In part two of our Cybersecurity Month blog series, we looked at the evolution of cybersecurity threats and why they’re becoming a bigger concern for the average merchant. This week, we’ll look at every merchant's first line of defense against cybercriminals—compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

The PCI-DSS is a set of security protocols laid out by the Payment Card Industry Security Council—an organization formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa. The purpose of the council and PCI-DSS is to protect consumers by ensuring merchants have the necessary security to stop (or deter) cyber attackers.

Thankfully, PCI compliance doesn’t have to be complex, especially for the average merchant.

As a payment provider, you are in an ideal position to educate your customers about PCI-DSS and cybersecurity. Helping your merchants navigate compliance will bolster their defenses and ensure your business maintains its competitive edge.

Why PCI Compliance Is So Important for Merchants

Meeting and maintaining the standards set out in the PCI-DSS is crucial for everyone in the payments ecosystem. PCI compliance benefits merchants and their payments providers by:

  • Protecting consumer data from bad actors
  • Protecting the merchant from the consequences of data breaches
  • Helping merchants and providers avoid major fines

Protecting Consumers from an Army of Bad Actors

Merchants have a duty to protect their customers. Failing to do so can lead to enormous fines and significant reputational damage. In severe cases, merchants may go out of business altogether.

The PCI-DSS standards exist to protect consumer payment data from criminal exploitation. Shielding customers from fraudsters and cyber criminals is a constant battle. PCI compliance is the first (and arguably most effective) line of defense in that fight.

Protecting Merchants from Potentially Fatal Data Breaches

As we mentioned in part two of our Cybersecurity Month series, 60% of small businesses that fall victim to cyberattacks go out of business within six months. Direct data breaches aren’t as common as ransomware attacks but are far more expensive.

The average cost of a ransomware attack in 2023 is $1.82 million. The average cost of a full data breach is $4.45 million—two and a half times higher.

Cyberattacks can quickly put merchants out of business. Meeting basic PCI-DSS requirements goes a long way toward ensuring merchants are properly walled off from potentially devastating threats.

Avoiding Hefty Fines Levied by Card Networks

Because the credit card networks behind the PCI-DSS take it so seriously, they take failure to comply equally seriously. Merchants who consistently fail to meet PCI standards are subject to potentially heavy fines.

While no official fine schedule is published, merchants who fail to comply can be subject to fees ranging from $5,000/mo for early offenders to $100,000/mo for long-term non-compliance. These figures align with how card networks fine merchants with long-term histories of excessive chargebacks and fraud.

A $5,000/mo charge could put a small merchant out of business. Because of this, maintaining compliance is a must.

Why PCI Compliance Seems So Complicated

PCI compliance is essential to a merchant’s survival. So why would any merchant fail to meet the standards? In most cases, it’s because of a lack of understanding. Merchants fail to meet minimum standards because they don’t know what those standards are or they don’t know how to comply with them.

The reason so many merchants—and people at all levels of the payments industry—don’t understand PCI standards is that they’re incredibly complex on paper.

For instance, companies fall into one of several merchant levels and must meet 12 high-level requirements, with the exact obligations depending on their operations. The PCI-DSS offers guides and checklists to make navigating these standards easier, but the sheer density of information in the rules can make them difficult to digest.

There Are Multiple Levels of PCI Compliance

There are four PCI-DSS merchant levels that outline what a seller must do to be compliant. A merchant’s level is based primarily on their transaction volume, as follows:

  • Level One: Six million or more total network transactions
  • Level Two: One million to six million total network transactions
  • Level Three: 20,000 to one million total network transactions
  • Level Four: All other merchants

Card networks can also unilaterally decide to place a merchant at any level they want to for reasons outside of payment volume. But in the vast majority of cases, volume is the determining factor.

The 12 PCI-DSS Requirements (That Seem Intimidating)

Beyond the four levels, there are 12 high-level security requirements that any business subject to PCI-DSS must meet. They are:

  • Install and maintain network security controls
  • Apply secure configurations to all system components
  • Protect stored account data
  • Protect cardholder data with robust cryptography during transmission over open, public networks
  • Protect all systems and networks from malicious software
  • Develop and maintain secure systems and software
  • Restrict access to system components and cardholder data with “need-to-know” security practices
  • Identify users and authenticate access to system components
  • Restrict physical access to cardholder data
  • Log and monitor all access to system components and cardholder data
  • Test the security of systems and networks regularly
  • Support information security with organizational policies and programs

For small business owners, the list above may as well be in ancient Greek. In many cases, the requirements are somehow both technical and vague. However, the language contained in the PCI-DSS can often be boiled down to things merchants are already doing. Once you strip out the technical jargon, most merchants can easily understand and achieve PCI compliance.

Why PCI Compliance Can Be Easy (With Your Help)

Unlike massive corporations, the average small- and medium-sized merchant can meet security requirements passively through the systems and processes they use daily.

For example, a company like Amazon uses custom-designed software systems, operates enormous data centers, stores vast volumes of customer information, has thousands of individual networks and employs hundreds of thousands of people. For them, PCI compliance is complex and challenging.

However, for an owner-operated business with fewer than 20 employees—a profile that represents almost 90% of businesses in the United States—PCI compliance is generally straightforward. That’s especially true if the software and payment systems they use are all off the shelf.

You can drastically minimize your merchants’ compliance burden by explaining PCI-DSS through a simpler framework and setting them up with the right payment systems.

How Technology Can Do Most of the Work for the Average Merchant

To maintain compliance, merchants must:

  • Secure on-site networks with passwords and firewalls
  • Educate staff on the importance of security
  • Remove access for departing employees
  • Perform the required annual testing and assessments

Beyond these basics, most of the 12 PCI security requirements are automatically met through the systems merchants use daily; the most complex parts are already built into their technology. Common solutions include ecommerce platforms, payment gateways, payment hardware, point-of-sale systems, customer relationship management systems and value-added security tools.

eCommerce platforms: Online sellers using popular platforms like BigCommerce, Adobe Commerce and Shopify benefit from the PCI Level 1 security built into those platforms. PCI Level 1 means a system meets the needs of large Level 1 merchants—the most stringent requirements of all.

Payment gateways: When a customer checks out, the payment gateway is responsible for sending the transaction data to be processed. This movement is when data is at its most vulnerable. To ensure security, top payment gateways use encryption protocols that exceed PCI-DSS requirements. Some, like the NMI payment gateway, also offer merchants advanced tokenization—the ultimate way to secure stored and transmitted payment data.

Payment hardware: Payment terminals act as the gateway during in-store purchases. Not only do they offer the same high level of encryption upon transmission of payment data, but merchants can also opt to use point-to-point encryption (P2PE). P2PE is a security standard under which card data is encrypted at the point of capture, inside the terminal itself, so it never passes through the merchant’s own systems in the clear. The PCI Security Standards Council recommends using P2PE standards.

Point-of-sale systems: Modern point-of-sale (POS) systems allow merchants to meet several essential PCI requirements passively. For example, employees must log in to these systems with unique credentials, making it easy to log and track activity.

Customer relationship management (CRM) software: CRMs are a critical operational tool for merchants. Most are designed with PCI Level 1 security built-in. Not only do they meet login and tracking requirements like POS systems, but they also make limiting access to sensitive data extremely easy.

Value-added security tools: Various services are available that take security and PCI compliance to the next level. For instance, NMI Customer Vault eliminates the need for merchants to store customer payment data on their own servers, wiping some of the 12 security requirements from the merchant's plate entirely.

Helping Your Merchants Maintain Easy PCI Compliance

The most important thing you can do to help your merchants with PCI compliance is to build in-house expertise. This enables you to act as a trusted advisor. Whether it’s part of your standard support offerings or a paid upgrade, guiding merchants through their compliance journey is an invaluable way to differentiate yourself from the competition.

A big part of that guidance is ensuring your merchants use sales and payment systems that will automatically cover most of their needs. The best way you can do that is by offering those systems yourself. From up-to-date EMV-compliant payment terminals and payment gateways to value-added security tools, the more secure systems you provide your merchants, the lower their compliance burden will be.

Cybersecurity support will make your merchants’ lives easier and position you as a valuable long-term partner.

Partnering with NMI is the easiest way to access a suite of fully secured tools and services. Our fully modular payment platform provides one-stop access to everything you need to sell omnichannel payment services tailored to your merchants’ needs—including their security requirements.

Next Up: Keeping Your Merchants Safe Beyond Cybersecurity Month

Advanced tools are also the best way to protect your merchants from one of today’s most pressing threats—online fraud. Come back next week for the fourth and final part of our Cybersecurity Month series: an in-depth look at the ever-evolving web of fraud your merchants face and how you can help them avoid getting caught in it.

In the meantime, to find out more about how NMI can help you provide more secure systems to your merchants, reach out to a member of our team today.
