What’s PCI compliance and why is it important?
- Overview: PCI protects businesses and customers
- Frequently Asked Questions
- How Melio protects you
- How to become PCI Compliant
- Be sure your payments are secure
Paying and getting paid online can be intimidating, so you want to make sure the tool you’re using to handle your money complies with regulatory laws. When working with an online tool such as Melio, you first should ensure PCI compliance.
In this guide, we’ll explain exactly what that means and why this is important.
Overview: PCI protects businesses and customers
No matter the size of a business, when you as a customer pay using a credit or debit card, the business is responsible for ensuring your information remains safe from data breaches, identity theft, and fraud.
What is PCI compliance?
To protect customer data, businesses should ensure they are PCI compliant. Following PCI requirements means implementing effective security standards that protect against common vulnerabilities and exploitation.
Payment Card Industry Data Security Standard (PCI-DSS), is the set of 12 security standards businesses must follow to secure and protect cardholders’ data.
Frequently Asked Questions
Working with PCI-compliant providers allows you to pay using your credit card without worries. Let’s break down some of the most common questions related to PCI compliance so you can understand what it all means and why it’s important.
Who must be PCI compliant?
Any company that accepts, transmits, or stores a cardholder’s private information must be PCI compliant. It doesn’t matter how the business receives payments, whether it’s primarily through transactions from accounts payable software, customer credit card transactions, or another form of payment processing; PCI compliance is the baseline security standard.
Here’s an example; Let’s say you own a coffee shop and you’re looking for an easier way to pay your suppliers. You decide to use a digital B2B payments service to start paying your vendor, Calvin’s Coffee Beans.
If you use a card to pay them, the payments platform must be PCI-compliant. Digital payment solutions will often use third-party card processors, which should also be compliant.
We’ll go into more detail on how you can tell if a company is secure and at which level.
Who mandates PCI compliance?
The Payment Card Industry Security Standards Council (PCI SSC) is made up of members from five major credit card companies, who established the rules and regulations known as PCI.
The PCI SSC is responsible for enhancing security practices related to credit card transactions by overseeing PCI compliance and providing organizations with a range of resources.
Some of these include:
- Self-assessment questionnaires (SAQ), which help to validate compliance.
- Lists for Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), Approved Scanning Vendors (ASVs), and educational programs for Internal Security Assessors (ISAs).
The PCI SSC updates the requirements for compliance every once in a while, with the most recent version released in March 2022.
Is PCI compliance required by law?
PCI DSS is a security standard, not a law, meaning compliance is not determined or enforced by the government.
However, businesses that do not comply with PCI DSS may be subject to penalties and fines, which are built into the contract between merchants, payment processors, and card brands.
What happens if a merchant is not PCI compliant?
When you work with a tool that’s not PCI compliant, you are putting your sensitive information at risk and you are exposed to sanctions by the major payment brands.
How can I tell if a company is PCI-compliant?
Certified companies who handle card data will have a security section on their website, detailing the types of security standards and level of PCI compliance. An attestation of compliance (AOC) must also be presented by the merchant or service provider.
You’ll typically see PCI’s message and logo at the bottom of the webpage when prompted to enter any sensitive information.
Melio’s security information can easily be found on our website and help center.
Next, let’s take a look at how Melio protects your data.
How Melio protects you
Is Melio PCI compliant?
Melio’s top priority is to be the safest and most secure platform at hand.
Melio is fully compliant with the PCI-DSS. We use a third-party card processor which is a certified Level 1 PCI Compliant Service Provider (the highest level), and don’t store any sensitive credit card information on our servers.
To ensure top-level security, Melio and its third-party card processor test the system daily (manually and automatically).
Next, we’ll cover the different levels of compliance so you can get a better understanding of Melio’s security level.
The 4 levels of compliance
PCI compliance is split into four different levels depending on the number of transactions businesses handle annually.
To comply with PCI-DSS, level 1 merchants must have a qualified security assessor (QSA) or internal security assessor perform an onsite audit every year. The assessor will review the PCI requirements and compare them with the findings from the onsite audit to complete an annual report on compliance.
Levels 2, 3, and 4 can achieve PCI compliance simply by completing the SAQ and meeting the corresponding requirements.
Many companies such as Melio utilize merchant banks and third-party services that handle much of their PCI compliance requirements. It is still the business’s responsibility to ensure any third parties they work with on credit card transactions are PCI compliant.
What are the PCI requirements?
The PCI-DSS requirements are broken down into six distinct goals, each of which can be further expanded to cover the 12 requirements of the PCI-DSS.
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
12 major requirements define PCI compliance:
How to become PCI Compliant
As a small business, even if you do accept credit card payments, you are using a third party to process those payments. Before you choose a processor, you should learn if they are also PCI compliant. You probably don’t need to become a compliant organization yourself, but in case you wonder how companies become one, we’re here to clarify.
Organizations can become PCI-compliant by following this process:
- Determine PCI level – find out the number of transactions processed annually. Each of the five payment card brands (American Express, Discover, JCB, Mastercard and Visa) has its own thresholds for the levels of PCI DSS compliance. But generally speaking, the goal is to meet the criteria of all of them.
- Map the flow of cardholder data – including applications, systems, and people who work with credit card data. All credit payment platforms and storage systems that hold card data must be included. This is usually done with the assistance of IT and R&D departments.
- Fill out the Self-Assessment Questionnaire (SAQ) – the SAQ is a tool used to validate PCI compliance, which checks if a business meets each of the 12 requirements listed above. Businesses must meet all the requirements to be compliant. PCI Level 1 businesses need a PCI-approved auditor to validate their compliance.
- Fill out the Attestation of Compliance (AOC) – this document differs according to the PCI compliance level of a business. AOC ensures every PCI compliance step is fulfilled.
- Conduct a vulnerability scan – businesses use approved scanning vendors (ASVs) to scan for security vulnerabilities and make sure they meet all standards.
- Submit documents – including AOC, SAQ, and ASV reports to banks, credit card companies, etc.
- Monitoring — the business, the infrastructure, and the data may change with each security scan. Therefore, it is necessary to monitor compliance on an ongoing basis throughout the year. There should be a security team responsible for monitoring and responding to vulnerabilities and threats.
Be sure your payments are secure
It’s important to work with providers that follow PCI compliance. When you work with a tool like Melio to make payments, you can trust that your sensitive information remains secure, keeping the payment experience stress-free.