How to Automate Your PCI Compliance

February 13, 2019 · 5 min read

How to Automate Your PCI Compliance

You’ve spent years building your company and your customers’ trust in it. And you know one of the biggest threats to that trust is lax data security.

At this point, it’s easier to list big companies that haven’t had a data breach than ones that have — T-Mobile, Facebook, Marriott Starwood, Target…the list goes on. Every time this happens, customers lose money and a business’s brand is damaged, sometimes irreparably.

The question is obvious: How do I avoid becoming next? Tackling your online security can seem insurmountable and overwhelming, and you might not have any idea where to start.

The goal: PCI Compliance

The Payment Card Industry Data Security Standard is the baseline for billing security. Those firms meeting its standards are PCI compliant. If you accept debit or credit card payments, you have to be PCI compliant.

Let’s take a moment to go over the process. Start with assessing your current systems, practices, and software to see both where you’re at and what needs work.

Levels of certification

To get started, you need to determine the level of certification you’ll be aiming for. There are four levels of merchant compliance you can fall under. Here’s a very top-level overview of them:

  • Level 1: Six million or more transactions annually
  • Level 2: Between one and six million transactions annually
  • Level 3: Between 20,000 and one million transactions annually
  • Level 4: Less than 20,000 transactions annually

However, it’s not quite as straightforward as that. Each of the major card issuers (Visa, Mastercard, Discover, American Express, and JCB) maintains their own table of merchant levels, with slight differences between them. Discover, Visa, and Mastercard all have mostly the same requirements, with a few small differences, while JCB and American Express have their own versions.

Usually, if you’re at a certain level with one provider, you’re at the same across all providers, but there are a few exceptions. To read more about the exceptions and see the level tables for all of the card issuers, head here.

On top of all of that, the exact technical details of the standards are regularly updated to keep consumers safe from new threats.

Whew. That’s a lot, but you’re not done yet…

Next up: Self-assessment time

Next, you’ll want to head here and download the “Understanding SAQs for PCI DSS” document. That will tell you which of the 9 Self Assessment Questionnaires (SAQs) to download. After you’ve downloaded the right SAQ for your business, you’ll go through about 10-12 questions, and answer “yes,” “no,” or “n/a” for each one.

When you’ve completed that step, you can move on to addressing any gaps in compliance. After you’ve closed all gaps, you can download a Formal Attestation of Compliance (also called an “AOC”), and prepare it along with your SAQ. You’ll then file these with your billing partner, along with any other paperwork they request.

It’s also worth noting that SAQs are only valid for level 2-4 merchants. Level 1 merchants have much higher requirements, including a yearly audit done by a third party company — no self-assessment allowed.

PCI Compliance is the beginning, not the end

While being PCI compliant is necessary, it’s also the bare minimum of security. Home Depot and Target were both PCI compliant when they experienced data breaches. After you’re PCI compliant, you should still be doing the following:

  • Making sure your payment processor avoids storing cardholder data at any point
  • Performing regular security audits and staying abreast of changing standards to make sure you’re up to date
  • And of course, making sure you’re doing the other basics of good security (unique usernames and passwords, having an SSL certificate, training your team on how to recognize social engineering attacks)

Don’t work hard on your PCI compliance, only to have customer data compromised in another, avoidable way.

Making compliance easier

It’s possible you’re even more overwhelmed now than when you started. The good news is that there’s a shortcut: using a payment processor that’s already done the work of being PCI compliant for you. If you’re using a subscription billing tool that has a secure checkout page and uses data tokenization, you can save a lot of time on PCI compliance.

For example, Rebilly accepts the cardholder data sent through the shopper’s browser and then creates a unique token to send to the selling company. This allows our customers to keep basic customer data on file, without having credit card numbers accessible for hackers to steal.

When working with a company like Rebilly, you’ll still have to fill out an SAQ — but that’s all you’ll have to do. Find out which SAQ you’d have to fill out to reach the various levels of compliance by heading here.

Whichever subscription billing management tool you wind up using, security shouldn’t be the only thing you look at. Make smart subscription billing decisions without the stress by downloading our free report that covers security must-haves and has a bonus three-page feature checklist. Get it below:

Six Must-Haves

Enter your email below to receive the Six Must-Haves download and subscribe to Rebilly updates: