Security and Compliance

What CPAs Need to Know About PCI Compliance

John Lehman
May 04, 2018

With the seemingly endless stream of data breaches we hear about on the news, it’s more important than ever for businesses to do all they can to protect their customers’ data—and that includes payment data. If you accept credit and debit payments, you’ve probably heard the phrase “PCI compliance,” but if you have lingering questions about what it is and what it requires of your firm, this post is designed to help.

We’ll provide an overview of PCI compliance, including why it was created and how your firm can stay compliant throughout each year.

What is PCI compliance?

Regardless of your industry, if your company accepts, processes, stores, or transmits credit card data, you must be compliant with the standards mandated by the Payment Card Industry Security Standards Council (PCI SSC). Founded and governed by major credit card brands—namely Visa, Mastercard, Discover, JCB International, and American Express—the council’s mission is to monitor and address ongoing security issues presented by the use of credit, debit, and prepaid cards. To become compliant, businesses accepting card payments must meet the requirements of the card brands they accept.

While PCI compliance isn’t required by law, it’s a vital practice for keeping cardholder data, as well as your firm, as safe as possible from cyberattacks. By following PCI standards, you can equip your firm with the most up-to-date practices in data security and test their effectiveness on an annual basis. Staying compliant can also help you avoid potential penalties from your acquiring bank or payment processor, which may charge you fines if they find you aren’t compliant.

PCI compliance levels

The major credit card brands have at least four different levels of compliance that businesses can fall under, depending on the volume of transactions they process each year. CPA firms that accept card payments typically fall under the lowest level, processing anywhere from fewer than 1 million down to around 20,000 transactions per year. The general requirement for most businesses at this level is to complete a Self-Assessment Questionnaire (SAQ).

[Graphic: PCI compliance levels]

Businesses that strictly use online payment processors have the easiest SAQ to complete. It consists of about 22 questions and can often be completed within 15 minutes. The best online payment processors will even walk you through each step of the compliance process to ensure your SAQ is completed quickly and correctly every year.

PCI Data Security Standards

The PCI council created the PCI Data Security Standard (PCI DSS) to give merchants a baseline for developing secure practices. Below we’ve listed the six goals outlined by the council, and we’ve summarized the practices you can adopt in your firm to become PCI compliant.

  • Build and maintain a secure network: Ensure that your systems have firewalls installed and regularly updated. Generate a strong password for your network, and never keep the default password that shipped with your network equipment.
  • Protect cardholder data no matter what: Use an online payment processor who will encrypt and protect your clients’ sensitive card data for you. If you do have cardholder data stored on computers, be sure to enable whole drive encryption.
  • Maintain a vulnerability management program: Keep your antivirus and anti-malware program running and up-to-date. Watch for notifications on your machine about system updates and install them as soon as possible, or enable auto-updating features.
  • Implement strong access-control measures: Create unique log-in accounts for each employee and ensure they only have access to what they need to complete their tasks. Any physical card data in your office should be protected in a locked cabinet or safe.
  • Regularly monitor and test networks: Test your cybersecurity measures regularly by trying to access sensitive data on your systems and making sure users who shouldn’t be able to access it can’t.
  • Maintain an information security policy: Draft a security policy that outlines how your business uses technology and handles sensitive data. Go over your security standards with each member of your team and anyone you do business with.
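The “protect cardholder data” and “regularly monitor and test” goals above both rest on one practical question: is unencrypted card data sitting in files where it shouldn’t be? The script below is an added example, not code from the original post or from any PCI body. It scans lines of text for candidate card numbers (13 to 19 digits, optionally separated by spaces or dashes), keeps only those that pass the Luhn check that real card numbers satisfy, and reports each hit with the number masked to its first six and last four digits so the report itself does not become stored cardholder data. The sample lines are constructed for the example and use published test card numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so a 20-digit ID is not split up).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check.

    Walking from the right, every second digit is doubled and, if the result
    exceeds 9, reduced by 9; the sum of all digits must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


@dataclass
class Finding:
    source: str   # file name or other label for where the line came from
    line_no: int  # 1-based line number within that source
    masked: str   # masked card number, never the full PAN


def scan_lines(source: str, lines: list[str]) -> list[Finding]:
    """Scan each line and return masked findings with their location."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append(Finding(source, line_no, mask_pan(pan)))
    return findings


# Constructed sample input: one invoice number that happens to be 16 digits
# (fails Luhn, so it is not reported), two published test card numbers that
# should be flagged, and a line with only short digit runs.
SAMPLE_LINES = [
    "Client: A. Example, invoice 1234567812345678 paid by card",
    "card on file: 4111 1111 1111 1111 exp 12/29",
    "refund to 5500-0000-0000-0004 processed",
    "phone 555-0100, case 20180504",
]


if __name__ == "__main__":
    for f in scan_lines("sample_notes.txt", SAMPLE_LINES):
        print(f"{f.source}:{f.line_no}: possible card number {f.masked}")
```

Run against a real directory by reading each file’s lines into `scan_lines`; a hit means either the data should be moved into the payment processor’s vault, or the file should be deleted and the machine’s whole-drive encryption confirmed. The Luhn filter removes most invoice, account, and phone numbers from the report, but it is a discovery aid, not proof of compliance.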

[Graphic: PCI Data Security Standards]

By implementing these security measures and staying current on your annual questionnaire, you’re taking appropriate steps to ensure your firm’s payment data is safe and secure.

To learn more about how you can run a secure, PCI-compliant firm, download our free e-book, “Building a Secure Practice: A Guide for CPAs.”
