How does my small business achieve PCI DSS certification?
Achieving PCI DSS (Payment Card Industry Data Security Standard) compliance, often loosely called PCI certification, can be a formidable task for any business, especially a small business with limited staff and resources. But if you accept credit card payments, you are required to be PCI compliant, and the controls the standard prescribes are what keep your business from being an easy target for a data breach and the financial losses that follow. Beyond the financial burden, a breach can cause your customers to lose confidence in your brand and take their business to your competitors instead.
What can happen in the event of a data breach
There are many negative effects of a data breach. The fallout can hurt your business, your customers and even your financial institution. In addition to substantial fines you may be subject to if you’re found to be out of compliance at the time of breach, you could also experience:
- Legal costs, settlements and judgments related to the breach
- Fines and penalties including the cost of reissuing customers' cards
- Loss in consumer confidence leading to reduced sales volume
- Higher costs and standards of compliance going forward
- Lost jobs
- Loss of the ability to accept payment cards at all
- Going out of business altogether
How to protect all facets of your business
In order to best protect your business from data theft, you must take measures to secure sensitive customer data at all points through the payment transaction, from swipe (or “dip”, in the case of EMV chip cards) to settlement. Here are some potentially vulnerable locations from which data thieves may try to steal information:
- Compromised card reader
- Vulnerable online network
- Weak remote access credentials
- Paper records in a filing cabinet
- Data in an online payment system database
- Hidden camera that records your staff entering authentication data
- Secret tap into your store’s networks—both wireless and wired
You must take steps to protect:
- POS (point of sale) systems
- Card readers
- Store networks and wireless access routers
- Remote access connections and who is permitted to use them
- Payment card data storage and transmission
- Payment card data kept in paper records
- Online payment systems and eCommerce shopping carts
Assessing the PCI compliance of your systems
For most small businesses, a good first step toward PCI DSS compliance is to complete a Self-Assessment Questionnaire (SAQ). The SAQ is a self-check against the requirements that apply to you. Which SAQ you fill in depends on how you accept payments: for example, SAQ A covers merchants that fully outsource card handling to a validated third party, while SAQ D applies to merchants that store cardholder data on their own systems. Some SAQ types also require quarterly external vulnerability scans by a PCI-approved scanning vendor (ASV). Your acquiring bank or payment processor can tell you which SAQ applies to you and what is required to complete it.
The PCI Security Standards Council recommends that small businesses think about compliance as a three-step process:
- Assess. In this step, you take an inventory of every place on your systems where you capture, transmit or store cardholder data, including places you did not plan for, such as debug logs, spreadsheets and e-mail, and then analyze those systems for potential vulnerabilities.
- Remediate. In this step, you fix the vulnerabilities discovered in the assessment and, wherever your business can do without it, stop storing cardholder data altogether: data you do not hold cannot be stolen. Sensitive authentication data (the full magnetic stripe or chip track data, the CVV/CVC code and PIN data) must never be stored after authorization, even encrypted.
- Report. Lastly, you compile and submit the required documentation, typically the completed SAQ and an Attestation of Compliance (AoC), to the acquiring banks and card networks with whom you do business to prove you are in compliance. For more details, see the PCI Quick Reference Guide.
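The Assess step is mostly a matter of finding where cardholder data actually lives, and a text search is often how a small business discovers that a debug log or an export has been quietly capturing card numbers. The following is an added example, written for this page rather than taken from the PCI SSC, the article or any vendor: a small discovery scan that looks for candidate primary account numbers (PANs), keeps only those that pass the Luhn check all card numbers satisfy, reports them masked so the report does not become a new store of card data, and flags field labels that suggest sensitive authentication data is being logged. The sample log and its field names are constructed for the example; the card numbers in it are the card brands' published test numbers, not real accounts.

```python
"""Cardholder-data discovery for the "Assess" step (added example).

Scans text such as application logs, database exports or support tickets for
candidate PANs, keeps only Luhn-valid ones, and reports them masked. It also
flags lines that appear to hold sensitive authentication data (CVV/CVC, PIN,
track data), which PCI DSS forbids storing after authorization even encrypted.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, not part
# of a longer digit run (so a 20-digit reference number is not a candidate).
# Greedy matching means two adjacent numeric fields can be glued together;
# the Luhn check below rejects almost all such accidental runs.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field labels (assumed names) under which sensitive authentication data
# commonly ends up in logs.
SAD_LABEL = re.compile(r"\b(?:cvv2?|cvc2?|cid|track[12]|pin)\s*[=:]", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS lets a display
    show without a documented business need; everything between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, masked_pan) for every Luhn-valid PAN candidate."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


def find_sad_labels(text: str) -> List[int]:
    """Return line numbers whose field labels suggest stored authentication data."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if SAD_LABEL.search(line)]


# Constructed sample log. The card numbers are the card brands' published
# test numbers; 4111...1112 is there to fail the Luhn check on purpose, and
# the 14-digit order number shows that not every long digit run is a PAN.
SAMPLE_LOG = """\
2024-03-01T10:15:02 order=20240115123456 status=approved amount=42.00
2024-03-01T10:15:02 DEBUG raw_request card=4111111111111111 exp=12/26
2024-03-01T10:16:40 DEBUG raw_request card=5555 5555 5555 4444 exp=01/27
2024-03-01T10:17:01 DEBUG raw_request card=4111111111111112 exp=12/26
2024-03-01T10:18:22 DEBUG raw_request card=378282246310005 cvv=1234
"""

if __name__ == "__main__":
    for lineno, masked in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: stored PAN {masked}")
    for lineno in find_sad_labels(SAMPLE_LOG):
        print(f"line {lineno}: sensitive authentication data label present")
```

Run against the sample, the scan reports masked PANs on lines 2, 3 and 5 and a CVV label on line 5, while the order number on line 1 and the mistyped number on line 4 are correctly ignored. A hit in a log file is a remediation item in its own right: the fix is to stop the application writing the field, not merely to delete the file. A scan like this is a starting point for the inventory, not proof that no card data is stored, since it cannot see encrypted or binary files.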
You may want to consider partnering with a Qualified Security Assessor (QSA) to help your company meet and maintain PCI compliance. A QSA is a company qualified by the PCI Security Standards Council (PCI SSC) to perform PCI DSS assessments and guide businesses through the compliance process. Many reputable payment processors provide PCI compliance assistance through a QSA. A PCI assistance program takes the guesswork and much of the technical know-how out of the process for those of us who are not technology, payments or PCI experts, and helps you maintain compliance year-round. Some programs even include breach-cost coverage to help protect your business in the event of a data breach.
If your payment processor does not offer this service, or you would like additional options, the PCI SSC publishes a complete list of QSAs. Remember that PCI compliance is an ongoing process, not a one-time fix. Work closely with your payment processor to make sure your business is positioned to maintain PCI compliance at all times, even as the standard and the card brands' requirements change.