With the growing list of compliance requirements a small business faces when accepting online and in-store payments, it's important to make sure you have covered all the bases. You don't want to get hit with fines or penalties, or even have your ability to accept credit cards taken away from you. And, above all else, you don't want to put your customers and their sensitive information at risk at any point in doing business with you.
If you are fortunate enough to have expanded your business to multiple locations, you may wonder if you have to validate your PCI compliance for each location. It's a valid concern, even if you think you have standardized your operations to ensure your employees and processes at each location are all on the same page.
What is PCI Compliance Validation?
PCI validation confirms that you are following all the compliance requirements that apply to your business. That means you have put in place the equipment and processes designed to protect the cardholder data involved in the transactions you process in-store and online: a secure card processing network with the necessary firewalls, regular updates to passwords and security settings, encryption when data is transmitted, and protection against malware. Your access control measures also limit employees’ access to cardholder data and restrict physical access to areas where any of that information might be stored.
Part of getting validated for your PCI compliance is monitoring, tracking, and testing your security systems so they can be verified as secure. You also want to maintain an information security policy for your business that everyone at each location you operate has a copy of and understands how to apply.
Since you fall under one of four merchant levels, depending on the number of credit card transactions you process, some of the requirements for PCI compliance validation will differ from business to business. However, every business that accepts credit or debit card payments has to be PCI compliant.
A Range of Approaches to PCI Compliance Validation
Just be aware that payment processing companies and merchant service providers take different approaches to how they help you meet the required PCI compliance validation for your business and its other locations. For example, some payment processors require that all businesses validate their PCI compliance and offer PCI support programs to help them reach that status. However, many of these PCI support programs come with a fee. And if you haven't validated, you may also be hit with a fee.
Other payment processors leave compliance validation up to the merchant service providers. While this makes you more accountable for the compliance process, it also lets you select your own scanning vendors, consultants, and Qualified Security Assessors, each of whom has their own fee structure and level of experience. This lets you find a PCI validation program that fits your needs, business size, and budget.
Merchant service providers that offer their own mandatory PCI validation service do charge for it. Those that allow businesses to handle their own PCI validation then focus on tailoring validation to the way they process credit cards for those customers. Then there are those merchant service providers that don't even check whether you have taken care of this validation responsibility.
Annual and Quarterly Requirements for PCI Compliance
If each business location you operate uses the same Tax ID, primary location address, and IP addresses, then you only need to validate your PCI compliance once per year for all locations.
On a quarterly basis, you also need to pass network scans, which should be conducted by a PCI SSC Approved Scanning Vendor (ASV). The quarterly scans will need to be done at each location to verify that everything is being conducted in a standardized way. A vulnerability scan is an automated test that assesses your network and Web applications from the Internet (on the external-facing IPs) and identifies any vulnerabilities that could potentially put cardholder data in danger. Once the scan clears you of any vulnerabilities, your PCI compliance is validated.
Stay Vigilant with Payment Processor Support
The payment processing company you use for all your locations can do more than just supply you with equipment and payment processing services. It can also be an invaluable source of information and updates about compliance, including the tools you need to remain PCI compliant while you process credit and debit cards.