Keeping your business PCI compliant
There is a lot to keep up with in an ever-developing cyber security landscape, but as an SME, the one thing you should always prioritise is your PCI compliance. 65% of small businesses are unable to meet the minimum PCI security standards, and you don't want to be one of them. Read below to learn about PCI best practices and how to keep your business PCI compliant.
If your business is not PCI compliant, you may face penalties as well as exposing your business to risk. While attaining PCI compliance can seem like a lengthy procedure, with the right knowledge it needn't be difficult.
What is PCI compliance?
Cybersecurity is a top priority for small and medium businesses across the globe. With information security breaches increasingly prevalent, business owners have a responsibility, and are often held accountable, for protecting themselves, their employees and their customers.
The Payment Card Industry Data Security Standard, usually abbreviated to PCI DSS (or PCI-DSS), is a set of security requirements maintained by the PCI Security Standards Council, which was founded by the major card brands. The requirements exist to make sure that merchants safely accept, process, transmit and store cardholder data (the card number, expiry date and related details) during every transaction.
PCI DSS details how cardholder data must be handled, so it is not merely a set of recommendations. Any business that has a merchant ID and accepts card payments has to comply with the standard; strictly, it applies to any organisation that stores, processes or transmits cardholder data, including service providers that handle it on a merchant's behalf.
Failure to comply can see you face hefty fines and, if a breach occurs, liability for the resulting losses. Although rare, certain card brands could penalise you anywhere from £5,000 to £100,000 per month. Non-compliance may also lead your acquiring bank to terminate its contract with you or to significantly increase your transaction fees to offset the risk.
The PCI standards apply to everything – from your internal practices to the technology you use, and include the following:
- Point of sale systems (PoS)
- Card readers
- Online shopping carts and payment applications
- Credit card data storage, including paper-based records
- Online networks and wireless routers
Benefits of PCI DSS compliance
The primary reason to achieve PCI compliance is the protection it gives your business and your customers. Following the standard helps you build a secure network and keep it secure, and it keeps cardholder data protected; without it, you put your customers' privacy at risk, and customers are unlikely to keep shopping with a company that is not doing everything it can to make shopping secure.
Compliance also keeps your business running safely, which makes you a trustworthy merchant and keeps your company's reputation intact. It also saves your business from hefty penalties, which would otherwise mean a loss for your business.
If you do not understand the PCI compliance process, several companies can help you attain it. Ask for that help rather than ignoring the issue: non-compliance can cost your small business dearly, and recovering from a data breach is not easy. Getting your company compliant with the PCI DSS standards is therefore exceptionally important.
Best practices for PCI DSS – How to stay PCI DSS compliant
Because technology evolves so quickly, PCI compliance regulations are updated as needed.
However, some best practices in the cyber security sphere form the components of PCI DSS compliance. Adhering to these principles will increase the likelihood of your business remaining PCI compliant.
Below are the key steps you need to follow to stay PCI compliant.
Install a firewall to protect data
Firewalls control the network perimeter of your business by monitoring and restricting inbound and outbound traffic. They help keep attackers from getting onto your network and reaching sensitive data such as cardholder data. The practical rule is to deny all traffic by default and permit only the specific connections your payment systems need, so that the systems holding cardholder data are separated from the rest of your network.
Firewalls are a solid first line of defence that all small businesses should be using. However, don't rely solely on the basic firewall built into your router; use an additional, dedicated business-grade firewall to protect your business, and review its rule set regularly (PCI DSS requires a review at least every six months) so that temporary exceptions don't become permanent holes.
Never use default passwords
All your employees should use strong, unique passwords for every login. These should mix upper- and lower-case letters, numbers and symbols, and be long enough to be practically impossible to guess.
Never keep the default passwords that vendors ship with their products or services: change them immediately, before the device or account is connected to your network. Default credentials are published in manuals and online, so an attacker who finds such a device needs no skill to get in.
Always encrypt cardholder data
While it may sound intimidating, encryption is simple with the right tools and is exceptionally important for protecting the data your business stores. Encryption scrambles the data so that it is unreadable to anyone who does not hold the key, which means who can read the data comes down to who can access the key: store keys separately from the encrypted data and restrict access to them.
Encryption mitigates both remote and physical breaches, offering an additional layer of security on a laptop, for example, in case it gets lost or stolen. Note that PCI DSS also limits what may be stored at all: sensitive authentication data such as the full magnetic stripe contents, the CVV/CVC code and the PIN must never be stored after authorisation, even in encrypted form.
Restrict all access to cardholder data
Cardholder data should not sit in a database that all employees can easily access. Make it available on a need-to-know basis only; there is very little reason why the majority of your employees would need to access cardholder data directly, and where a card number must be shown, display only part of it (PCI DSS permits at most the first six and last four digits) unless the person has a documented business need for the full number.
Keep both physical and digital access to such data tightly restricted and controlled, log who accesses it, and if remote access is needed, make sure it is secured (PCI DSS requires multi-factor authentication for remote access to the systems holding cardholder data) rather than left open.
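The encryption and access-restriction advice above is easier to act on with a concrete tool. The following Python script is an added example, not code from the original article, showing two routine PCI tasks for a small business: scanning an application log or data export for card numbers that should not be there (a 13- to 19-digit candidate that passes the Luhn check, which weeds out order numbers and timestamps that merely look like card numbers), and masking card numbers so that staff see only the first six and last four digits unless their role is allow-listed. The log lines are constructed for the example and use the card brands' published test numbers; the role name "chargeback-analyst" is a hypothetical placeholder.

```python
import re
from typing import List

# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Hypothetical role names for this example; a real system would take them from its IAM.
ROLES_WITH_FULL_PAN = {"chargeback-analyst"}


def luhn_valid(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812): card numbers issued by the brands pass it, so it
    filters out order numbers and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtract 9 if > 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the Luhn-valid PANs found in text, digits only. Internal helper:
    never write its output to a log or report, because that output is cardholder data."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Mask a PAN to the first six and last four digits, the most PCI DSS allows
    to be displayed to staff without a documented need to see the full number."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_report(text: str) -> List[str]:
    """What the scanner is safe to output: masked PANs only, so the report itself
    does not become another place where cardholder data is stored."""
    return [mask_pan(pan) for pan in find_pans(text)]


def view_pan(pan: str, role: str) -> str:
    """Need-to-know enforcement: the full PAN only for roles with a business need."""
    if role in ROLES_WITH_FULL_PAN:
        return pan
    return mask_pan(pan)


# Constructed sample of an application log that should never contain card numbers.
# The card numbers are the brands' published test numbers, not real accounts.
SAMPLE_LOG = """\
2024-03-01T10:02:11Z order=1700000000000 status=ok
2024-03-01T10:05:42Z DEBUG payment form: card=4111 1111 1111 1111 exp=12/26
2024-03-01T10:07:19Z ref=1234567890123456 note=customer callback
2024-03-01T10:09:03Z DEBUG retry card=5500000000000004 result=declined
"""

if __name__ == "__main__":
    for masked in scan_report(SAMPLE_LOG):
        print("cardholder data found in log:", masked)
    print(view_pan("4111111111111111", "support-agent"))       # masked
    print(view_pan("4111111111111111", "chargeback-analyst"))  # full PAN
```

Run against the sample, the scanner reports only the two real card numbers (the order number and the reference fail the Luhn check) and reports them masked, so the scan output can be attached to a ticket without itself becoming a store of cardholder data. A finding means the debug logging that wrote the number must be removed and the affected log files treated as cardholder data until they are securely deleted.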
Use antivirus software
In addition to a firewall, antivirus software helps protect against viruses and other malware that can corrupt or steal your data. If an employee clicks a rogue link in an innocuous-looking email, that click may trigger the installation of malware, and such emails are looking increasingly convincing.
Many antivirus products are available for both commercial and personal use. Businesses should choose an option designed for commercial use, keep it updating automatically and make sure ordinary users cannot disable it.
Train Your Staff
60% of data breaches are caused by employees and corporate partners. In many of these cases the intent is not malicious but accidental, yet the result is still a breach. Comprehensive training can prevent many of these incidents and significantly decrease your risk.
All of your staff need to be trained in, and held responsible for, online security and the handling of customer data. This can include requiring employees who work remotely to use only trusted networks or the company VPN rather than open public Wi-Fi, and requiring regular password changes (note that PCI DSS has set its own interval, 90 days under version 3.2.1, so check the current requirement rather than settling on six months).
You should have a written internal security policy, updated as needed, and make sure everyone is clear about what it entails.
What if your organisation isn’t PCI DSS compliant?
Every business that accepts card payments and has a merchant ID must comply with PCI DSS. Regardless of the size of your business, staying PCI compliant is crucial; without it, you are going to suffer in the long run.
Strict action can be taken against companies that are not PCI compliant. They can be fined through their acquiring bank. If a non-compliant organisation escapes scrutiny from its acquiring bank, any future data breach will reveal the lack of compliance and a formal investigation will follow. While a business will have the opportunity to become PCI compliant after the investigation, the reputational damage is already done, and the card brands' penalties are heavier for a business found non-compliant after a breach than for one that can show it was compliant at the time.
Penalties vary from card brand to card brand and from acquirer to acquirer. The figures quoted vary: fines of as little as 3,000 euros or as much as 60,000 are cited, and the monthly figures quoted earlier are higher still. Either way, a fine puts your business into loss and your company's reputation at stake.
PCI DSS is not a legal requirement under UK law; it is a contractual obligation under your agreement with your acquiring bank. Still, the losses you could suffer, such as loss of customer trust and damage to your business's reputation, make it prudent for all small businesses to follow the standard. The standard won't guarantee that you never experience a data breach, but it will certainly help.
Take due care to follow the practices outlined above to keep your business PCI compliant, and if you have any doubt about the security status or risk of your business, consult an expert.