
Do SMBs Need to Be PCI Compliant?



Small-to-medium business (SMB) owners juggle so many hats that cybercrime can feel like the least of their worries. After all, you don't handle a large volume of sensitive payment card data, do you? With so many bigger fish to catch, which cyber thief is going to bother stealing card data from the smaller fry?

So PCI compliance may not top the list of must-haves, right?


It's easy for SMBs to be lulled into complacency about PCI compliance, and many are.

SMBs: favored targets for cyberattacks

It's precisely this lax attitude toward data security that makes SMBs favored targets for data theft. According to Trustwave, 71% of cyberattacks hit businesses with fewer than 100 employees.

Trustwave also reports that 80% of these companies go out of business within 18 months because of the repercussions of those incidents.

These dire statistics are among the many reasons the PCI Security Standards Council maintains the PCI DSS requirements, which apply to any and every merchant that accepts, processes, stores or transmits payment card data.

Most SMBs fall into what Visa defines as Level 4: "Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year." The merchant level determines how you validate compliance (for example, a self-assessment questionnaire rather than an on-site assessment), not whether you must comply. It doesn't matter if your business processes 20,000 card payments a year or just one: you are held to the same standard as any large corporation.

The risk of a breach: much higher than you thought

Becoming and staying PCI compliant can seem a confusing and daunting process, which is another reason many small merchants prefer to maintain that they don't need it. Some, weighing the cost of compliance against the perceived benefit, will opt to take the risk, especially when their card transaction volume is very low.

But the likelihood of a breach is high, and so are the expense and repercussions. If you do suffer a data breach, you are not the only one it will affect:

  • Your acquiring bank will face fines from the card brands. Guess who ultimately pays for those, along with extra fees? You.

  • You will need to engage a PCI Forensic Investigator (PFI) to establish exactly how the breach happened and what data was exposed.

  • You will most likely lose the customers whose card details were stolen.

  • You may face litigation from affected customers.

  • You will need to spend time and money rebuilding your reputation, and that will mean becoming PCI compliant anyway.

  • You may also have your ability to accept payment cards suspended.

We hope by now you're realizing that no one can be too cautious. No matter how many hats you have to wear, this is one you can't leave hanging on the rack.

Look for our next blog post, which will provide guidelines on how to become PCI compliant.

10 Apr 2017