Across the globe, the top priority for small and medium businesses is cybersecurity. With information security breaches increasingly prevalent, business owners are responsible, and are often held accountable, for protecting themselves, their employees and their customers.
There is a lot to keep up with in an ever-developing cybersecurity landscape, but as an SME, the one thing that you should always prioritise is your PCI compliance.
65% of small businesses are unable to meet the minimum PCI security standards, and you don’t want to be one of them. Read below to learn why PCI compliance is important and how you can help your business stay compliant.
What Is PCI Compliance?
PCI DSS stands for “The Payment Card Industry Data Security Standard.” Essentially, this is a set of protocols and security standards put in place to make sure that during every transaction sellers are safely accepting, processing, transmitting, and storing consumers’ credit card information.
PCI DSS details how cardholder data can be safely handled, and consequently this standard is not simply a set of recommendations or general guidelines. Any business that has a merchant ID and accepts payments via credit card has to be compliant with the security standards.
Failure to comply can see you face hefty fines and accusations of potential data breaches. Certain credit card brands could fine you anywhere from $5,000 to $100,000 per month, potentially resulting in your bank terminating contracts or significantly increasing transaction fees to mitigate the risks.
The PCI standards are applicable to everything – from your internal practices to the technology you use, and include the following:
- Point of sale (PoS) systems
- Card readers
- Online networks and wireless routers
- Payment card data storage tools, including those in paper-based records
- Online shopping carts and payment applications
How to Stay PCI Compliant
Because technology evolves so quickly, PCI compliance regulations are updated as needed. You can find the full list of detailed regulations here. Below we list the key steps you need to follow in order to stay compliant.
Install a Firewall to Protect Data
Firewalls essentially control, administer and manage the cyber perimeter of your business by monitoring and controlling inbound and outbound access. This can help keep threats from getting onto your network and accessing secure data (i.e. cardholder data).
Firewalls are a solid first defense that all small businesses should be using. However, don’t just rely on the basic standard firewall built into your router; get an additional, dedicated top-rated firewall to protect your business.
Never Use Default Passwords
All of your employees should be using secure, custom passwords for every log-in. These passwords should be a mix of upper- and lower-case letters, symbols, and numbers, and should be almost impossible to guess.
Never use the default passwords that vendors supply for their sites or products; update them immediately.
Always Encrypt Cardholder Data
Whilst intimidating, encryption can be simple with the right utilities and is exceptionally important to protect the data your business is storing. Encryption works by scrambling the data, making it unreadable by anyone but those who have permission to view it.
Encryption can be employed to mitigate against remote and even physical breaches, offering an additional layer of security on a laptop in case it gets stolen or the office is broken into.
Restrict All Access to Cardholder Data
Cardholder data should not be stored in a database that all employees have easy access to. Cardholder data should be available on a need-to-know basis only, and there’s very little reason why the majority of your employees should need to manually access cardholder data.
For such data, you should ensure that physical and digital access is extremely restricted and controlled, and that secure remote access is prioritised if needed.
In addition to firewalls, use anti-virus software that protects against viruses and malware that can corrupt or steal any of your data. After all, if an employee clicks on a rogue link in an innocuous email, this may trigger the installation of a virus or malware. Such emails are looking increasingly convincing.
Many different types of antivirus software are available, but it’s important that businesses choose an option that’s designed for commercial or business use.
Train Your Staff
60% of data breaches are caused by employees and corporate partners. In many of these cases, the breach is accidental rather than malicious. With comprehensive training, this can be avoided, and your risk can even decrease significantly.
Your entire staff needs to be trained in, and held responsible for, online security and customer data. This can include limiting your employees to only using secured public networks if working remotely, or requiring your employees to change their passwords every six months.
You should have an internal security policy, which is updated as needed, and make sure everyone is clear on what it entails.
PCI DSS is not a legal requirement in UK law, but the resulting losses you could experience – such as loss of customer trust and damage to your business’ reputation – make it prudent for all small businesses to follow the security standards. Whilst the standards won’t guarantee that you will not experience a data security breach, the standards will certainly help.
Take due care to follow the protocols outlined in the guidelines, and if you have any doubt about the security status or risk of your business, you can always consult an expert.