As a small business owner who accepts credit cards, you may have heard of PCI compliance. But if you’re like most, it’s probably not something you’re overly familiar with in any detail. In fact, you may only know it as a fee on your merchant account statement – denoted as either, “PCI Compliance” or “PCI Non-Compliance”. Beyond that, it’s anyone’s guess!
If that scenario resonates with you, then this post is for you, too.
The Overview
Let’s explore the basics of PCI DSS compliance: what it is, why it’s important, and the obligations it creates for your business. After reading this, you should feel equipped to take PCI compliance into your own hands to protect your business from fraud and data breaches.
What is PCI Compliance?
Before we get too far into this, what is PCI DSS? PCI DSS stands for the Payment Card Industry Data Security Standards. These are regulations set by the Payment Card Industry Security Standards Council (PCI SSC), a global forum that meets to develop standards and resources to ensure payments are kept safe worldwide. (Source: https://www.pcisecuritystandards.org/about_us/)
Safe payments are in everyone’s interest.
Why do you need to know this?
According to Merchant Maverick, “the biggest threat to small businesses is complacency”. Most small business owners believe they’re too small to be hacked or don’t have the information that these fraudsters would want. Unfortunately, this couldn’t be further from the truth.
A data breach can cost a business a small fortune to fully recover from, and many of them are unable to do so. This is why it’s essential to reduce your liability and ensure your business is compliant with the latest standards.
A few common sources of loss for the business victimized by a breach include:
- Lost confidence (customers shop elsewhere) and diminished sales
- The cost of reissuing new payment cards to each impacted cardholder
- Fraud losses due to illegitimate transactions
- Higher subsequent costs of compliance (much like the increase in your car insurance after an accident)
- Legal costs, settlements, and judgments
- Fines and penalties from the customer banks and card brands (Visa, MasterCard, and Discover to name a few)
- Termination of the ability to accept payment cards moving forward
In the current business environment, more small businesses are turning to eCommerce and over-the-phone payments, which increases the exposure and risk of fraud.
While this sounds daunting, there are many steps you can take to protect your business from these worst-case-scenario situations.
What are fraudsters after?
The above photo showcases a sample payment card. All red arrows point to sensitive cardholder data that a fraudster can use to impersonate the cardholder and fraudulently purchase something or steal their identity.
Some important notes: All of the information on the back of the card (including the CID on the front of an AMEX card) is restricted: this data may never be stored under any circumstance.
Any other cardholder data should be encrypted and stored only with a strong business case. We’ll get into more on this later.
So, if your business accepts credit cards, these standards apply to you.
How to make sure you’re compliant
Note: This article will go through the most basic requirements for a typical [Salon/Tattoo/Spa/Groomer] card-present (in-person) small business environment (under 20,000 annual transactions) with a simple set up. This information is subject to change. For details on your specific situation, please schedule a time with your credit card processor to walk you through your unique situation – it’s worth the time.
An easy way to think through PCI Compliance is to walk through your business and imagine you were looking to steal information – where would you look? Where does this data touch?
Some examples given by the PCI SCC include:
- A compromised card reader
- Unencrypted data in a POS System
- A camera recording of the cash register
- A tap into your wireless or wired network
- Paper records that are stored in a filing cabinet
- An unsecured eCommerce website
When you think through what data the fraudster would want and where they would look to find it, the idea of PCI Compliance (securing this data) becomes a bit less daunting – the only goal: secure any data access points.
Step 1 to PCI Compliance: Secure your Payments System
One of the best ways to greatly minimize your exposure is to process with an integrated PCI Compliant processing provider. They ensure that the data that touches your POS system and card readers are encrypted and secure.
As an example for our family of small [Salon/Spa/Tattoo/Grooming] businesses, CardConnect is a PCI DSS Level 1 Certified Gateway that integrates directly with your system and allows conveniences like card-on-file (recurring billing) without the fear of improperly storing data.
Step 2 to PCI Compliance: Train your Staff on Best Practices
Once your system is secured, the major source of liability becomes internal.
Limit the staff who has access to card data to the minimum – only those who need it to perform essential job functions should have access. Those who do have access should know:
- How to create strong passwords (at least > 7 alpha-numeric characters)
- Never to share passwords or create group accounts
- Immediately removing access for terminated employees
- Locking all filing cabinets that contain sensitive data
- Regularly reviewing equipment for evidence of tampering
- Ensure your internet setup is protected with a firewall and devices have an antivirus installed and kept up to date
- Creating a security and privacy policy
Step 3 to PCI Compliance: Annual SAQ (Self-Assessment Questionnaire)
These standards, even if they are met, are not valid until you’ve completed an SAQ. To stay in compliance, this questionnaire needs to be completed each year. Your payment processor should be able to walk you through any parts that you find gray or tricky.
A standard SAQ can be found at pcisecuritystandards.org/pci_security/completing_self_assessment
Once your survey is completed truthfully with all “Yes” or “N/A”, send it to your processor to certify your compliance.
Step 4: Set a Reminder
Remember, this needs to be completed each year, so set a reminder for yourself for the same time next year to re-certify your business.
Final Thoughts
PCI Compliance is a necessary but often daunting or confusing situation for small business owners. We hope you found this guide useful but would love to help further if you still have questions.
If you’d like to discuss setting up a PCI compliant integrated system, or just have questions on this article, please call our sales team!