Top 5 PCI and Salesforce Compliance Questions.

Protect your organization and your customers’ data.

The average cost of a US data breach in 2022 was $9.44M according to an IBM Security report. Could your organization weather the financial and reputational burden of a breach? What safeguards do you have in place to prevent a disaster of this scope from impacting your company (and your customers)? Whether your customer base is 100% virtual or point of sale, PCI compliance is critical. 

Your CRM system can play a huge part in reducing your PCI scope. To help you stay ahead of the curve in keeping your customer credit card information secure, we have answered the top five questions that business leaders ask about PCI and Salesforce.

PCI Compliance

Question 1: Why does my organization need to be PCI compliant?

You should be PCI compliant because it protects your organization and your customers’ data. The (in)famous 2013 Target data breach cost them nearly $300 million, including fines, legal settlements, and reputational damage to an otherwise beloved brand.

Additionally, your company can face fines from card issuers if you are out of compliance with PCI DSS requirements. Not to mention, the Consumer Financial Protection Bureau (CFPB) has increased enforcement of the Consumer Financial Protection Act for companies that fail to adequately protect data security.

Question 2: Is Salesforce PCI compliant?

Yes. Salesforce is PCI certified and maintains an updated list of cloud certifications on its Trust site. You can visit the Trust site for the latest PCI compliance status.

Question 3: How does my organization become PCI certified?

Your organization must complete the PCI DSS assessment and submit your assessment to the PCI Security Standards Council. The PCI DSS provides a detailed, 12-requirement structure for securing cardholder data that is stored, processed, and/or transmitted by merchants and other organizations, namely ensuring a secure network, building security controls, and implementing measures to manage data vulnerability. The board will review your assessment and determine if your company’s data security process meets its standards. The certification process is quite detailed.

Question 4: What are the levels of PCI certification? 

You may have heard someone refer to their business as “PCI-DSS level 1 compliant.” There are 4 levels, based on the number of card transactions your organization processes each year. 

Level 4: An organization that takes between 1 and 20,000 card transactions per year
Level 3: Between 20,000 and 1 million transactions per year
Level 2: 1 to 6 million transactions per year
Level 1: over 6 million transactions per year

Question 5: Which attestation form — or SAQ — should Salesforce customers use?

Your PCI level ties to the type of attestations you can use to have your compliance certified. If you are processing payments solely from Salesforce, and process fewer than 20,000 card transactions each year, then it is likely that an SAQ-C is a safe bet. If you want to achieve PCI compliance, the best thing to do is seek the advice of a qualified security assessor or QSA who can give you their professional opinion.

Bonus: The PCI Compliance Golden Rule

The best rule of thumb is: “Hear no card, See no card, Touch no card.” In other words, making it simple for the customer to enter their own card information works in everyone’s favor. Use this golden rule as your overarching strategy to minimize your company’s PCI burden.

If your organization accepts credit cards as a form of payment, you will always have some level of PCI compliance burden. While the appropriate use of Salesforce and Chargent offers a key foundation for achieving PCI compliance, ultimately your organization is responsible for data security and handling credit card data that you collect – and if you don’t get it right, the risk of damaging your brand and incurring significant financial penalties is high.

Taking payments directly in Salesforce with Chargent helps reduce your PCI scope, with secure tokenization through 30+ payment gateway integrations, and self-service payment options that make it easier to live by the golden rule. Want to see how it works? Install our 30-day free trial to experience how Chargent can make your payments safer and more compliant.
