12 PCI Security Basics to Protect your Business

PCI Security tips for small businesses

12 PCI Security Protections for Small Businesses

What PCI security protections should I implement at my business? Is my business at risk? Data breaches can happen at any time, and small businesses are a prime target: about half of all cyber breaches affect businesses with fewer than 1,000 employees. So don’t assume it couldn’t happen to your business!

The good news is you can follow these 12 PCI security tips and start protecting your business in no time!

PCI Security Tip 1: Use Strong Passwords

To protect your computer and card data, strong passwords are vital. Passwords keep your business and confidential information safe and secure.

Changing your password every three months helps keep your data safe even if someone finds an old, stored password. Each password should be unique and hard to guess: avoid predictable character combinations, common words, and names. Surprisingly, weak passwords make up about half of all passwords in use. Don’t fall victim and let hackers use this to their advantage. Instead of using 123456, use a phrase with numbers and symbols (like iLoVEp1zzA!).

Also, you must never share your password. Every employee should have their own distinct username and password that they keep secure, and to themselves!

PCI Security Tip 2: Protect your credit card data

Don’t let your credit card data get into the wrong hands! Card data should either be stored as securely as possible or destroyed. The PCI DSS requirements state that cardholder data should be retained only for legal, regulatory, or business purposes.

Don’t know what data is being stored? Be sure to ask your payment terminal vendor, service provider, or merchant bank. The merchant bank or processor should have the proper encryption and tokenization technologies in place to make the data useless if stolen.

If you don’t need to store the credit card data, the best practice is to destroy it, or to black out the card number with a marker so it is unreadable and keep the record in a locked drawer. To limit risk, accept payment details only by phone call, fax, or physical mail, never by email or text message.

PCI Security Tip 3: Inspect Payment Terminals

Skimming devices can steal your customers’ card data as it is entered into a payment terminal. Don’t let your customers fall victim to this! You and your staff should be well trained in how to spot a skimming device. Regularly check your terminals for signs of tampering, and if you find anything suspicious, stop using that terminal.

To ensure terminal protection, take pictures of all payment terminals, look for tampering signs, monitor customer use, keep an eye on terminal repairs, and immediately report suspicious activity to your vendor or bank.

PCI Security Tip 4: Use Trusted Partners

Your business regularly deals with many outside service providers, and it’s important to make sure these third parties are trustworthy. Keep a list of every payment terminal vendor, application or software provider, and ecommerce hosting platform that you use. These service providers all affect your ability to protect your customers’ privacy and credit card data, so it is important that they are PCI DSS compliant: their security directly affects the security of your business.

You should know who to call when you have any problems or questions. This includes your merchant bank, your service providers, and whoever sold you your devices and software. Keep their contact information somewhere that is easily accessible in case of an emergency.

PCI Security Tip 5: Install Patches from your Vendors

Patches are software and operating system updates that fix bugs and vulnerabilities. Software can easily contain flaws, and that is where hackers thrive, so security patches must be installed promptly to close those holes.

When your vendors and providers send you patch notices, you should read them thoroughly. Your vendors should update your terminals and systems when needed and install the patches as soon as possible.

PCI Security Tip 6: Protect in-house access to your card data

About 25% of data breaches involve internal actors, which is more often than most people think. A few security measures will help prevent an in-house breach.

Setting up an access control system with defined employee permissions is an important security step for managing new and existing employees. Configure your systems to grant access on a “business need-to-know” basis; most employees can do their jobs using only certain applications and functions. Beyond these employee security measures, you should also keep a log of all visitors who enter the facility, recording the time, their name, and the reason for their visit.


PCI Security Tip 7: Don't give hackers easy access to your systems

To reduce the risk of hackers getting into your systems, you need to know how your vendors access them. They may be leaving a door open that hackers can use to enter your business systems, which could create major vulnerabilities.

To find out, simply ask your vendors whether they use remote access to reach your business systems. Most remote access programs are always on, so asking your vendor to disable remote access when it is not needed will help reduce your risk of a breach.

PCI Security Tip 8: Use anti-virus software

Hackers write viruses and other malicious code specifically to break into systems and steal card data. To protect your systems from this malicious activity, you must install anti-virus software. This software is easy to install and can be set to update automatically when needed. You can also schedule regular full system scans to help detect any potential viruses across your entire system.

PCI Security Tip 9: Scan for Vulnerabilities

In today’s digital age, new vulnerabilities and bugs are discovered every day; they are inevitable. This is why your anti-virus software should be kept current and your internet-facing systems should be tested on a regular basis. Payment systems in particular are the most exposed.

A PCI Approved Scanning Vendor (ASV) provides tools that automatically identify misconfigurations in your internet-facing systems. Every scanning vendor is different, so it is important to find the right one for your business!

PCI Security Tip 10: Use Secure Payment Terminals

One way to ensure better protection for your business is to use secure payment terminals installed by experienced professionals. The PCI Council approves payment terminals that protect PIN data, and its List of PCI Approved PTS Devices lays out the payment equipment that provides the best security.

You must also be sure that the person installing your payment system has been properly trained. Any service provider you use should be PCI DSS compliant so that they can help you manage and process your transactions safely.

PCI Security Tip 11: Install a Firewall

The internet is a great resource, but it can also be a dangerous one if you’re not careful. It is the main avenue data thieves use to attack and steal your customers’ card data. Therefore, if your business is connected to the internet, anything used for card payments needs extra protection.

This protection is best implemented with a firewall. A firewall is software that sits between the internet and your payment system and acts as a gatekeeper, keeping hackers and dangerous traffic away from your payment systems, your e-commerce website, and your card data.

PCI Security Tip 12: Make your data useless

Your data is vulnerable, and the best way to prevent criminals from using it is to encrypt it or destroy it completely. Work with your payment vendor or provider to encrypt all card data that will be stored or transmitted. That way you can sleep well at night knowing that your card data stays safe and secure even if a criminal gets their hands on it.


Ellie Hewitt
