Any business that processes, stores or transmits credit card information must become Payment Card Industry, or PCI compliant. The purpose is to make sure that sensitive credit card information stays secure to prevent access by unauthorized individuals who may misuse it.
As a small business owner, you’ve probably heard about credit card fraud affecting large retail chains, restaurants and hotels. You might think that can’t happen to merchants like you. It can and it frequently does.
Small and medium-sized businesses that process less than $20,000.00 a year in Visa or MasterCard e-commerce transactions, or up to $1,000,000.00 a year in other transactions, have the highest percentage of security breaches.
How does it happen?
Hackers are not the only threat. Breaches can occur through theft of computer equipment and files that contain prohibited data like full account and authentication numbers. Employees can cause breaches too, either maliciously or because of poor training and sloppy procedures.
Failure to become compliant could result in the loss of your reputation as a trusted merchant, steep fines and legal fees, and being denied access to credit card processing services. Even if you use a third-party processor that is already compliant, you are still responsible for the compliance of your own network.
How do I become compliant?
As found in the PCI DSS Quick Reference Guide, there are three important steps in the continuous process of becoming and staying PCI compliant.
1. Assessment
Evaluate how you process your payments, what if any information is stored and how it is accessed to identify potential vulnerabilities.
Become familiar with your network setup and security system. How you access your payment network, whether by phone, terminal or over the internet, will determine which Self Assessment Questionnaire you must fill out once a year.
2. Remediation
Fix any problems you find. For example, don’t store sensitive data. Make sure that only authorized employees have access to customer data and company passwords, on a “need to know” basis. Change all your hardware passwords from the factory defaults. Make sure you have a firewall in place and quality malware and virus protection, and that no one browses the internet over the same connection you use to process payments.
3. Reporting
Complete and attest to the Self Assessment Questionnaire for your merchant type. If required, run and pass your quarterly scans to stay compliant.
Educate your employees on the proper procedures for handling credit card transactions and customer information. Provide and maintain a written compliance policy for them to review and sign.
Need help?
It can seem like a daunting process, especially for a first time merchant with little or no tech experience. Contact us at Envoy Business Systems for payment solutions and PCI compliance help today.