Hello and welcome to the CPACharge blog! Here you’ll find accounting industry insights and educational resources on topics like payment processing, financial technology, CPA firm security, and more. As the experts in payment processing for CPA firms, we aim to make the CPACharge blog your go-to resource for getting paid and staying up to date on industry trends.
With the seemingly endless stream of data breaches we hear about on the news, it’s more important than ever for businesses to do all they can to protect their customers’ data—and that includes payment data. If you accept credit and debit payments, you’ve probably heard the phrase “PCI compliance,” but if you have lingering questions about what it is and what it requires of your firm, this post is designed to help.
We’ll provide an overview of PCI compliance, including why it was created and how your firm can stay compliant throughout each year.
What is PCI compliance?
Regardless of your industry, if your company accepts, processes, stores, or transmits credit card data, you must be compliant with the standards mandated by the Payment Card Industry Security Standards Council (PCI SSC). Founded and governed by major credit card brands—namely Visa, Mastercard, Discover, JCB International, and American Express—the council’s mission is to monitor and address ongoing security issues presented by the use of credit, debit, and prepaid cards. To become compliant, businesses accepting card payments must meet the requirements of the card brands they accept.
While PCI compliance isn’t required by law, it’s a vital practice for keeping cardholder data, as well as your firm, as safe as possible from cybersecurity attacks. By following PCI standards, you equip your firm with current data security practices and test their effectiveness every year. Staying compliant also helps you avoid penalties from your acquiring bank or payment processor, either of which may fine you if they find you aren’t compliant.
PCI compliance levels
The major credit card brands each define at least four compliance levels that a business can fall under, depending on the volume of transactions it processes each year. CPA firms that accept card payments typically fall under the lowest level, which covers businesses processing anywhere from fewer than 20,000 up to 1 million transactions per year. The general requirement for most businesses at this level is to complete a Self-Assessment Questionnaire (SAQ).
Businesses that use only online payment processors have the easiest SAQ to complete. It consists of about 22 questions and can often be completed within 15 minutes. The best online payment processors will even walk you through each step of the compliance process to ensure your SAQ is completed quickly and correctly every year.
PCI Data Security Standards
The PCI council created the PCI Data Security Standard (PCI DSS) to give merchants a baseline for developing secure practices. Below we’ve listed the six goals outlined by the council, and we’ve summarized the practices you can adopt in your firm to become PCI compliant.
By implementing these security measures and staying current on your annual questionnaire, you’re taking appropriate steps to ensure your firm’s payment data is safe and secure.
To learn more about how you can run a secure, PCI-compliant firm, download our free e-book, “Building a Secure Practice: A Guide for CPAs.”