News of yet another massive data breach pops up every day, it seems, but it's not only large companies that are at risk. Half of U.S. small businesses have been victims of a cyberattack, according to the National Small Business Association.
If your business accepts credit cards, whether in-person, over the phone, or online, protecting customer information should be part of your regular routine. The PCI Data Security Standard applies to businesses that accept payment information from credit or debit cards. No matter how small your business is, you are responsible for protecting customer information. You have probably already agreed to follow PCI DSS without even realizing it—when you signed a merchant agreement with your bank, for example.
PCI compliance isn't mandated by federal law, although some states, such as Minnesota and Nevada, have adopted it. Compliance is, however, required by the five major credit card brands that created the standard: American Express, Discover Financial Services, MasterCard, JCB International, and Visa.
If your company suffers a data breach and is found to be noncompliant with PCI, you could incur fines steep enough to put you out of business. Even if the fines didn't cripple you, your company could be prohibited from accepting credit cards from those brands going forward.
Follow these five steps to help your business become PCI compliant:
1. Take the PCI DSS Self-Assessment Questionnaire
What you have to do to meet PCI compliance depends on the volume of credit card transactions your company processes. Most small businesses fall into the Level 4 category of the PCI standard—processing fewer than 20,000 Visa e-commerce and 1 million other transactions per year. To demonstrate PCI compliance, merchants in this level are required to take a PCI Self-Assessment Questionnaire, which asks "yes" or "no" questions about your company's data security. Some companies are also required to have an approved security vendor conduct quarterly vulnerability scans.
2. Stop Storing Verification Codes
While companies are allowed to store, and are expected to protect, basic cardholder data, such as the customer's name and account number, they are not allowed to store CVV data, the three- or four-digit number often located on the back of a card. Companies frequently ask customers for their CVV code to help reduce fraud. Processing this information during a transaction is fine, but PCI does not allow you to store it anywhere on your system, even if it is encrypted or kept in a locked file cabinet.
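An added example, not part of the original article: a short Python audit that walks stored order records and flags any verification code kept after the transaction, whether in a dedicated field or typed into free text, along with full card numbers that need protection. The field names, finding labels and sample records are assumptions constructed for illustration.

```python
import re

# Assumed names for fields that hold a card verification code.
CVV_FIELD = re.compile(r"^(cvv2?|cvc2?|cid|csc|security_code)$", re.I)
# Verification code written into free text, e.g. "cvv: 123" in a notes field.
CVV_TEXT = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\b\W{0,3}\d{3,4}\b", re.I)
# 13-19 digits, optionally grouped with spaces or dashes.
PAN_TEXT = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def leaves(obj, path="", key=""):
    """Yield (path, field name, value) for every non-empty scalar in nested data."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from leaves(v, f"{path}/{k}", str(k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from leaves(v, f"{path}/{i}", key)
    elif obj not in (None, ""):
        yield path, key, str(obj)

def audit(record):
    """Return sorted (path, finding) pairs for one stored record."""
    found = set()
    for path, key, text in leaves(record):
        if CVV_FIELD.match(key):
            # Any stored value counts, encrypted or not.
            found.add((path, "CVV_STORED"))
        if CVV_TEXT.search(text):
            found.add((path, "CVV_IN_TEXT"))
        for m in PAN_TEXT.finditer(text):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                found.add((path, "CARD_NUMBER"))  # storable, but must be protected
    return sorted(found)

# Constructed sample records (4111 1111 1111 1111 is a widely used test number).
SAMPLE = [
    {"order": 1001, "name": "A. Customer", "card": {"pan": "4111 1111 1111 1111", "cvv": "123"}},
    {"order": 1002, "notes": "phone order, cvv: 4321", "card": {"last4": "1111"}},
    {"order": 1003, "card": {"cvv": "", "token": "tok_constructed"}, "phone": "5551234567"},
]
```

Run `audit()` over exports from each place card data might land (order database, CRM notes, application logs); a `CVV_STORED` or `CVV_IN_TEXT` finding means the value has to be purged and the process that wrote it changed.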
3. Separate Your Network
The amount of work you have to do to achieve PCI compliance depends on one small but powerful word: scope. PCI only applies to the servers, network devices, and applications in your company that process, store, or transmit cardholder data. These are considered "in scope." By separating them from the rest of your company's systems, like the network employees use to access the Internet, you reduce the risk of your customers' credit card data being hacked. You also reduce the scope of your PCI procedures, which means you'll spend less time and money locking everything down.
4. Use Firewalls
One best practice for separating your network is to use a firewall, which sits between your sensitive data and everything else, limiting access and blocking potential threats. Firewalls are required by PCI DSS and are often a company's first line of defense. According to Verizon's 2015 PCI Compliance Report, however, 73 percent of companies that suffered a data breach had not met all the PCI controls for maintaining effective firewalls.
5. Educate Your Employees
You can invest thousands of dollars in the latest information security gadgets and systems, but if your employees don't know how to protect credit card information, you will have wasted your money. Start talking to your employees about how you expect them to protect customer information and credit card data. Whether you train them in groups or sit down one-on-one and run through your expectations, make sure they know your policies on data security and how their failure to comply with PCI standards could devastate your business.
Protecting customer information is a big job. Luckily, the PCI Security Standards Council has published a number of resources to help small businesses understand exactly what they must do to protect customer information.