PCI for SMBs: resources to help SMBs learn about data security and PCI Compliance.
We often get questions from small business owners about where they fit in with data security and PCI compliance. Are they expected to go as far as large companies with their security controls? Do the same requirements apply to them? While their day-to-day involvement and implementation costs will differ from those of large enterprises, the data security principles needed to achieve PCI compliance remain the same.
As an SMB owner, your business size and card processing environment will ultimately determine which SAQ you need to follow. But it’s important to recognize the unique risks and challenges SMBs face when getting compliant with the PCI standards. They sometimes lack the time, manpower, and cash flow to properly implement all data security controls.
We hear about massive data breaches like Equifax, Target, and Yahoo in the news, but experts estimate small businesses account for 200-300 payment card data breaches per day.
Here are the top 5 blogs from SecurityMetrics to help you as you work towards better security and PCI compliance for your business.
A PCI Self-Assessment Questionnaire (PCI SAQ) is a merchant’s statement of PCI compliance. It’s a way to show that you're taking the security measures needed to keep cardholder data secure at your business.
Each SAQ includes a list of security standards that businesses must review and follow. PCI SAQs vary in length. SAQ A is the shortest with just 22 questions, and the longest is SAQ D with 329 questions.
There are 9 different SAQs that a merchant can choose from. How you process credit cards and handle cardholder data determines which SAQ your business needs to fill out. For example, if you don't have a storefront and all of your products are sold online through a third party, you probably qualify for SAQ A or SAQ A-EP. If you have a storefront that processes credit cards through the Internet and you also store customer credit card data, you're probably an SAQ D merchant.
When it comes to PCI compliance, small businesses have their own unique struggles with securing data. While smaller businesses have less card data to process and store than large businesses, they also have fewer resources and smaller budgets for security.
A lot of businesses also have difficulty implementing PCI requirements in a way that actually protects their data. Instead, many small businesses will treat PCI as a checklist and complete the bare minimum, without thinking of applying PCI requirements to data security.
These businesses also don’t fully leverage standards and practices by the PCI DSS to improve and secure their environment. They’re more concerned with becoming PCI compliant than secure. This attitude can leave their business open to an expensive and damaging data breach.
As you might expect, we get a lot of questions about PCI DSS Compliance. Read this blog to learn PCI basics and get the answers to our most frequently asked questions.
The Payment Card Industry Data Security Standard (PCI DSS) was established in 2006 by the major card brands (i.e., Visa, MasterCard, American Express, Discover Financial Services, JCB International).
All businesses that process, store, or transmit payment card data are required to implement the standard to prevent cardholder data theft. Your card-handling practices and processing environment determine which PCI DSS requirements apply to your business.
SEE ALSO: What are the 12 Requirements of PCI DSS Compliance?
Do you know where you struggle with data security? Are you compliant with all government and financial mandates? Do you know how to get started?
While risk assessments are a good place to start in securing your business’s data, many businesses aren’t even sure where to start with a risk assessment. It can be difficult to put together a list of all possible risks a business may have in an organized, understandable document.
We noticed this problem and looked into what could be done to help businesses put together their risk assessments quickly and efficiently. That’s where the NIST 800-30 Risk Assessment comes in.
The topic of compliance cost is popular with merchants of all sizes, but more so for small businesses. Being PCI compliant involves more than just filling out a PCI SAQ or completing a vulnerability scan. A lot of work and resources go into changing business procedures to ensure the protection of customer credit card data and eventual PCI compliance.
Many businesses are confused about what budget they should set for PCI compliance. Often, they budget too little. Small budgets make it difficult for IT departments and third parties to upgrade equipment to the latest security standards to ensure the business protects data security.
For more information about PCI Compliance or PCI audits for businesses of any size, please contact us here.