Make sure you're prepared to meet PCI DSS compliance mandates
Complying with the Payment Card Industry Data Security Standard (PCI DSS) is not a one-and-done exercise. Meeting PCI mandates requires ongoing effort. While the complexity of the requirements can seem daunting to small- and medium-sized merchants, the standard offers a tangible framework for securing business systems and processes. By achieving and maintaining PCI DSS compliance, you are not only fulfilling your responsibility to protect cardholder data, you are taking concrete steps to prevent payment card fraud. PCI compliance also brings security benefits that are good for business, helping build customer trust and supporting success over the long term. As a business owner accepting credit card payments, it is worth your time and effort to meet PCI compliance mandates. Let's take a closer look.
Assessing your PCI DSS compliance
The first step to meeting PCI DSS compliance is a baseline assessment of where your business stands. For most small- and medium-sized merchants this means completing a Self-Assessment Questionnaire (SAQ), in which you answer detailed questions about your business and your card acceptance procedures. (The largest merchants are instead assessed on site by a Qualified Security Assessor, who produces a Report on Compliance.) You then complete and submit a statement known as an Attestation of Compliance, attesting that you have completed the SAQ and that your business meets the PCI DSS requirements published by the PCI Security Standards Council.
Note that there are several SAQs, and which one applies depends on how payment cards are accepted. For example, if you accept cards on a standalone POS terminal you complete a different SAQ than if you accept cards through an e-commerce website. If you are unsure which SAQ applies, your acquirer (the bank or processor that settles your card transactions) or a Qualified Security Assessor can help you decide. Be sure to check the PCI Security Standards Council's quick guide for small merchants to get started on achieving PCI compliance.
Maintaining your payments compliance
Once you have met the PCI regulations, you’ll need to put measures in place to continually maintain your status. Here are some ways to do so:
- Conduct regular security checks. Testing the security of your systems is the most direct way to confirm you remain in compliance. PCI DSS requires an external network vulnerability scan at least once every three months, and that scan must be performed by an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council; an in-house IT specialist cannot substitute for it. Internal vulnerability scans, also required at least quarterly, can be run by a qualified member of your own staff or by a vendor. Rescan after any significant change to your environment, and remediate and rescan until the results are clean.
- Enforce password and account rules. One of the simplest ways to keep your systems secure is to enforce PCI DSS's authentication requirements: every user gets a unique ID, accounts and passwords are never shared, and passwords are changed on a fixed schedule. The standard requires a change at least every 90 days (a monthly rotation is stricter than required and tends to push staff toward weak, predictable passwords); PCI DSS v4.0 also permits a longer interval when account security posture is analyzed dynamically, and requires multi-factor authentication for access into the cardholder data environment.
- Perform system access audits. To maintain data security, staff should have the lowest level of access needed to do their jobs. In particular, do not give associates access to full card numbers unless their duties absolutely require it; PCI DSS requires the primary account number (PAN) to be masked when displayed, showing at most the first six and last four digits, and lets you grant full-PAN display only to roles with a documented business need. Review who holds each level of access on a regular schedule and remove access that is no longer needed. Unnecessary access puts your company at undue risk and exposes valuable customer data to people who have no reason to see it.
- Implement employee training. The PCI Security Standards Council periodically revises the standard and its supporting guidance in response to changes in the payments industry and in attack techniques. Stay informed about these updates, and require employees to complete security awareness training when hired and at least annually thereafter, as the standard itself requires.
- Create and maintain a security policy. PCI DSS requires a documented, maintained security policy. Keep an up-to-date security policies and procedures document for your business that covers everything listed above plus any additional activities you perform to protect payment and cardholder data. Make this document readily available to your staff and use it as the guide for tracking all payment security activities.
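The access-audit point above is easier to enforce in software than by policy alone. The following is an added example, not code from Vantiv or from the PCI Security Standards Council: a small role-based policy in which only roles with a documented need see the full PAN, every other role sees the PAN masked to the first six and last four digits (the maximum PCI DSS allows on display), and a review function lists which users currently hold full-PAN access. The role names, the `ROLE_POLICY` table, the user assignments and the test card number are all constructed for illustration.

```python
from enum import Enum


class PanAccess(Enum):
    """Level of access a role has to the primary account number (PAN)."""
    NONE = "none"      # must not see the PAN at all
    MASKED = "masked"  # sees first six / last four only (PCI DSS display masking)
    FULL = "full"      # sees the full PAN; requires a documented business need


# Constructed example policy: only the chargeback analyst role needs the full PAN.
ROLE_POLICY = {
    "cashier": PanAccess.MASKED,
    "support": PanAccess.MASKED,
    "chargeback_analyst": PanAccess.FULL,
    "marketing": PanAccess.NONE,
}


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six and last four digits.

    Spaces and dashes are stripped first so formatted input masks the same way.
    A PAN is 13 to 19 digits long; anything else is rejected rather than guessed at.
    """
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def render_pan(pan: str, role: str, policy=ROLE_POLICY) -> str:
    """Return the PAN as the given role is allowed to see it.

    Unknown roles default to no access (deny by default), so a typo in a role
    name cannot accidentally grant full-PAN display.
    """
    level = policy.get(role, PanAccess.NONE)
    if level is PanAccess.FULL:
        return "".join(ch for ch in pan if ch.isdigit())
    if level is PanAccess.MASKED:
        return mask_pan(pan)
    raise PermissionError(f"role {role!r} may not view cardholder data")


def audit_full_access(assignments: dict, policy=ROLE_POLICY) -> list:
    """List users whose role grants full-PAN access, for the periodic access review.

    `assignments` maps user name -> role name (constructed input in the demo below).
    """
    return sorted(
        user for user, role in assignments.items()
        if policy.get(role, PanAccess.NONE) is PanAccess.FULL
    )


if __name__ == "__main__":
    # Constructed demo data; 4111 1111 1111 1111 is a well-known test card number.
    test_pan = "4111 1111 1111 1111"
    users = {"alice": "cashier", "bob": "chargeback_analyst", "carol": "intern"}
    for role in ("cashier", "chargeback_analyst"):
        print(f"{role:>18}: {render_pan(test_pan, role)}")
    print("users with full-PAN access:", audit_full_access(users))
```

Masking on display is only one of the PAN protections the standard requires; stored PANs must separately be rendered unreadable (for example by strong encryption, truncation or tokenization), and the list returned by `audit_full_access` is the kind of evidence an assessor will ask to see for the periodic access review.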
Don't leave your PCI compliance to chance
The ability to accept electronic payments is a privilege, not a right, and your acquirer can revoke it. Protect your business and your ability to accept card and other electronic payments by achieving and maintaining PCI compliance. Vantiv is a good resource to consult about tailoring your PCI compliance procedures to your business. Contact us today to make sure your business measures up to PCI DSS.