How to protect your customers and business from payment card fraud

November 30, 2023 | 4 minute read

Payment card fraud has become a growing concern for merchants, with global losses totaling $32 billion in 2022, according to an estimate by business intelligence firm Nilson.1 While large companies typically have healthy budgets to combat these threats and absorb losses, small businesses often struggle to recover from such attacks.


To reduce the number of costly data breaches, the Payment Card Industry (PCI) Security Standards Council has adopted a set of standards, commonly referred to as PCI compliance, that every merchant processing card transactions is required to implement. While the standards include more than 300 individual steps in 12 broad categories, providers of payment processing systems often build many of these security requirements into their point-of-sale technology or e-commerce software, which helps small businesses comply with the standards more easily.


Merchants are required to validate their compliance with the PCI Data Security Standards at least once a year. Firms with more complex payment environments must also run a vulnerability scan each quarter.


Protecting card data

At the heart of the standards are measures to protect card data against a possible breach, both during a transaction, when the card information is collected and transmitted to the card processor, and afterward, when card data may be stored as part of a sales record or for recurring charges.


The main categories for PCI compliance include such things as maintaining firewalls, password security, protection for cardholder data, encrypted transmission of data, antivirus software, restricting access to cardholder data and providing security training to employees.


One of the main benefits of PCI compliance is that it helps protect cardholder information by preventing data breaches that lead to card fraud. Data breaches can seriously damage small businesses, often costing millions of dollars in investigation costs as well as mitigation and cleanup. The 2023 Cost of a Data Breach Report by IBM found that for organizations with up to 1,000 employees, the average price tag for a breach is $3.3 million.2


“While compliance costs are different for every company, they’re nowhere near the cost of a data breach,” says Timothy Thomas, senior product manager at Bank of America, who helps small businesses with PCI compliance.


Small firms can self-assess

Thomas explains that while bigger firms need to bring in qualified security assessors who then file detailed reports, including security scans on the company’s PCI compliance, small merchants can do a self-assessment by filling out a questionnaire that shows that they understand what compliance involves and are taking the necessary security measures.


Small merchants can simplify the PCI compliance process by investing in secure point-of-sale payment hardware, which can strengthen cybersecurity while reducing the PCI requirements that apply to them, such as having to configure a firewall or conduct a quarterly security scan. “If you use the most secure, up-to-date payment terminals with point-to-point encryption on a segmented network, for example, you dramatically reduce the risk of breach as well as the scope of PCI requirements,” says Thomas.


For most small businesses, the key steps in becoming compliant include visiting the PCI council’s website or contacting their financial institution to perform these tasks:


  • Determine which of the 10 self-assessment questionnaires (SAQ) applies to the business.
  • Download and print the appropriate questionnaire(s).
  • Answer the questions and ensure compliance with each of the requirements.
  • Deliver the completed questionnaire to the appropriate bank.
  • If the SAQ requires a vulnerability scan, contract with an authorized scanning vendor and provide proof of a clean scan quarterly to the bank.


Small businesses that have a merchant account with Bank of America may also take advantage of the PCI Assist Portal to streamline the steps for compliance.


Breaches have costly penalties and fines

Because merchants can be fined for failing to comply with the PCI standards — large organizations can be fined by the major card brands for noncompliance — avoiding penalties is another reason to ensure that your business is PCI compliant. Merchants might also have to pay for costly lawsuits and insurance claims. In addition, small businesses with fewer than 1 million annual transactions can be required to pay government and payment card fees averaging more than $200,000 after a data breach.3


In addition to avoiding these financial repercussions, PCI compliance helps merchants boost consumer confidence and improve their reputation with customers, acquirers and card brands. When cardholder data is compromised, the reputational damage can limit an organization’s ability to conduct business both in-store and via e-commerce. A poor reputation for security on social media also can affect a merchant’s business materially.4

1 Nilson Report, “Card Fraud Worldwide,” December 2022.

2 IBM Security, “Cost of a Data Breach Report 2023,” 2023.

3 IS Partners, “PCI Non Compliance Fines & Consequences,” Aug. 11, 2022.

4 Digistor, “What Happens to a Company’s Reputation After a Data Breach?” Dec. 17, 2022.
