Small Business and PCI Cost vs. Benefit
Date published:
Jan 29, 2022
Many small business owners wonder why they would ever need to comply with a security standard like the PCI DSS. Some wonder quietly and some more vocally. Either way, it’s an important question to address, because every small business owner who accepts even a single credit card for payment should understand their role in the security of that information.
Taking one single credit card transaction is like someone handing you the keys to their safe, where they keep their money, and asking you to carefully take out just the amount you are owed. If you don’t handle those keys safely and a bad guy copies the keys and wipes out the safe, then whose fault is it?
In other words: Should a business accepting “a few credit cards here and there” pay fines and penalties after a breach, since they opted to use a risky system without understanding that it needed to be secure?
The cost/benefit ratio can change in an instant.
Let’s assume your business processes about 100 credit/debit card transactions per year and you’ve determined that the cost to comply outweighs the benefit to you, your bank, and even your customers as a whole.
Should a breach occur, are you prepared to experience a rapid turn of events?
In my example above, your business has processed 100 cards in a year’s time. In that time, your business has not followed the basic security steps of the PCI DSS, nor has it validated its compliance with the standard. A data thief locates one of your security weaknesses and steals the data from all 100 cards. (A common misconception is that hackers don’t target small businesses. I’ll explain further down why this is not the case.)
Just like that, the cost/benefit ratio changes:
- The card issuing banks are out hundreds of thousands of dollars for the fraudulent charges they have to pay back to consumers.
- Your business has to pay for a forensics investigation to determine how the breach occurred and exactly how many credit cards were compromised.
- Visa fines your acquiring bank thousands of dollars. The bank passes those fines down to you and adds a few of their own.
- Your business has to suddenly invest time and money in new, secure technology and processes.
- A significant portion of the 100 customers with stolen data take their business elsewhere, because they’ve had to deal with the trouble of disputing fraudulent charges and getting new cards.
It’s all in the “how,” not the “how many.”
The costs associated with PCI compliance are not based on the number of cards you process, but rather the way in which you process the cards you accept. This is because for the most part, the processing method you use is relative to both the risk and the burden of PCI.
For businesses that have low volume, the “how” of processing credit/debit cards should look something like this:
- Businesses that only process a few transactions here and there should be using the easiest, simplest method (e.g. Square, where there is an aggregator who takes on much of the PCI burden).
- Businesses that have enough volume to warrant paying for a dial-up terminal just need to practice some basic security and answer the 41 questions within SAQ B.
The methods described above are relatively low risk and low burden. Where it gets out of whack is when a business takes just a few payment card transactions, but then uses a full blown POS system on one PC that also has wide open access to the internet. In this scenario, the risk is much higher and the PCI burden is also much higher, requiring a properly configured firewall, tracking of third party service providers, quarterly vulnerability scanning, answering at least 139 questions within an SAQ C, etc.
When it comes to vulnerable businesses, hackers also focus on the “how” of payment processing rather than the number of cards being processed. That’s because the technologies they employ make it just as easy for them to break into thousands of unprotected small businesses as it is to break into one large business processing many transactions.
The bottom line is this: If your business is set up to accept customer payment via credit card then your business is obligated to achieving and maintaining compliance with the PCI Data Security Standard.
Want to learn more about how the PCI DSS applies to your business?
Contact Us. We'd be happy to help.