Accepting Credit Cards? PCI Compliance a Concern For Small Businesses

Sue Marquette Poremba, Business News Daily Contributor   |   March 20, 2014 12:59pm ET

Recent breaches against major retailers have put payment card industry (PCI) regulations in the spotlight. However, it isn’t only big companies that need to worry about adhering to these regulations. The rules apply to every business that relies on credit and debit cards for transactions. Even if your business employs four people and it conducts one credit-card transaction a month, it must be PCI compliant.

This is easier said than done. The Verizon 2014 PCI Compliance Report found that most companies struggle to meet the PCI Data Security Standard, the set of regulations created to help keep credit and debit card data safe and secure. According to Computerworld, more than 82 percent of companies were compliant with only about 8 in 10 of these requirements at the time of their annual assessments, and needed several months to close the gaps. In addition, only 11.1 percent of businesses maintain their compliance status between assessments.

Being PCI compliant is non-negotiable if you accept credit and debit cards, but preparing for a PCI audit and ensuring that your company does meet compliance standards can be daunting. Jeff VanSickel, senior consultant at IT compliance consulting firm SystemExperts, provided a few tips to prepare for a PCI assessment, and to keep your standards at secure levels at all times.

1. Identify all business and client data, including any cardholder data, its sensitivity and criticality. Correctly defining the PCI Scope of Assessment is probably the most difficult and important part of any PCI compliance program, VanSickel said. An overly narrow scope can jeopardize cardholder data, while an overly broad scope can add immense and unnecessary cost and effort to a PCI compliance program.

2. Understand the boundaries of the cardholder data environment and all of the data that flows into and out of it. Any system that connects to the cardholder data environment is in scope for compliance, and therefore must meet PCI requirements. The cardholder data environment includes all processes and technology as well as the people that store, process or transmit customer cardholder data or authentication data, as well as all connected system components and any virtualization components, like servers.
