If your business collects, transmits, or stores cardholder and credit card data, you need to be PCI compliant. Here are 7 PCI compliance tips for small businesses.
Yes. If your business collects, transmits, or stores cardholder and credit card data, you need to be PCI compliant.
There are twelve PCI requirements you must meet to be PCI compliant.
Our free PCI Guide is a great resource for small businesses because it simplifies and breaks down the process into manageable tasks.
See also: Free SecurityMetrics PCI Guide
It can be tempting for businesses to think of PCI compliance as a checklist. However, we encourage businesses to develop a security mindset and hold themselves to a higher standard than the checklist requires. This means taking a proactive approach to securing your business against new and evolving threats, such as e-skimming,
Prioritizing security may cost more time and money upfront, but it could easily be the difference between your business succeeding or failing. SMBs remain one of the biggest targets for threat actors, and many small businesses are unable to recover from an attack and are forced to close down.
When it comes to PCI compliance, small businesses have their own unique struggles with securing their data. While smaller businesses have less card data to process and store than large businesses, they have fewer resources and smaller budgets for security.
See also: The Importance of the PCI DSS: Why You Should Get Compliant
Many businesses also have difficulty implementing PCI requirements in a way that actually protects their data. Instead, many small businesses treat PCI as a checklist and do the minimum, without thinking about how each requirement applies to data security.
These businesses also don’t fully leverage the standards and practices of the PCI DSS to improve and secure their environment. They’re more concerned with becoming PCI compliant than with becoming secure.
Smaller businesses are often less likely to consistently follow established policies and procedures. Since they only have a handful of systems and few personnel with administrative access, they see following set policies as a waste of time.
However, setting up policies and procedures helps ensure that these security procedures are actually being followed.
Many small businesses view change control and documented hardening standards as busywork. As a result, they rarely document their security controls, if they’re following them at all.
One way to simplify documentation for compliance is to set up a dedicated PCI email user or Active Directory account and add reminders to its calendar so that required security processes aren’t forgotten. Evidence collected from completing PCI compliance tasks can then be stored in this account.
This is a low/no-cost solution to help your employees keep PCI compliance on their minds throughout the year and provide you with all the evidence you need for assessments.
See also: 5 Simple Ways to Get PCI Compliant
A big problem many small businesses have with PCI compliance is that they don’t know much about security. Many business owners think they don’t need to worry about security, but it is something they should be concerned about.
You’ll need to train yourself and your employees on your policies and make sure they understand PCI compliance as well as they should.
Employees need to be aware of their surroundings: many incidents happen because they’re not paying attention. 77% of employees leave their computers unattended. Locking your screen when you step away immediately increases security.
See also: Social Engineering Training: What Your Employees Should Know
There’s a reason vendors release new updates and patches for security vulnerabilities. Patching is critical not just for your computer, but for the applications on it, any network hardware and firewalls, and any mobile devices you use. All systems and devices on your network need to be kept up to date.
See also: PCI Requirement 6: Updating Your Systems
See also: Security Patches in Your Business: Complying with PCI Requirement 6.1
This is a very simple change that costs nothing, yet is very helpful in keeping your data secure. Many hackers choose the easiest path to card data. If your network or systems have easy-to-guess or default passwords, you’re practically opening your business doors to them.
Set up policies for your employees and enforce rules to have passwords changed regularly. It’s recommended to change your password at least every 90 days, and to create new passwords that are at least seven characters in length and contain both alphabetic and numerical characters.
See also: How to Do Passwords Right: Password Management Best Practices
Did you know that 61% of users have unencrypted card data on their systems? You should never store unencrypted credit card data in your environment.
A good way to simplify your PCI compliance is by limiting how much card data you store. The less data you store, the less time and resources you have to devote to securing that data.
See also: PCI DSS Requirement 3: What You Need to be Compliant
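One practical way to act on the two points above (never store clear-text card data, and store as little of it as possible) is to periodically scan your own exports, logs and file shares for anything that looks like a primary account number. The script below is an added example written for this article, not SecurityMetrics code or a SecurityMetrics tool: it finds digit runs of card-number length, confirms them with the Luhn check so that order numbers and tracking IDs are mostly rejected, and masks confirmed hits to the first-six/last-four form that PCI DSS Requirement 3 allows for display. The sample export and the card numbers in it are constructed for the example; the two that validate are publicly known test numbers, not real cards.

```python
import re
from typing import List

# Constructed sample resembling an export or log file that should never
# contain clear-text card data. The two 16-digit values that validate are
# the well-known Visa and Mastercard *test* numbers; the others are an
# order number and a tracking number that happen to be 16 digits long.
SAMPLE_EXPORT = """\
2024-05-01 order=1234567890123456 customer=alice status=paid
2024-05-01 note="retry with card 4111 1111 1111 1111 exp 12/26"
2024-05-02 order=9876543210 amount=42.00
2024-05-02 fallback pan=5555555555554444
2024-05-03 tracking=4111111111111112
"""

# 13 to 19 digits, optionally separated by single spaces or dashes
# (the way people paste card numbers into notes and tickets).
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Every real PAN passes Luhn, but so does roughly one random number in
    ten, so a hit is a candidate for review, not proof of card data.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the regex tolerates, leaving digits only."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid card-length number found in the text."""
    pans = []
    for match in CANDIDATE_RE.finditer(text):
        digits = _normalize(match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four, the maximum PCI DSS permits
    to be displayed; everything in between becomes asterisks."""
    if len(pan) < 13:
        raise ValueError("not a card-length number")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Rewrite the text with every confirmed PAN replaced by its mask."""
    def _sub(match: "re.Match[str]") -> str:
        digits = _normalize(match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)   # leave non-card numbers untouched
    return CANDIDATE_RE.sub(_sub, text)


if __name__ == "__main__":
    hits = find_pans(SAMPLE_EXPORT)
    print(f"{len(hits)} candidate PAN(s) found")
    print(redact(SAMPLE_EXPORT))
```

Run it against a copy of a real export and any hit is a location where card data is being kept in the clear and should be removed or encrypted. The order and tracking numbers in the sample fail Luhn and are left alone, which is why the check is worth the extra few lines over a bare regex.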
If you have a PCI program with a provider, like SecurityMetrics, use their support. Talk to somebody about compliance and get help where you’re struggling. In most cases, that’s a free call. Take advantage of your provider’s support team, since they can answer any questions you have about PCI.
If you don’t have a PCI program, there are a number of resources from the PCI Council and other experts that can help you figure out what your business needs to do to become PCI compliant.
Remember, getting PCI compliant and securing your data is worth the trouble, and it can save your business in the long run.