
POS compliance guidelines ensure secure payment processing for merchants, ultimately protecting end customers’ data. If you accept payments through a POS system, a basic understanding of POS compliance (aka the PCI DSS standard) is your ticket to avoiding lost customer trust and non-compliance fees.

Using my background in accounting, I'll walk you through the ins and outs of POS compliance—covering everything from understanding PCI DSS requirements to implementing best practices for maintaining compliance.

In this guide, we'll explore key topics, including the basics of POS compliance, PCI DSS requirements, how to become PCI DSS compliant, and other strategies to maintain compliance. By the end, you’ll have a clear understanding of how to navigate and uphold POS compliance effectively.

What Is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) is a set of guidelines you need to follow if you collect, process, transmit, or store credit and debit card data.

Suppose you’re an ecommerce store. When a customer pays you with a debit or credit card, your system collects and processes this sensitive information to receive the payment, and therein lies the problem.

There’s always the risk that someone, such as an employee with access permissions, uses customers’ credit card information to steal money or sells it to cybercriminals. PCI compliance helps keep cardholder data safe by protecting your business against security breaches.

When a cardholder is defrauded, they lose trust in your business and the financial institution that issued the card. That’s exactly why AMEX, MasterCard, Visa, JCB, and Discover decided to set up the PCI Security Standards Council (PCI SSC), the institution that administers PCI and related security standards.

Does My Business Need to be PCI Compliant?

Yes. Every business that accepts debit or credit card payments or processes, transmits, or stores card data must be PCI-compliant, regardless of other factors.

PCI compliance is necessary even if you process only one debit or credit card transaction. You’ll need to complete a Self-Assessment Questionnaire (SAQ) annually and get audited quarterly to be PCI-compliant.

The specific SAQ you need to complete depends on the compliance level you fall into (more on that in the next section).


How Can I Become PCI Compliant?

There are various steps you need to follow to ensure you’re following the right PCI guidelines when accepting card payments via POS terminals or an ecommerce website:

1. Determine Your PCI Level

PCI guidelines classify businesses into four levels, primarily based on the number of transactions:

  • Level 1: Merchants processing more than six million Visa or MasterCard transactions annually, or businesses that have suffered a data breach.
  • Level 2: Merchants processing more than one million and less than six million Visa or MasterCard transactions annually.
  • Level 3: Merchants processing more than 20 thousand and less than one million Visa or MasterCard ecommerce transactions annually.
  • Level 4: Everyone else.

2. Learn About PCI DSS Requirements

Some PCI DSS requirements are applicable to everyone, and some depend on your PCI level. Here are some of the most common ones:

  • Annual SAQ: Level 2, 3, and 4 businesses are required to submit an SAQ annually. The specific SAQ you need to submit depends on your level and business model.
  • Attestation of Compliance (AOC): AOC is a formal declaration stating that you’ve successfully met all PCI compliance requirements. Businesses at all levels must submit the AOC annually to stay compliant.
  • Quarterly Network Scan: Quarterly scans by an Approved Scanning Vendor (ASV) are required for level 1, 2, and 3 businesses. If a level 4 merchant has external-facing IP addresses (because their systems are connected to the internet and they store, process, or transmit cardholder data), they also require quarterly scans.

Here are some examples of level-specific requirements:

  • Assessment Requirements: Level 1 assessments are more intensive and involve an on-site audit by a Qualified Security Assessor (QSA). During the audit, the QSA may assess and review the controls, policies, and procedures put in place to ensure security. Levels 2, 3, and 4 have the freedom to conduct self-assessments using the relevant SAQs.
  • Penetration Testing Requirements: Level 1 merchants are required to conduct annual internal and external penetration tests. Other levels aren’t required to conduct them, but it’s strongly recommended they do so to improve security.
  • Documentation and Evidence Collection: Level 1 businesses require extensive documentation, evidence collection, and validation by a QSA. Other levels still require documentation and evidence, but the process is far less rigorous and generally handled internally.

3. Fulfill PCI DSS Requirements

There are various steps you might have to take to comply with PCI guidelines based on your current infrastructure and PCI level. Here’s a quick overview:

  • Complete a Self-Assessment Questionnaire (SAQ): The first step is to complete a PCI DSS SAQ, depending on your level and the eligibility criteria mentioned in the SAQ. PCI SSC recommends checking with the payment processor to ensure you’ve chosen the right SAQ. Completing this questionnaire helps you validate compliance with PCI standards. If you process a large volume of transactions, you may need to conduct a third-party audit instead of an SAQ.
  • Conduct Your First Vulnerability Scans: Merchants are required to partner with an ASV to conduct quarterly (internal and external) vulnerability scans. If the ASV finds vulnerabilities, you’ll need to fix them.
  • Conduct Your First Annual Penetration Test: Every year, you need to run a manual penetration test to learn about ways that an adversary could break into your systems and access information. The test also helps confirm that controls required by PCI DSS, such as scope, vulnerability management, methodology, and segmentation are in place.
  • Address Vulnerabilities: Vulnerabilities found during testing require immediate attention. Even if you achieved PCI compliance before you started accepting card payments, a subsequent data breach could still result in a penalty. Seeking help from a security professional and consulting the PCI DSS guidance to address vulnerabilities could be a smart move.
  • Get Audited: Large merchants need to get audited by a third party instead of submitting an SAQ. Start the audit only once you’ve internally assessed and are confident that you’re compliant.

Remember: You’ll need to take various measures to fulfill these requirements. For example, to pass the vulnerability scan and penetration tests, you’ll need to install firewalls and antivirus software to create a secure network, encrypt cardholder data, and implement access control measures.

Check out the PCI DSS Reference Guide to learn more about how you can fulfill PCI DSS requirements.

4. Submit Required Documents

The entire process and steps you’ve taken up to this point must be well documented. The documents to submit include:

  • Applicable SAQ
  • AOC
  • Report on Compliance (ROC)
  • Network scan reports
  • Penetration testing reports
  • Evidence of security controls
  • An incident report plan

The Smart Way To Be PCI Compliant

Knowing what goes on behind the scenes is vital, but there’s a more efficient way to achieve compliance than going the manual route. In a word? Delegation.

There are various platforms out there that offer POS hardware, POS apps, payment gateways, and other payment systems required to accept payments securely and stay compliant.

Platforms like Revel Systems, ACID POS, Lightspeed, and Square offer ready-to-use infrastructure that eliminates the hassle of manual compliance procedures. These plug-and-play solutions are a great way to minimize compliance costs and give you the convenience to start using a POS right away.

Cost of PCI Compliance

The exact cost of PCI compliance depends on factors like the size and location of your business, annual transaction volume, and whether you capture and process card-based payments in person or online.

However, there may be company-specific costs as well. For example, you may choose to spend money on training your employees or upgrading to an EMV-enabled POS.

While there’s no single cost estimate for PCI compliance, a few generic costs can be estimated. Generally, the cost of maintaining PCI compliance for small businesses ranges from $300 to $600.

However, the cost of training, policy development, and updating your software and hardware is not included here, and can cost a few thousand dollars depending on your current status. For large enterprises, the cost of remaining in good standing can be significantly higher, ranging from $60,000 to $100,000 per year.

Cost of PCI Non-Compliance

The cost of PCI non-compliance should worry you more than the compliance costs. Fines for non-compliance aren’t officially published, but they are reported to cost between $5,000 and $10,000 per month in penalties until you fix the problem.

That doesn’t even include the cost you’ll have to bear in the case of fraud or data breach. Dealing with fraud or a data breach could include covering financial losses and the cost of expensive litigation, in addition to loss of reputation. Take Target, for example — the company said they had to pay over $200 million when they faced a credit card data breach, including $18.5 million in legal settlement costs.

POS Compliance Is Critical For Reputation Management

Instead of viewing POS compliance as a burden, think of it as an investment toward protecting customer data against hackers and data breaches that can erode your reputation.

PCI compliance can seem complex, but working with the right partner makes the process a lot simpler. Of course, the easiest way to stay compliant is by using ready-to-use solutions that offer compliant POS software and hardware assets.


Arjun Ruparelia

Arjun is an accountant-turned-writer. After a stint in equity research, he switched to writing for B2B brands full-time. Arjun has since written for investment firms, consultants, and SaaS brands in the Accounting and Finance space. He loves chatting about business, balance sheets, and burgers.