categorized at the lowest possible level—those that process as little as 20,000 transactions per year (up to 1 million). For these businesses, all that is usually required is to complete a Self-Assessment Questionnaire (SAQ).
If you’ve already adopted online payments into your architecture, engineering, interior design, or construction business, you’ll complete SAQ A, which is the shortest option. Questionnaire A is required for “card-not-present merchants that have fully outsourced all cardholder data functions.” Utilizing ClientPay, a PCI-compliant, third-party processor, as your online payment solution gives you additional help completing your SAQ and maintaining compliance each year by offering personal assistance and answers to your PCI questions.
The six goals of PCI DSS compliance
The Payment Card Industry Data Security Standard contains six goals all businesses should aim towards to make their operations PCI compliant. We’ve summarized each goal below:
1. Build and maintain a secure network: Ensure that your systems have firewalls installed and regularly updated. Generate a strong, “hack-proof” password for your network and make use of password managers. Never use the default password provided by your network.
2. Protect cardholder data: The best online payment solutions store and protect sensitive cardholder data for you. However, if you do have cardholder data stored on your computers, be sure to enable whole drive encryption. Whenever you transmit sensitive data online, make sure the website has “https” at the beginning, which indicates a secure connection. Never transmit sensitive data through websites that have issues with their security certificate (your browser should warn you if this is the case).
3. Maintain a vulnerability management program: This simply means using antivirus and anti-malware software and keeping it up to date. Enable real-time monitoring to catch unauthorized access attempts when they occur. You also need to keep all your systems and applications up to date to avoid vulnerabilities. Watch for notifications on your machine about system updates and install them as soon as possible or enable automatic updates.
4. Implement strong access-control measures: This involves limiting access to sensitive cardholder data to only those with a business need to access it. We recommend creating unique logins specifically for employees who handle your bookkeeping, accounts receivable, and project management, considering the position heavily involves your financials. Furthermore, any physical card data stored in your office should be protected in a locked cabinet or safe.
5. Regularly monitor and test networks: This involves documenting who can access what and making sure these practices are working correctly. Test these security measures regularly by trying to access sensitive data on your systems through unauthorized users. If you have surveillance cameras onsite, monitoring servers, or access to physical card data, make sure they’re turned on and functioning as expected.
6. Maintain an information security policy: Draft a security policy that outlines how your business uses technology and handles sensitive data. Go over your security standards with each member of your team and anyone you do business with. To take your in-house documentation a step further, provide your clients with a credit card authorization form during the intake process if you need to protect yourself after submitting a charge. ClientPay offers a free, pre-drafted authorization form and unlimited assistance from our risk and fraud analysts in the case of a chargeback.
If you make these standards a habit within your business (and keep up with your annual SAQ), you can assure clients that their payment information is in good hands.
Why your compliance matters to clients, and how ClientPay makes it a breeze
In review, ensuring PCI compliance is important to upholding your reputation as a client-centric business, and ultimately, adding ClientPay to your repertoire is the easiest way to do so.
ClientPay makes it simple for AEC professionals to accept online payments with the year-round security needed to keep sensitive information in the right hands and the documentation to show that your business is PCI compliant. Managing these tasks on your own means losing out on ClientPay’s built-in lines of protection and hard-coded encryption used to lower your chances of suffering a data breach.
Clients trust businesses that openly value their convenience and privacy, making PCI compliance another way you can exceed your clients' expectations while also getting paid faster for your services.
To start using an online payment solution that helps you maintain PCI compliance year after year, schedule a demo of ClientPay today!