PCI Compliance for Small Business

Emily Heaslip
April 11, 2022

PCI compliance applies to businesses of all sizes: in fact, the PCI Council sets compliance standards according to how many card-based transactions a business handles each year. The four merchant levels are:

  • Level one: businesses that process more than six million card-based transactions each year.
  • Level two: businesses that process one million to six million card-based transactions each year.
  • Level three: businesses that process 20,000 to one million card-based transactions a year.
  • Level four: businesses that process less than 20,000 card-based transactions per year, or less than 1,000,000 transactions annually from all sales channels (e.g., e-commerce and retail).

Small businesses usually fall under level four. If you’re not sure what level your business falls into, your point-of-sale (POS) reports may be able to tell you. 

PCI compliance is not only obligatory for any business that collects, transmits, or stores PCI data (e.g., credit card and cardholder data), but it’s also good for your customers. The cost of a data breach can put a main street merchant out of business in a matter of months. Therefore, PCI compliance is of paramount importance for small business owners. Here’s how to approach PCI DSS compliance at your venture.

Follow the 12 PCI DSS requirements

PCI DSS is relatively prescriptive in its security standards. There are twelve basic requirements that small businesses must meet. 

PaySimple has a useful checklist that helps merchants understand that, in order to be PCI compliant, they must do the following:

  1. Only process credit cards using a PCI Compliant Service Provider or PCI Approved Software. Most modern POS providers, like Square and Clover, are PCI compliant. 
  2. Never store the card security code (e.g., the three-digit number on the back of Visa/MasterCard/Discover cards, or the four-digit number on the front of American Express cards).
  3. Never store the magnetic track data from any card.
  4. Encrypt any and all electronic storage that keeps records of full credit and debit card numbers.
  5. Keep any paper documents containing full credit card numbers in a secure location (locked file drawer/safe) when not in use.
  6. Allow only employees who have a specific business need to have access to credit card numbers.
  7. Never share user IDs and passwords, and never create or share group user accounts.
  8. Use strong passwords (at least 7+ alphanumeric characters) for all system access.
  9. Immediately disable access for all terminated employees.
  10. Secure and regularly examine all POS swipe devices for signs of tampering.
  11. Secure all your business computers by installing and activating personal firewalls and anti-virus/anti-malware software and disabling all generic or default user accounts and passwords.
  12. Create a security policy for your business that addresses all aspects of the PCI DSS. 

[Read more: The Basics of PCI Compliance: Merchant Levels and Requirements]

As your business grows, these requirements become more complex. For instance, merchants that process a higher volume of card transactions are subject to a quarterly scan of their systems. Some merchants may need to hire an outside vendor to assess their on-site security, too. 

PCI Compliance for small businesses

With these requirements in mind, there are three main steps that small business owners can take to become PCI compliant.

First, review how your business collects, transmits and stores cardholder data. Cardholder data is defined by the PCI Council as “the primary account number (PAN), [and] cardholder name and expiration date. The PAN is visible on the front of the card and encoded into the card’s magnetic stripe and/or the embedded chip.” 

Audit the cardholder data you currently collect, take stock of all your IT assets, and assess what processes are in place to securely transmit and store customer information. Analyze these elements of your business operations for any vulnerabilities that a hacker could exploit to steal cardholder data.

Next, take action to address those vulnerabilities. This includes adding a password to your WiFi router, upgrading the security on your e-commerce site, or moving away from storing cardholder data at all. Establishing a firewall is also a key requirement for PCI compliance — and the Council has a guide on PCI firewalls for small businesses. 

“Unless you’re using some kind of recurring billing system, there’s no need to keep cardholder data on file,” noted the US Chamber of Commerce. “Loyalty programs can be run simply through using someone’s email or transaction history, which doesn’t require storing PIN numbers and card numbers.”

Assess whether the steps you’ve taken are sufficient using the PCI Council’s Data Security Essentials Evaluation Tool. This will give you feedback on whether the measures you’ve taken protect your cardholder data to the best possible extent. 

Lastly, to officially become PCI compliant, you will need to submit your compliance reports to the bank or card brands with which you do business (e.g., Visa, MasterCard, American Express, or Discover). 

Tools to help with PCI compliance

Technology can help small businesses meet the twelve requirements of PCI DSS and maintain a secure payment environment. 

First, consider using a password manager to ensure you and your employees are using strong passwords. Password managers generate strong passwords automatically, containing random strings of numbers and letters for maximum security. In addition, use 2FA or MFA to control who can access your data. 

Likewise, make sure you have a firewall in place: it’s not only a best practice but part of the PCI requirements as your business grows. “A firewall is equipment or software that sits between your payment system and the Internet. It acts as a barrier to keep traffic out of your network and systems that you don’t want and didn’t authorize,” the PCI Council wrote in its guide for small businesses. “Firewalls are configured (in hardware, software, or both) with specific criteria to block or prevent unauthorized access to a network. Firewalls are often included in the router “box” provided by your Internet provider.” 

The PCI Council also recommends working with a Point-to-Point Encryption (P2PE) Solution. The Council provides a list of resources and approved vendors on its website, making it easy to find a third party who can help with your encryption needs. 

Finally, consider adding cloud data loss prevention to help monitor and maintain the integrity of your cloud programs — such as Google Workspace, AWS, and Slack. Nightfall can help you first discover and classify sensitive customer data like PII, PHI, and PCI that must be protected. Our platform uses machine learning detectors individually trained to identify a specific type of PII or customer data that is protected by PCI compliance regulations. For organizations using custom cloud applications, the Nightfall Developer Platform allows for users to embed our machine learning detectors, trained specifically to detect PCI data like credit card numbers, within any cloud platform.

Nightfall works by allowing teams to quickly remediate any data security issues by notifying admins and quarantining or deleting data. This reduces the risk of losing or exposing sensitive customer data and reinforces your commitment to protecting this information. 
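The audit step above (finding where full PANs are collected or stored) and the discovery-and-remediation workflow just described both come down to the same mechanics: scan stored records for candidate card numbers, confirm them with the Luhn check that every PAN satisfies, and redact anything found so only a truncated form remains. The following is an added illustration of that mechanics, not Nightfall’s code or the PCI Council’s tooling; the sample records are constructed for the example, and the two numbers that pass the check are the public test card numbers (4111… and 5500…), not real accounts.

```python
import re

# Constructed sample records (not real customer data) for the example.
# The first two contain public test card numbers that pass the Luhn check;
# the third holds a 16-digit value that does not, and should not be flagged.
SAMPLE_RECORDS = [
    "order 1042 customer=alice pan=4111111111111111 exp=12/26",
    "order 1043 customer=bob card: 5500-0000-0000-0004",
    "order 1044 customer=carol tracking=1234567890123456",
    "order 1045 customer=dave no card on file",
]

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not adjacent to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(match_text):
    return re.sub(r"[ -]", "", match_text)


def find_pans(text):
    """Return the digit-only form of every Luhn-valid PAN found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text):
    """Replace each detected PAN with asterisks plus its last four digits.

    Separators inside the original number are dropped along with the digits,
    so the masked form never reveals the full PAN or its grouping.
    """
    def _mask(m):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)   # not a PAN: leave untouched
    return PAN_CANDIDATE.sub(_mask, text)


def scan_records(records):
    """Return (index, masked_record) for every record containing a PAN."""
    hits = []
    for i, rec in enumerate(records):
        if find_pans(rec):
            hits.append((i, mask_pans(rec)))
    return hits


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {masked}")
```

Run against the constructed records, records 0 and 1 are flagged and returned in masked form, while the tracking number in record 2 is skipped because it fails the Luhn check. The Luhn filter is what keeps a scan like this from drowning in false positives on order numbers and shipment IDs; in practice a check against the card brands’ issuer prefixes would tighten it further.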

Learn how Nightfall can help achieve PCI DSS compliance by setting up a demo at the link below.
