A common misconception among small businesses is that they are too small to have to worry about PCI compliance. This couldn't be further from the truth. If you accept payment cards, whether online or in person, you are required to be PCI compliant, and a business that is not can face steep fines.
You are solely responsible for securing your customer cardholder data to meet Payment Card Industry rules.
Small merchants are prime targets for data thieves; in fact, they are some of the biggest targets because they are the easiest targets. It's your job to protect cardholder data at the point of sale. If cardholder data is stolen and it's your fault, you could incur fines and penalties, even termination of the right to accept payment cards, which could be catastrophic for your business.
Why Does PCI Compliance Matter for a Small Business?
According to the PCI Security Standards website, more than 340 million records containing sensitive personal information have been involved in security breaches in the U.S. since 2005. Criminals target small merchants because most have minimal security for cardholder data; the same site reports that more than 80% of attacks target small merchants.
If you are at fault for a cardholder data breach, your small business can face:
- Fines and penalties
- Loss of the ability to accept payment cards
- Cost of reissuing new payment cards
- Legal costs
- Fraud losses
- Loss of the business
What to Secure
Focus first on protecting the cardholder data under your control.
You are responsible for protecting cardholder data at the point of sale and as it flows into your payment system. The single best step you can take is to not store cardholder data at all: data you never keep cannot be stolen from you.
PCI compliance includes protecting:
- Card readers
- Point of sale systems
- Store networks & wireless access routers
- Payment card data storage and transmission
- Payment card data stored in paper-based records
Small Businesses May Evaluate with a Self-Assessment Questionnaire
Most small merchants can validate their own compliance with a Self-Assessment Questionnaire (SAQ), a short list of yes-or-no questions about how you handle cardholder data. There are several SAQ versions, and which one applies depends on how you accept cards (for example, whether your website hands the whole payment page off to a processor or handles card data itself); your acquiring bank or payment processor can tell you which one to use. The questionnaires are available on the PCI Security Standards website.
How to Meet the PCI Security Standards
The PCI Security Standards website is an invaluable resource for small businesses working to be PCI compliant. Its suggestions include:
- Buy and use only PCI-approved PIN entry devices at your points of sale (the approved device list is on the PCI Security Standards website).
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data on computers or on paper. The full card number should not be kept after authorization unless you have a business need for it, and the security code, PIN and magnetic-stripe data must never be stored.
- Use a firewall on your network and PCs, and keep the network your card readers and POS systems use separate from guest Wi-Fi and general office use.
- Make sure your wireless router is password-protected and uses current encryption (WPA2 or WPA3; the old WEP scheme is not permitted under PCI DSS).
- Use strong passwords, and change every vendor-supplied default password on routers, POS systems and card readers before putting them into use.
- Regularly inspect PIN entry devices and PCs to make sure no one has installed rogue software or "skimming" devices; record each device's make, model and serial number so a swapped device is noticed.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI standard's ongoing 3-step process (below).
PCI Compliance: Ongoing 3-step process
Compliance is not a one-time project. The PCI Security Standards Council describes it as a continuous cycle of three steps:
- Assess: identify where cardholder data lives in your business, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities.
- Remediate: fix the vulnerabilities you found, and stop storing cardholder data unless you genuinely need it.
- Report: compile and submit the required reports (the completed SAQ and, where required, scan results) to the acquiring bank and card brands you do business with.
The bottom line is that PCI compliance DOES MATTER no matter what the size of your business. We understand that it can seem cumbersome for small businesses, but that's no reason to put it off or ignore it. The livelihood of your business may be at stake if you suffer a data breach.
The Novera Payment Solutions team works with small businesses to help alleviate the burden of meeting the PCI compliance standards. Our PIN entry devices and POS systems are PCI-validated, so that part of the checklist is taken care of; the processes around them are still yours to secure, and we can assist you with the PCI compliance self-assessment and answer any questions you might have.
Don't take the risk. Find out if you are PCI compliant TODAY, and let us help you take the necessary steps to get there if you are not.