Sue Poremba, contributing writer to Business News Daily, interviewed security experts on why PCI compliance is a concern for small businesses. Here are the tips we offered on how to stay PCI compliant:
- Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the scope of assessment is probably the most difficult and important part of any PCI compliance program. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.
- Understand the boundaries of the cardholder data environment and all the data that flows into and out of it. Any system that connects to the cardholder data environment is within the scope of compliance and, therefore, must meet PCI requirements. The cardholder data environment includes all processes, technology, and people who store, process, or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.
- Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must also be properly disposed of at the end of its life span. Backups must also preserve the confidentiality and integrity of cardholder data. Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.
- Have an incident response plan in place. When a security incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of all compromised situations. Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary.
- Explain and enforce security procedures. You can never be sure that employees understand best security practices and behaviors that can put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated on security procedures and PCI compliance procedures.
To read the entire article, click here.