One of the biggest challenges facing small businesses is responsible, secure handling of customer data and payment transactions.
Proper handling is a business requirement, and if efforts fall short, you run the risk of exposing private information should your payment systems be breached by online criminals.
To help businesses reduce risks around data protection and security, the payments industry established the Payment Card Industry Security Standards Council (also known as PCI SSC or the PCI Council) and the Payment Card Industry Data Security Standard (PCI DSS).
Here's what you need to know about PCI DSS compliance.
PCI DSS compliance is the process of adhering to certain security standards to protect customer information and mitigate the risk of fraud and data breaches. These PCI compliance standards help businesses safely handle credit card transactions and keep financial information secure.
Merchants must adhere to 12 PCI DSS requirements to meet PCI security standards, including:
Install and maintain a firewall configuration, with router standards that define which traffic is allowed into and out of the cardholder data environment. Firewall and router rule sets should be reviewed at least every six months to catch faulty or stale access rules, which can expose cardholder data.
Do not use vendor-supplied defaults: change default passwords and accounts on every system. Also maintain an inventory of all in-scope systems, together with documented hardening and configuration procedures. These procedures need to be followed every time a new system is introduced to the IT infrastructure.
This is often considered the most important requirement: protect stored cardholder data. Store only the cardholder data you have a business need for, and render the primary account number (PAN) unreadable wherever it is stored, using strong, industry-accepted cryptography, truncation or tokenization. Sensitive authentication data such as the card verification code and full magnetic-stripe data must never be stored after authorization. When a PAN is displayed, mask it so that at most the first six and last four digits are visible.
Encrypt cardholder data when it is transmitted over open or public networks, such as the Internet, wireless networks (including Bluetooth) or mobile networks such as GSM. You must also know where you are sending card data and where you are receiving it from.
Use only secure versions of transmission protocols, for example current Transport Layer Security (TLS) rather than SSL or early TLS, and Secure Shell (SSH) for administrative access; this prevents data from being read or altered in transit.
All equipment commonly affected by malware, including the workstations, laptops, and mobile devices employees use to access the system both locally and remotely, must run anti-virus or anti-malware software that is kept current and actively running.
Develop and maintain secure systems and applications: apply vendor security patches promptly (critical patches within one month of release) to identify and close vulnerabilities in a timely manner. This applies to all systems in the cardholder data environment, including:
Restrict access to cardholder data by business need to know. Define which roles genuinely require access, grant each user (employees and third parties alike) only the privileges their job needs, and review and revoke permissions as roles change.
Assign a unique ID and strong authentication to each authorized user, and never share accounts; remote access into the cardholder data environment also requires multi-factor authentication. This makes every action traceable to an individual, which is essential for accountability and for investigating an incident such as a data breach.
As part of the PCI data security standards, physical access to cardholder data must also be restricted: paper records and media containing cardholder data must be kept in a secure location, such as a locked room or storage area with restricted, logged access, and securely destroyed when no longer needed.
Each time cardholder data is accessed, the event should be logged with enough detail (user, date and time, event type, success or failure, and the data affected) to reconstruct what happened. Logs should be reviewed at least daily to spot anomalies or threats, and the logs themselves must never contain full PANs or sensitive authentication data.
Regularly test security systems and processes: run internal and external vulnerability scans at least quarterly and after significant changes, and perform penetration testing at least annually, to find weaknesses in your processes and systems.
Maintain updated documentation of all policies, procedures, access logs, systems, and software involved in these PCI DSS compliance requirements. A PCI audit or assessment, for example, will check for documentation such as employee manuals, policies and procedures, vendor agreements, and incident response plans.
There are four different PCI compliance levels, each with its own requirements. Your PCI merchant level will largely depend on the volume of credit card transactions your business processes each year.
The four PCI DSS merchant levels include:
PCI level 1 applies to merchants that process more than 6 million Visa or Mastercard transactions, or more than 2.5 million American Express transactions, in a 12-month period. A card brand can also place a merchant that has suffered a data breach at level 1 regardless of volume.
Level 1 merchants must complete an annual onsite assessment by a Qualified Security Assessor (QSA) or a qualified internal assessor, documented in a Report on Compliance (ROC), plus quarterly external network scans by an Approved Scanning Vendor (ASV) and an Attestation of Compliance (AOC) form.
PCI level 2 applies to merchants that process 1 million to 6 million card transactions each year.
PCI DSS level 2 requirements include: completing an annual self-assessment questionnaire (SAQ), a quarterly network scan by an ASV, and an AOC form.
PCI level 3 applies to merchants that process 20,000 to 1 million e-commerce transactions each year.
PCI level 3 requirements are the same as those for level 2: completing an annual SAQ, a quarterly network scan by an ASV, and an AOC form.
PCI level 4 applies to merchants that process fewer than 20,000 e-commerce transactions each year, and to all other merchants processing up to 1 million total transactions each year.
PCI compliance level 4 requirements are the same as those for levels 2 and 3: completing an annual SAQ, a quarterly network scan by an ASV, and an AOC form. Exactly how level 4 merchants must validate compliance is set by their acquiring bank.
PCI compliance offers many benefits to businesses that process credit card transactions. The biggest advantages of PCI compliance include:
Ready to start making your small business more secure today? Use these six tips to increase security.
Partnering with PayPal can help businesses maintain PCI compliance and enhance data security. In fact, if you use PayPal to process card payments, your customers' sensitive card data never reaches your company's servers, which keeps those servers out of the cardholder data environment and reduces the scope of your PCI DSS obligations (for example, allowing a shorter self-assessment questionnaire).