Understanding PCI Compliance for small businesses
Small businesses often see PCI compliance as a confusing and unpleasant requirement. A requirement it definitely is, though, and one that protects the business as much as its customers. The Payment Card Industry Data Security Standard (PCI DSS) applies to any company that accepts credit or debit card payments, however small, so even a business run by one person may have to show that it is compliant. The obligation is contractual: it comes from the card brands through your acquiring bank or payment processor, and falling short can mean fines, higher processing fees, loss of the right to accept cards, and liability for the costs of a breach. Some very simple PCI compliance training can quickly sort out the confusion.
Here are the basics to get started with some do-it-yourself PCI compliance training:
Find reliable information. The PCI standards are maintained by the PCI Security Standards Council, which publishes the standard itself and guidance for merchants. The standard is the same for every business; what differs is how you have to validate compliance. Each card brand (Visa, Mastercard, etc.) assigns merchant levels by annual transaction volume, and the Self-Assessment Questionnaire (SAQ) you complete depends on how you accept cards, for example a fully outsourced hosted payment page versus card data passing through your own systems. The definitive source is the PCI website and its section for merchants (https://www.pcisecuritystandards.org/merchants/index.php).
Find help. Small businesses can ask the company that processes their card transactions for tips and advice on meeting the standard. Processors often recommend tools for managing PCI compliance and can help you work out whether you meet the requirements. A Qualified Security Assessor (QSA), a company certified by the council to perform formal assessments, can be a good option, but most small merchants can self-assess and a QSA is only worth the cost if your environment is complicated. You may also be able to learn the ropes yourself with a bit of PCI compliance training. Compliance must usually be revalidated annually, so once you have done it once it gets easier. The standard itself does change, though, as the council publishes new versions, so keep on top of new developments and check for updates occasionally.
Know who to hire. It helps to know that you can find solutions on your own, because some providers refer you to another company only because they earn a commission or have a business relationship. What you do need to make sure of is that any external vulnerability scanning is done by an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council; a scan from an unapproved vendor does not count toward compliance. If you take card payments through a website, be sure the web host understands PCI DSS and can help you meet the standard.
Don't store credit card details, ever. If you need to charge a card again, use an eCommerce or payment system that tokenizes the card number once it has been entered: the processor keeps the real number and hands you back a "token" that you can use to charge the card on a recurring basis, say for a gym subscription, but that is of little use to anyone who steals it. This avoids having card numbers stored on your network or in your office, which brings far more complicated security obligations: stored numbers must be encrypted or otherwise rendered unreadable, the keys must be managed, access must be restricted and logged, and physical access to wherever the data lives must be controlled. Note also that sensitive authentication data such as the CVV/CVC code and full magnetic-stripe or chip data must never be stored after authorization, even encrypted. All of this can end up costly and complicated to manage, so the less card data you hold, the smaller and simpler your compliance scope.
It's up to you. If you are working with a processor that does not ask you to submit any PCI forms, ask for them anyway; they may not be giving you accurate information. Ultimately you are responsible for complying, and you will be held responsible if you are not.