Accepting Credit Cards? PCI Compliance a Concern for Small Businesses

Recent breaches against major retailers have put payment card industry (PCI) regulations in the spotlight. However, it isn’t only big companies that need to worry about adhering to these regulations. The rules apply to every business that relies on credit and debit cards for transactions. Even if your business employs four people and it conducts one credit-card transaction a month, it must be PCI compliant.

This is easier said than done. The Verizon 2014 PCI Compliance Report found that most companies struggle to meet the PCI Data Security Standard, the set of regulations created to help keep credit and debit card data safe and secure. According to Computerworld, more than 82 percent of companies were compliant with only about 8 in 10 of these requirements at the time of their annual assessments, and needed several months to close the gaps. In addition, only 11.1 percent of businesses maintain their compliance status between assessments.

Being PCI compliant is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company does meet compliance standards can be daunting. Jeff VanSickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips to prepare for a PCI assessment, and to keep your standards at secure levels at all times.

1. Identify all business and client data, including any cardholder data, along with its sensitivity and criticality. Correctly defining the PCI Scope of Assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can leave cardholder data unprotected, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.

2. Understand the boundaries of the cardholder data environment and all of the data that flows into and out of it. Any system that connects to the cardholder data environment is in scope for compliance, and therefore must meet PCI requirements. The cardholder data environment includes all of the people, processes and technology that store, process or transmit customer cardholder data or authentication data, together with all connected system components and any virtualization components, such as servers.

3. Establish operating controls to protect the confidentiality and integrity of any cardholder data. Cardholder data should be protected wherever it is imported, processed, stored and transmitted. It must then be properly disposed of at the end of its life span.

“Backups must also preserve the confidentiality and integrity of cardholder data,” VanSickel added. “Additionally, all media must be properly disposed of to ensure the continued confidentiality of the data. Be sure to include not only the hard disks used by company-owned computer systems but also leased systems and the storage included in modern copy machines and printers.”

4. Have an incident response plan in place. When an incident occurs, it’s important to have a plan to return to secure operations as quickly as possible. This incident response plan should define roles, responsibilities, communication requirements and contact strategies in the event of a compromise, including notification of the payment brands, legal counsel and public relations. This will ensure timely and effective handling of any compromise.

“Ideally, companies should have a certified forensics specialist on retainer who can gather evidence and testify as an expert witness if necessary,” VanSickel said.

5. Explain and enforce security procedures. You can never assume that employees understand security best practices or recognize the behaviors that can put your business at risk. It is up to you to make sure everyone within the company, from lower-level employees to IT specialists to management, is educated about security procedures and PCI compliance procedures.

The moment your customer hands over a credit or debit card, you become responsible for keeping the data associated with that card secure. While the above steps are primarily meant to prepare you for a PCI audit, they will also provide a safety net in between assessments. For more information, visit

Originally published on Business News Daily