If you’re a campground owner that accepts credit cards as a form of payment, you’ve probably heard about the term PCI compliance. You may have even noticed extra monthly fees on your merchant account statements for not being PCI compliant. So, what exactly is PCI compliance, and why should it matter to you?
To be “PCI compliant” means that you are meeting the minimum security standards for accepting card payments set by the Payment Card Industry Security Standards Council (PCI SSC), which was founded in 2006 by the five largest credit card companies: Visa, MasterCard, Discover, American Express, and JCB. Because there are many risks involved in handling customers’ sensitive credit card information, the standards set by the PCI SSC are intended to help business owners like you reduce this risk and improve the security of customer information.
We see national headlines every year about companies that fall victim to massive cybersecurity breaches, which expose the sensitive information of tens of millions of customers: Adobe and Target in 2013, Equifax in 2017, Capital One in 2019, and the list goes on. Personal data can be stolen from cards readers, paper records, wireless networks, and other areas where transactional data is exchanged. Moreover, a data breach of customer payment information can be severely damaging to a business in a multitude of ways: hefty fines, costly audits and card replacement costs, and a bad reputation among customers.
In 2019, the hospitality industry had the fewest number of organizations achieve PCI compliance.
The requirements to achieve PCI compliance and avoid the crippling effects of a data breach vary depending on the amount of payments a merchant processes annually. There are four different merchant levels, ranging from Level 4 merchants that process less than $20,000 in transactions per year to Level 1 merchants that process over $6 million in transactions per year.
Regardless of which level you meet, the PCI SSC outlines six goals and twelve main requirements for reaching and sustaining PCI compliance as a merchant:
We know there are a lot of requirements to become PCI compliant, and you may be wondering where you should begin this process. The PCI SSC outlines a three-step process on their website:
- Assess: Locate everywhere cardholder data is stored or used, collect inventory of all business processes and technology used to process payments, and assess these items for any vulnerabilities.
- Remediate: Amend any vulnerabilities found and ensure cardholder data is not stored unless required.
- Report: Fill out and submit all required reports to the acquiring bank and any payment card brands used.
Acquiring banks and payment card brands are the bodies who actually enforce compliance with PCI standards — not the PCI SSC itself. This makes it very important for a merchant to check with each of the different payment card brands they accept and use to ensure that the brand’s requirements are being met, since each brand will slightly differ from the next.
Once a status of PCI compliance is achieved, it must also be maintained going forward. Ongoing requirements for merchants can include submitting an Attestation of Compliance (AOC) every year, completing a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC) every year, and having an SSC Approved Scanning Vendor (ASV) conduct vulnerability scans every quarter.
Fortunately, Campspot’s integrated credit card processors assist with reducing the burden for our partner campgrounds to become PCI compliant.
For more information about our integrated processors, contact our team at email@example.com or 616-226-5500.