PCI Compliance Guide for Small Businesses

Protect your credit card data by becoming PCI compliant at your business! In this guide, we will teach you the best practices and tips to obtain PCI compliance.

What is PCI Compliance?

PCI compliance means meeting the 12 security standards created by the PCI Security Standards Council to help small businesses protect customer credit card data. These 12 PCI security standards are enforced by the major card networks, including Visa, Mastercard, Discover, and American Express.

PCI Compliance for Small Businesses

Is your business PCI compliant? There are many reasons why you should obtain PCI compliance at your business. First and foremost, you want to avoid data breaches. 90% of data breaches happen to small businesses. Data breaches are a significant issue that causes irreparable harm to a business’s reputation and customer relations. When a small business is significantly affected, it leads to a large financial burden. Therefore, a single high-profile data breach will destroy your business and its reputation.

Secondly, it’s important to prioritize your customers. PCI compliance builds the right security to protect your customer data. Your customers expect you to have their best interest in mind when it comes to their financial security. Lastly, you will be penalized with a non-compliance fee by your merchant processor if you’re not compliant.

Your PCI Guide to Staying Compliant!


Below are the 12 PCI standards required for accepting credit cards:

  1. Install a firewall configuration
  2. Ensure secure password protection
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across public networks
  5. Regularly update anti-virus programs
  6. Develop and maintain secure applications
  7. Restrict access to cardholder data
  8. Assign unique IDs to each person
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Test systems regularly
  12. Maintain a consistent security policy for employees

A business that sells products or services online is categorized as an e-commerce merchant. This includes an e-commerce website, a shopping page, or a payment page. An e-commerce payment system includes the entire process in which a customer selects a product or service from your website and purchases it with a credit card. Your payment system can be entirely outsourced to a third party or managed exclusively by your business. A payment system outsourced to a third party is the safest option, because such providers are more likely to be PCI DSS validated.

What PCI security protections should I implement at my business? Is my business at risk? Data breaches can happen at any time, and small businesses are a prime target. About half of all cyber breaches impact businesses with fewer than 1,000 employees. So don’t think it couldn’t happen to your business!

The good news is you can follow these 12 PCI security tips and start protecting your business in no time!

PCI Compliance Tip 1: Use Strong Passwords

To protect your computer and card data, strong passwords are vital. Passwords keep your business and confidential information safe and secure.

Changing your password every three months helps ensure that your data is safe, even if someone finds an old, stored password. The password should be unique and hard to guess. Avoid predictable character combinations, common words, or names. Surprisingly, weak passwords account for half of all passwords! Don’t fall victim and let hackers use this to their advantage. Instead of using 123456, use a phrase with numbers and symbols (like iLoVEp1zzA!).

Also, you must never share your password. Every employee should have their own distinct username and password that they keep secure… and to themselves!

PCI Compliance Tip 2: Protect your credit card data

Don’t let your credit card data get into the wrong hands! Card data should either be stored as securely as possible or destroyed. PCI DSS requirements state that cardholder data should be retained only for legal, regulatory, or business purposes.

Don’t know what data is being stored? Be sure to ask your payment terminal vendor, service provider, or merchant bank. The merchant bank or processor should have the proper encryption and tokenization technologies in place to make the data useless if stolen.

If you don’t need to store the credit card data, the best practice is to destroy it. Paper records you must keep should have the card data blacked out with a marker so it is unreadable, and should be stored in a locked drawer. To limit risk, you should only accept payment details via phone call, fax, or physical mail rather than by email or text.

PCI Compliance Tip 3: Inspect Payment Terminals

Skimming devices can steal your customers’ card data as it is entered into a payment terminal. Don’t let your customers fall victim to this! You and your staff should be well trained on how to spot a skimming device. Be sure to regularly check your current terminals for signs of tampering. If you find something suspicious, do not use that terminal.

To ensure terminal protection, take pictures of all payment terminals, look for tampering signs, monitor customer use, keep an eye on terminal repairs, and immediately report suspicious activity to your vendor or bank.

PCI Compliance Tip 4: Use Trusted Partners

Your business regularly deals with many outside service providers. It’s important to make sure that these third parties are trustworthy. You should have a list of any payment terminal vendors, application or software providers, and any e-commerce hosting platforms that you use. These service providers all impact your ability to protect your customers’ privacy and credit card data. It is important that they are PCI DSS compliant, because this will greatly affect the security of your business.

You should know who to call when you have any problems or questions. This includes your merchant bank, your service providers, and the vendors you bought your devices and software from. Keep their contact information listed somewhere that is easily accessible in case of an emergency.

PCI Compliance Tip 5: Install Patches from your Vendors

Patches are software and operating system updates that keep programs and software safe from bugs or vulnerabilities. Software can easily have flaws, and this is where hackers thrive! Timely installation of security patches is required to fix these flaws before they can be exploited.

When your vendors and providers send you patch notices, you should read them thoroughly. Your vendors should update your terminals and systems when needed and install the patches as soon as possible.

PCI Compliance Security Tip 6: Protect in-house access to your card data

About 25% of data breaches involve internal actors, which is more often than people may think. A few security measures will help prevent an in-house breach.

Setting up an access control system and employee permissions is an important security step for managing new and existing employees. You should set up your system to grant access on a “business need-to-know” basis. Most employees can do their job using only certain applications and functions. Beyond the employee security measures, you should also keep a log of all visitors that enter the facility. Include the time, their name, and the reason for their visit.


PCI Compliance Security Tip 7: Don’t give hackers easy access to your systems

To avoid the risk of hackers getting into your system, you need to know how your vendors are accessing your system. It’s possible they are leaving the door open for hackers to enter your business systems, and this could lead to major system vulnerabilities.

To find out, simply ask your vendors if they use remote access to enter your business systems. Most remote access programs are always on, so asking your vendor to disable this access when it is not needed will help reduce your risk of a breach.

PCI Compliance Tip 8: Use anti-virus software

Hackers know how to write viruses and other malicious code to break into your systems and steal card data. To protect your systems from this malicious activity, you must install anti-virus software. This software is easy to install and gives you the option to update automatically when needed. You can also schedule regular full system scans to help detect any potential viruses across your entire system.

PCI Compliance Tip 9: Scan for Vulnerabilities

In today’s digital age, new vulnerabilities and bugs are being discovered every day. These are inevitable. This is why anti-virus software and internet-facing systems should be tested on a regular basis. Payment systems in particular are the most exposed.

A PCI Approved Scanning Vendor (ASV) provides tools that automatically identify vulnerabilities and misconfigurations in your internet-facing systems. Every scanning vendor is different, so it is important to find the right one for your business!

PCI Compliance Tip 10: Use Secure Payment Terminals

One way to get better protection for your business is to use secure payment terminals and experienced professionals. The PCI Council approves payment terminals that protect PIN data, and its List of PCI Approved PTS (PIN Transaction Security) Devices lays out the payment equipment that provides the best security.

You must also be sure that the person installing your payment system has been trained well. Any service provider you use should be PCI DSS compliant to help you manage and process your transactions safely.

PCI Compliance Tip 11: Install a Firewall

The internet is a great resource, but it can also be a dangerous one if you’re not careful. The internet is the main way data thieves can attack and steal your customers’ card data. Therefore, anything used for card payments needs extra protection if your business is on the internet.

This protection is best implemented by using a firewall. A firewall is software that sits between the internet and your payment system. This buffer keeps hackers and dangerous activity away from your payment systems, your e-commerce website, and your card data.

PCI Compliance Tip 12: Make your data useless

Your data is vulnerable, and the best way to prevent criminals from accessing it is to encrypt or destroy it completely. You should work with your payment vendor or provider to encrypt all card data that is going to be stored or sent out. This way you can sleep well at night knowing that your card data is safe and secure even if a criminal gets their hands on it.

Accepting payments face-to-face with a payment terminal requires a well-encrypted payment system. A payment terminal is a device that accepts a card number by swipe, insert, tap, or manual entry, such as a Point-of-Sale (POS) system, a credit card machine, or an EMV/chip-enabled terminal. The PCI scope includes the entire process for collecting credit card payments: a stand-alone payment terminal, an electronic cash register, or other devices connected to a payment terminal are all part of this process.

Therefore, payment terminals that are part of a PCI-listed P2PE (Point-to-Point Encryption) solution provide the best assurance about the quality of the encryption.
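As an added example (not part of this guide or of any vendor's product) of Tip 2 and Tip 12 put into practice: the Python below finds card numbers that have leaked into ordinary text such as order logs, Luhn-checks them so order references are not mistaken for cards, and replaces each real number with the PCI DSS masked form plus a token from a stand-in vault. The sample log lines, the public test card numbers, and the TokenVault class are constructed assumptions; a real merchant would get tokens from its processor rather than run its own vault.

```python
import re
import secrets

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample log lines: two public test card numbers and one
# 16-digit order reference that merely looks like a card number.
SAMPLE_LOG = """\
2024-05-01 10:02:11 order=A1001 card=4111 1111 1111 1111 exp=12/26 amount=42.00
2024-05-01 10:05:37 order=A1002 ref=1234567890123456 amount=9.99
2024-05-01 10:07:02 order=A1003 card=5555555555554444 amount=120.50
"""

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by every card brand; rejects digit runs that are
    not card numbers (order refs, phone numbers), cutting false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """PCI DSS masking rule: show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

class TokenVault:
    """Stands in for the processor's tokenization service (an assumption of
    this example). The merchant keeps the token; only the vault keeps the PAN."""
    def __init__(self) -> None:
        self._pans: dict[str, str] = {}
    def tokenize(self, digits: str) -> str:
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._pans[token] = digits
        return token

def find_pans(text: str) -> list[str]:
    """Discovery pass: which Luhn-valid card numbers are sitting in this text?"""
    hits = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return [d for d in hits if luhn_ok(d)]

def scrub(text: str, vault: TokenVault) -> str:
    """Replace every real PAN with its masked form plus a vault token; digit
    runs that fail Luhn are left untouched so legitimate data is not damaged."""
    def repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()
        return f"{mask_pan(digits)} {vault.tokenize(digits)}"
    return PAN_RE.sub(repl, text)
```

Run `find_pans` over exported logs, spreadsheets, and support-ticket text to answer the "what data is being stored?" question from Tip 2; anything it finds should be scrubbed and the source of the leak fixed.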
