PCI compliance is the single most important thing a small business can do to secure its card transactions. The Payment Card Industry Data Security Standard (PCI DSS) was established to help businesses reduce fraud and process card payments securely.
PCI compliance sets requirements for how cardholder data is stored, transmitted and processed. These cover the people, policies and technologies your business uses to handle payments.
To become compliant, you can pay for the help of a PCI SSC Qualified Security Assessor (QSA), choose a payment provider that does the work for you, or go through the steps yourself.
If you do it yourself, first find out which compliance “level” your business falls into. Check with your acquiring bank, payment provider and/or the card brands, as their level categorisations vary. Then complete the appropriate Self-Assessment Questionnaire (SAQ) and Attestation of Compliance (AOC), and submit them to the relevant acquirers, card brands or payment providers.
This involves a lot of paperwork and documentation on your side, but if you choose a PCI DSS-certified payment provider, you may not need to go through all of it yourself. Whichever virtual terminal provider you choose, ask them what you need to do to be compliant and take it from there.