There are millions of small business merchants in the U.S., and while every small business that accepts credit cards has to comply with the Payment Card Industry Data Security Standard (PCI DSS), many do not.
The problem for small business owners is that when it comes to protecting cardholder data, they’re held to the same standard as bigger businesses, even if they don’t have anywhere near the same resources. PCI DSS is a set of rules created and enforced by the credit card industry to make sure all merchants who accept credit cards take the necessary steps to protect cardholder information.
Failure to meet the PCI compliance requirements can result in pretty draconian measures, including substantial fines and the withdrawal of your merchant status, which means you won’t be able to accept credit cards any more. For most businesses, especially online businesses, this could be catastrophic. And if your business is the victim of a data breach, it could also mean costly and complex supervision by a third-party auditor.
So why has PCI compliance been such a challenge for smaller firms?
- Most small business owners are focused on making the next sale or meeting next month’s payroll. They feel they don’t have enough time to devote to PCI, don’t think they need to, or may not even be aware of what PCI is.
- PCI scares some business owners because they think it’s costly and complicated. In reality, PCI compliance for small businesses can often be achieved with a self-assessment questionnaire and an affordable website scanning service.
- PCI is almost always on the to-do list, along with the other important security measures small business owners should be taking but often don’t.
Compliance doesn’t have to be difficult or expensive:
- Engage, don’t avoid. PCI is actually a good thing because it creates a very clear road map towards better security, and is based on years of experience and billions of credit card transactions. Consider it free consultancy. If done right, PCI not only helps protect your business and customers, it also helps you avoid the wrath of a PCI auditor.
- Make PCI a business-wide culture. Most security incidents and data breaches result from the failure of the weakest link. The same goes for PCI. It will only work if all your employees, and even some of your partners, understand what it is and how they must help.
- Write it down and use it like a checklist. PCI for the small business actually comes in the form of a checklist. Copy it, turn it into something you and your employees can most easily use, then use it as your own security road map.
- Remember paper records, too. Studies have shown that nearly one in every five data breaches involves paper records. So if you keep any paper copies of credit card transactions, don’t forget that PCI applies to them, too.
- Read the self-assessment questionnaires many times. Think of it like studying for a boring but necessary test. Take some time out when you have no distractions, and settle in for a nice read. It’s not complicated, and you’ll probably find that PCI compliance is about common sense and not complex rules.
- Always use a good compliance partner, like SiteLock, to make sure that your website is secure and that you achieve and maintain compliance. And a partner that specializes in and understands the small business is always the better option.
Make sure your website is PCI compliant. SiteLock is available 24/7/365 to help you meet PCI standards. Give our security experts a call at 877.378.6200 today.