Whether you’re a large corporate enterprise or a small flower shop, you’ve probably heard of PCI compliance. And what you’ve heard may sound really complex. But not to stress! If you sell with Square, we take care of PCI DSS compliance on your behalf so that securitization isn’t your full-time (and very costly) job — it’s ours.
Square seller or not, it’s still a good idea to understand PCI compliance, since adhering to it is part of protecting the safety of your customers’ financial information and your business.
Here’s what your PCI compliance checklist could look like if you sell with Square:
PCI Compliance Checklist for 2017
|#||PCI DSS Compliance Requirement||Comes Free with Square|
|1||Install and maintain a firewall configuration to protect cardholder data.||✓|
|2||Do not use vendor-supplied defaults for system passwords and other security parameters.||✓|
|3||Protect stored cardholder data.||✓|
|4||Encrypt transmission of cardholder data across open, public networks.||✓|
|5||Use and regularly update anti-virus software.||✓|
|6||Develop and maintain secure systems and applications.||✓|
|7||Restrict access to cardholder data by business need-to-know.||✓|
|8||Assign a unique ID to each person with computer access.||✓|
|9||Restrict physical access to cardholder data.||✓|
|10||Track and monitor all access to network resources and cardholder data.||✓|
|11||Regularly test security systems and processes.||✓|
|12||Maintain a security policy and ensure that all personnel are aware of it.||✓|
*This PCI compliance checklist was retrieved on January 2, 2017 and may not be up to date, so be sure you’re compliant by selling with Square or by visiting the PCI Security Standards Council website.
What is PCI compliance?
The PCI Data Security Standard (PCI DSS) is a set of rules meant to ensure that all companies safely accept, process, store, or transmit cardholder data (i.e., credit card information).
PCI DSS is managed by the PCI Security Standards Council, an independent body founded by the five largest credit card brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa. It was launched in 2006 to improve the security of the transaction process and payment technology life cycle as a whole.
The PCI Council and the five credit card brands believe that sellers and organizations that accept credit cards are primarily responsible for the security of those transactions — which is why it’s crucial that highly secure technologies and measures are in place to prevent theft of cardholder data.
What do PCI-compliance requirements mean for your business?
If you’re using multiple independent providers to service your payment life cycle (this could include different providers for your physical or virtual terminal, POS software, payment processor, and acquiring bank), then you’re likely sending and storing your customers’ data between these different providers. As such, you’re probably responsible for self-validating and maintaining your business’s PCI compliance.
Why are you responsible? Each time you pass data between one of these providers, PCI-compliance standards say that you, as the seller, must ensure that each step in this life cycle is encrypted and that data is protected — encoded in a way that only authorized parties can read. To be sure that each step is protected, the PCI Council distributes a self-assessment questionnaire, which is a checklist of requirements that you’re responsible for fulfilling, depending on your business’s transaction volume.
PCI compliance checklists: Who needs one?
For non-Square sellers, the liability to validate and maintain PCI compliance typically falls directly on your shoulders. So it’s wise to check with your acquiring bank to understand if you’re liable and if there are vulnerabilities that could pop up in any part of your card-processing life cycle: places like your physical terminal, your POS software, or cardholder data transmission to service providers. The systems operated by your service providers — also known as the banks that service your merchant account — could also put you at risk for noncompliance and data breaches.
If you’re responsible for validating your PCI compliance, you must first determine the level at which you need to be compliant (here’s a helpful guide), then take the necessary steps recommended for your business type. Depending on your annual transaction volume, the requirements for businesses to maintain PCI compliance could include some or all of the following steps:
Hiring an approved scanning vendor (ASV) that might perform network and system scans
Completing an annual self-assessment questionnaire (SAQ) or checklist; this is a tool used to report the results of your PCI DSS self-assessment and validate your standing
Hiring a qualified security assessment vendor (QSA), which is essentially a digital security firm qualified to perform PCI DSS assessments at your business
Take PCI compliance off your plate with Square.
Is your head spinning yet? You could read this 40-page guide, complete an exhaustive PCI self-assessment, and/or pay a third-party consultant (like the ones listed above) a lot of money to ensure you’re up to date on PCI-compliance standards. Or you could use Square, which requires no filing, no paperwork, and no additional cost.
If you use Square for all storage, processing, and transmission of your customers’ card data, you won’t need to take any steps to become PCI compliant and you won’t need to pay any PCI-compliance fees—so you can toss your PCI compliance checklist once and for all.
Square users aren’t required to self-validate their PCI compliance, or need to worry if they’re meeting checklists for PCI compliance. That’s because our hardware, software, and processing methods are encrypted, tokenized, and PCI-compliant from end to end.
Square’s card-processing systems adhere to the PCI DSS to alleviate these vulnerabilities and protect cardholder data on your behalf — so you don’t have to worry about hiring costly consultants or conducting exhaustive reviews of your payments hardware and software.
And since Square is the merchant of record for every transaction, we deal with the banks on your behalf and take care of the PCI-compliance checklists, regulations and processing for you so that you can focus on running your business. We’ll advocate and work in good faith to resolve any disputes related to a transaction.
Best of all, we provide PCI-compliant hardware and software at no additional cost to you. We never charge extra monthly fees or force you to complete checklists to demonstrate PCI compliance. We do it all free on your behalf.
Learn more about privacy and security at Square and check out this article about best merchant practices for accepting credit cards.
See How Much You Can Save with Square
Want to toss your PCI Compliance checklist for good? Contact our sales team for a competitive custom rate.