Do small businesses need to be PCI compliant?
Yes. If your business collects, transmits, or stores cardholder and credit card data, you need to be PCI compliant.
Get Started with PCI ComplianceStart Here
How does a small business become PCI compliant?
There are twelve PCI requirements you must meet to be PCI compliant.
- Protect your system with firewalls
- Configure passwords and settings
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Regularly update and patch systems
- Restrict access to cardholder data to business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to workplace and cardholder data
- Implement logging and log management
- Conduct vulnerability scans and penetration tests
- Documentation and risk assessments
Our free PCI Guide is a great resource for small businesses because it simplifies and breaks down the process into manageable tasks.
It can be tempting for businesses to think of PCI compliance as a checklist. However, we encourage businesses to develop a mindset of security and hold themselves to a higher standard of security. This will mean taking a proactive approach to secure your business against new and evolving threats, such as eskimming,
Prioritizing security may cost more time and money upfront, but it could easily be the difference between your business succeeding or failing. SMBs remain one of the biggest targets for threat actors. Many small businesses are unable to recover from an attack and are forced to close down.
Here are 7 PCI compliance tips for small businesses:
When it comes to PCI compliance, small businesses have their own unique struggles with securing their data. While smaller businesses have less card data to process and store than large businesses, they have fewer resources and smaller budgets for security.
A lot of businesses also have difficulty implementing PCI requirements in a way that actually protects their data. Instead, many small businesses will treat PCI as a checklist and do the minimum, without thinking of applying it to data security.
These businesses also don’t fully leverage standards and practices by the PCI DSS to improve and secure their environment. They’re more concerned with becoming PCI compliant than secure.
1. Create policies and procedures
Smaller businesses are often less likely to consistently follow established policies and procedures. Since they only have a handful of systems and few personnel with administrative access, they see following set policies as a waste of time.
However, setting up policies and procedures helps ensure that these security procedures are actually being followed.
- Document all your policies and have them accessible to your employees
- Scope out your environment and document what part of your environment needs to be secure
- Make sure your employees are all trained on these policies
2. Update PCI documentation
Many small businesses often view change control and documented hardening standards as busywork. As a result, many small businesses rarely document their security controls, if they’re following them at all.
One way to simplify documentation for compliance is to set up a PCI email user or active directory account for PCI and add reminders in the calendar to make sure required security processes aren’t forgotten. Evidence collected from completing PCI compliance tasks can then be stored in this account.
This is a low/no-cost solution to help your employees keep PCI compliance on their minds throughout the year and provide you with all the evidence you need for assessments.
- Document all changes to your security environment
- Set up up a regular schedule for documentation purposes
SEE ALSO: 5 Simple Ways to Get PCI Compliant
3. Train yourself and your employees
A big problem many small businesses have with PCI compliance is they don’t know all that much about security. Many business owners think they don’t need to worry about security, but it is something they should be worried about.
You’ll need to train yourself and your employees on your policies and make sure they understand PCI compliance as well as they should.
Employees need to be aware of their surroundings: a lot of things happen because they’re not paying attention. 77% of employees leave their computers unattended. Locking your screen when you step away immediately increases security.
- Set up quarterly, if not monthly training meetings for employees
- Train employees to be aware of their surroundings and to follow procedures
- Test your employees by hiring an ethical social engineer
4. Keep your systems up to date
There’s a reason vendors release new updates and patches for security vulnerabilities. This is critical for not just your computer, but the applications on the computer, any network hardware/firewalls, and any mobile devices you use. All systems and devices that are on your network need to be updated.
SEE ALSO: PCI Requirement 6: Updating Your Systems
- Subscribe to vendors’s patch/upgrade list to stay current on the latest security patches
- Establish a schedule to do security patching on a regular basis
- Do vulnerability scanning to find security holes
5. Change passwords regularly
This is a very simple change that offers no cost, and yet is very helpful in keeping your data secure. Many hackers choose the easiest path to find card data. If your network or systems have easy-to-guess or default passwords, you’re practically opening up your business doors to hackers.
Set up policies for your employees and enforce rules to have passwords changed regularly. It’s recommended to change your password at least every 90 days, and to create new passwords that are at least seven characters in length and contain both alphabetic and numerical characters.
- Make sure employees have unique passwords and usernames
- Implement a policy where employees change their passwords regularly
- Change all default passwords and usernames on your network and systems
6. Only store necessary card data
Did you know that 61% of users have unencrypted card data on their systems? You should never store unencrypted credit card data in your environment.
A good way to simplify your PCI compliance is by limiting how much card data you store. The less data you store, the less time and resources you have to devote to securing that data.
- Scope out your environment to find any unencrypted card data
- Implement P2PE encryption on your card data
- Consider using tokenization to eliminate the need to handle card data follow for more data security articles like this
7. Get help from an expert
If you have a PCI program with a provider, like SecurityMetrics, use their support!! Talk to somebody about compliance and get help where you’re struggling. In most cases, that’s a free call. Take advantage of your provider’s support team since they can help you with any questions you have about PCI.
If you don’t have a PCI program, there are a number of resources from the PCI Council, and other experts that can help you figure out what your business needs to do to become PCI compliant.
- If you have a QSA, get help from them year-around
- Look up security blogs and articles for tips on best security practices
Remember, getting PCI compliant and securing your data is worth the trouble, and it can save your business in the long run.