photo of Caleb Avery

PCI Compliance 101

Let’s talk about everyone’s favorite topic: PCI compliance.

If you’re truly interested in learning about PCI compliance (although we’re not sure why you would be) you can check out the Official PCI Security Standards Council website here. If you’re like most people though, trust us when we say that your only real concern should be how to minimize your compliance burden and avoid dealing with it at all costs. 

PCI, for those who don’t know — A.K.A. everyone who isn’t a payments nerd — stands for Payment Card Industry (simple enough, right?) The PCI Council oversees the Payment Card Industry Data Security Standard, or PCI DSS for short. The Council is made up of representatives from the major credit card brands (Visa, Mastercard, American Express and Discover) as well as JCB, a major debit card provider. They are considered an independent body (in the sense that they aren’t appointed or regulated by the government), and they set the rules, requirements, and regulations for what constitutes PCI compliance and what companies need to have in place in order to be compliant at various levels.

Most of it comes down to how you as a company process, store, and transmit sensitive data like credit card details through your system — be it a virtual terminal, a physical one, or a website. The bottom line: Any merchant or company that accepts credit cards has to be PCI compliant at some level. 

Becoming PCI Compliant

For most businesses, it’s reasonably straightforward. The vast majority maintain their compliance through a Self-Assessment Questionnaire (SAQ) that can be completed online by answering anywhere from 25-100 simple questions. This applies mainly to businesses who accept credit cards for payment, but don’t store, process, or transmit any of the credit card information or data along the way. While there are several different versions of the SAQ that become larger and more strict depending on how much a business is involved in processing card data, for most merchants, as long as you’re not writing down credit card numbers on post-its and leaving them around your store or restaurant (please, please, don’t do that), you’ll be able to satisfy the requirements of your SAQ quickly and move on.

But, as a software company that’s building integrated payments into your products, what do you have to worry about in order to be PCI compliant? Like most things when it comes to payment processing, there’s a few different options.

With a managed PayFac provider like Stripe, they manage your PCI compliance for you. When integrating with Stripe, Square, or Braintree, they offer you a small piece of javascript (.js) code that developers place on your website or software. This code allows customers to enter their credit card data on a payments form that appears on your website, but in reality is hosted by the managed PayFac’s network. You as the software company, and your website, never touch the sensitive details.

While the options for where to place the piece of code as well as its branding are limited, it allows you to accept payments through your software without having to worry about safeguarding the information yourself. Instead, Stripe stores it on their system, and sends your software an encrypted token anytime you need to process a transaction. This minimizes your PCI compliance scope so that you only need to fill out an SAQ once a year — with the same simple requirements for your merchants. 

However, as your business grows and you process more transactions each year, you may no longer qualify to use the SAQ. For many companies, when they get to this point they may start to consider becoming their own PayFac through PayFac-in-a-Box options. Once you become your own PayFac though, PCI obligations often become even more complicated, and you likely will have to become Level 1 PCI DSS certified. 

In layman’s terms, that means your company will have to go through a time-consuming and expensive process, including documenting all your system’s structure and protections you have in place as well as an audit. During the audit, an onsite auditor will come to your business, look through your code, examine your security processes, and determine if you have appropriate checks and balances in your development. 

None. Of. This. Is. Free. 

In fact, audits can cost as much as $30,000 on average, and they must be completed each year, as well as any time you make changes to how you process credit cards. That doesn’t include additional costs for consultants to help you through the process, network scans, as well as the time and energy of your team. It can easily become a $50,000-$100,000 line item to maintain PCI Level 1 certification each year. 

PCI Compliance Made Easy 

We should know, because at Tilled we are PCI Level 1 Certified. And as a true partner for your payments processing, we’re always willing to transfer your credit card data to another Level 1 Certified Vault should you decide to switch to another processor or build one out yourself. 

We’ll also never nickel and dime you over PCI compliance. While other processors love charging monthly fees to cover PCI compliance, as well as “gotcha” fees if you don’t fill out your SAQ on time (which they’ll never remind you to do), we don’t charge monthly PCI fees and will never play games about PCI compliance. Not only will we happily remind you each year what you need to do to remain PCI compliant, we’ll help you if you have any questions or concerns about your SAQ.

So, stop worrying about PCI compliance and let Tilled take care of the red tape.

Learn more about Tilled today!

More articles.

Bugs and Love Bugs

A Tale of Quality at Tilled From Butch Mayhew, Head of Quality and Reliability at Tilled One of my main responsibilities at Tilled is to create a strategy for how we deliver high-quality software at Tilled. This all starts with defining what quality is. When you think about quality within a product, how would you […]

Read More

Monetizing Payments for SaaS Platforms: How Does Payment Processing Work?

We’re breaking down how money is actually made through payment processing.  What happens when a card is charged? In episode three of the nine-part video series, James offers a behind-the-scenes look at payment processing, using his self-storage management software, CCStorage, as a real-world example. Check out the entire episode at the video link below, or […]

Read More

Monetizing Payments for SaaS Platforms: Demystifying Payment Processing Terminology

Being “in the know” with common industry terms can set you up for greater success with integrated payments. Before jumping into the world of integrating payments, stop and think about that age-old piece of advice: don’t run before you can walk. Our nine-part series with James Shepherd on “Monetizing Payments for SaaS Platforms” serves up […]

Read More

An Inside Look into Tilled’s White-Label Capabilities

Make integrated payments feel like an extension of YOUR existing product offering – no heavy lifting from your development team required. What is white-labeling? At Tilled, we define white-labeling as the ability for our partners to customize elements of the Tilled merchant experience with their own company branding, colors, and logos.  Why white-label? Working with […]

Read More