Any customer who buys goods or services using a credit card is trusting businesses with their payment information. Because of this, any business that handles, processes, or stores credit card information is required to be PCI compliant in order to protect their customers’ information.

Being PCI compliant not only allows you to maintain a merchant’s license, which lets you make transactions using cards, but it also ensures you are following basic security procedures that will protect your customers’ data, which in turn helps you keep their trust. Read on below to learn what your Alabama business needs to do to become PCI compliant.

What Is PCI Compliance?

hand holding credit card in front of laptop symbolizing pci complianceAlso known as PCI DSS, the Payment Card Industry Data Security Standard is a set of standards used to ensure businesses meet a minimum level of security in handling customer information. The Payment Card Industry Security Standards Council was formed in 2016 by major credit card companies MasterCard, Visa, Discover, American Express, and JCB International.

Although compliance is not required by federal law, many state laws make it mandatory for businesses to meet standards based on or similar to the PCI DSS. And even if your state doesn’t enforce PCI compliance, if your business is noncompliant you risk losing your merchant account, which enables you to accept credit card transactions through a business bank account.

How Do I Become PCI Compliant?

There are four tiers that a company can be placed into when it comes to PCI requirements. These levels are generally classified by the amount of transactions your company makes in a year.

  • Level 1: companies that make six million or more transactions in one year
  • Level 2: companies that make one to six million transactions in one year
  • Level 3: companies that make 20,000 to one million transactions in one year
  • Level 4: companies that make 20,000 or fewer transactions in one year

(Note: If a business has suffered a data breach or attack that compromised customer data, they may be moved up to a level 1 classification, which requires the most stringent processes to prove compliance.)

If you own a small to medium-sized business, your company will most likely be placed into level 3 or 4. For such companies, becoming PCI compliant involves two steps. The first is to complete a yearly Self-Assessment Questionnaire (SAQ). The SAQ involves a series of questions that outline PCI security levels of your business, and it is segmented into categories based on how your business handles client information.

You’ll be required to answer questions concerning requirements for passwords and authentication, how data is transmitted, processes for working with service providers with whom customer information is shared, and other topics. You will also be required to list any payment processors or other third-party services with whom you share payment information in order to check their PCI compliance as well. Finally, you will complete an Attestation of Compliance included within the SAQ.

The second step is to pass a PCI security scan, which needs to be conducted four times each year by an Approved Scanning Vendor (ASV). This precautionary evaluation performed by a certified third party will make sure that your processing solutions are functioning within security standards.

What Happens if My Business Is Noncompliant in Alabama?

In Alabama, there are some laws in place that are similar to some of the PCI standards, including the Alabama Data Breach Notification Act. However, even if compliance with all parts of PCI is not legally enforced, there are still serious penalties that could occur if your company is not PCI compliant in Alabama. Credit card companies can levy a fee between $5,000 and $100,000 a month on your bank, which will turn the charge over to you, until you are able to meet their standards. You can also lose your merchant’s account at your bank, and you will certainly lose the trust and business of customers.

Even more costly than noncompliance are the consequences that can result from taking data security lightly. By not maintaining the minimum standard of payment information security required by PCI, you leave your customers’ data open to breaches that result in theft and fraud.

How Can Managed IT Services Help?

Fortunately, a Managed Service Provider (MSP) can help you reach PCI compliance by testing and upgrading your security and giving you personalized solutions for your business. MSPs can conduct PCI audits so you know that you meet all the requirements to become compliant.

Ultimately, you can avoid massive penalties should you take the small yet necessary steps to becoming PCI compliant. And an Alabama Managed Service Provider can make the process easier by protecting your data in all areas of your business, from your payment processor to the transmission of your data to password authentication.