When it comes to a growing business, the safety and security of sensitive information and data is likely top of mind — especially when it comes to payments.
New advances in commerce and payments technology are often accompanied by new rules and regulations to help ensure that both businesses and consumers are protected. Enter the Payment Card Industry Data Security Standard (PCI DSS), a standard put forth by the five largest credit card companies to help reduce costly consumer and bank data breaches.
Understanding PCI DSS compliance can feel overwhelming for business decision makers. In this guide we break down the need-to-knows of PCI DSS compliance and walk you through the steps you need to safeguard your business and your customers.
Here’s what your PCI compliance checklist could look like if you sell with Square:
PCI Compliance Checklist: What You Need to Know in 2023
| # | PCI DSS Compliance Requirement | Comes Free with Square |
| 1 | Install and maintain a firewall configuration to protect cardholder data. | ✓ |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | ✓ |
| 3 | Protect stored cardholder data. | ✓ |
| 4 | Encrypt transmission of cardholder data across open, public networks. | ✓ |
| 5 | Use and regularly update anti-virus software. | ✓ |
| 6 | Develop and maintain secure systems and applications. | ✓ |
| 7 | Restrict access to cardholder data by business need-to-know. | ✓ |
| 8 | Assign a unique ID to each person with computer access. | ✓ |
| 9 | Restrict physical access to cardholder data. | ✓ |
| 10 | Track and monitor all access to network resources and cardholder data. | ✓ |
| 11 | Regularly test security systems and processes. | ✓ |
| 12 | Maintain a security policy and ensure that all personnel are aware of it. | ✓ |
*This PCI compliance checklist was retrieved on July 2023 and may not be up to date, so be sure you’re compliant by selling with Square or by visiting the PCI Security Standards Council website.
What is PCI DSS compliance?
PCI DSS refers to payment security standards that ensure all sellers accept, store, process, and transmit cardholder data safely and securely during a credit card transaction.
Any merchant with a merchant ID that accepts payment cards must follow PCI-compliance regulations to protect against data breaches. The requirements range from establishing data security policies for your business and employees to removing card data from your processing system and payment terminals.
Cardholder or payment data covers information such as the full primary account number (PAN), the cardholder’s name, the credit card service code, and the expiration date. Sellers are responsible for protecting sensitive authentication data in the magnetic-stripe data (e.g., CAV2, CVC2, CVV2, CID, PINs, PIN blocks, and more).
Organizations that collect, process, store, or transmit payment card transactions must complete and maintain the rigorous processes of verifying PCI compliance. It is important to note that entities involved with payment card transactions must never store sensitive authentication data after authorization. This includes the three- or four-digit security code printed on the front or back of a card; the data stored on a card’s magnetic stripe or chip (also called “full track data”); or the personal identification number (PIN) entered by the cardholder.
What do PCI-compliance requirements mean for your business?
If you’re using multiple independent providers to service your payment life cycle (this could include different providers for your physical or virtual terminal, POS software, payment processor, and acquiring bank), then you’re likely sending and storing your customers’ data between these different providers. As such, you’re probably responsible for self-validating and maintaining your business’s PCI compliance.
Why are you responsible? Each time you pass data between one of these providers, PCI-compliance standards say that you, as the seller, must ensure that each step in this life cycle is encrypted and that data is protected — encoded in a way that only authorized parties can read. To be sure that each step is protected, the PCI Council distributes a self-assessment questionnaire, which is a checklist of requirements that you’re responsible for fulfilling, depending on your business’s transaction volume.
PCI compliance checklists: Who needs one?
For non-Square sellers, the liability to validate and maintain PCI compliance typically falls directly on your shoulders. So it’s wise to check with your acquiring bank to understand if you’re liable and if there are vulnerabilities that could pop up in any part of your card-processing life cycle: places like your physical terminal, your POS software, or cardholder data transmission to service providers. The systems operated by your service providers — also known as the banks that service your merchant account — could also put you at risk for noncompliance and data breaches.
If you’re responsible for validating your PCI compliance, you must first determine the level at which you need to be compliant (here’s a helpful guide), then take the necessary steps recommended for your business type. Depending on your annual transaction volume, the requirements for businesses to maintain PCI compliance could include some or all of the following steps:
-
Hiring an approved scanning vendor (ASV) that might perform network and system scans
-
Completing an annual self-assessment questionnaire (SAQ) or checklist; this is a tool used to report the results of your PCI DSS self-assessment and validate your standing
-
Hiring a qualified security assessment vendor (QSA), which is essentially a digital security firm qualified to perform PCI DSS assessments at your business
Take PCI compliance off your plate with Square.
Is your head spinning yet? You could read this 40-page guide, complete an exhaustive PCI self-assessment, and/or pay a third-party consultant (like the ones listed above) a lot of money to ensure you’re up to date on PCI-compliance standards. Or you could use Square, which requires no filing, no paperwork, and no additional cost.
If you use Square for all storage, processing, and transmission of your customers’ card data, you won’t need to take any steps to become PCI compliant and you won’t need to pay any PCI-compliance fees—so you can toss your PCI compliance checklist once and for all.
Square users aren’t required to self-validate their PCI compliance, or need to worry if they’re meeting checklists for PCI compliance. That’s because our hardware, software, and processing methods are encrypted, tokenized, and PCI-compliant from end to end.
Square’s card-processing systems adhere to the PCI DSS to alleviate these vulnerabilities and protect cardholder data on your behalf — so you don’t have to worry about hiring costly consultants or conducting exhaustive reviews of your payments hardware and software.
And since Square is the merchant of record for every transaction, we deal with the banks on your behalf and take care of the PCI-compliance checklists, regulations and processing for you so that you can focus on running your business. We’ll advocate and work in good faith to resolve any disputes related to a transaction.
Best of all, we provide PCI-compliant hardware and software at no additional cost to you. We never charge extra monthly fees or force you to complete checklists to demonstrate PCI compliance. We do it all free on your behalf.
Learn more about privacy and security at Square and check out this article about best merchant practices for accepting credit cards.
Square takes care of PCI compliance for your business
Square complies with the PCI DSS so you do not need to validate your state of compliance individually.
- Our hardware and readers have end-to-end encryption out of the box, with no configuration required and at no additional cost, without monthly fees or annual assessment requirements. We maintain PCI-compliant software at no additional cost to you, with no monthly contracts or long-term commitments. Provided you use Square for all storage, processing, and transmission of your customers’ card data, you don’t need to take any steps to validate your PCI compliance to Square, and you don’t need to pay any PCI-compliance fees.
- Square is the merchant of record for every transaction. We deal with the banks on your behalf, including for PCI compliance, regulation, and processing. We advocate on your behalf to make sure that simple errors, honest mistakes, and disputes are resolved equitably.
- Square takes a technical approach to security that is designed to protect you and your customers. We adhere to industry-leading PCI standards to manage our network, to secure our web and client applications, and to set policies across our organization. The Square integrated payment system provides end-to-end encryption for every transaction at the point of swipe, dip, or tap and tokenizes data once it reaches our servers. Plus, we monitor every transaction from acceptance to payment, innovate in fraud prevention continuously, and protect your data like our business depends on it.
In addition to PCI Compliance, Square is also SOC 1, 2, and ISO27001 compliant.