PCI Data Security Standards
First, as a new business accepting credit cards, it is imperative to understand that you are subject to the scope of the PCI Security Standards Council (PCI).
The PCI offers assessments to your business, as well as compliance information. The size of your business determines the specific compliance requirements, and usually the bank or payment brand advises on the required PCI Data Security Standard (PCI DSS) validations. Enforcement of merchant compliance is not managed by PCI, but rather by the individual payment brands. Annual completion of the compliance assessment may even be required by your bank.
Annual Testing – There are common areas where businesses fail to comply with PCI DSS. The first is annual testing by a qualified tester, which must include both network-layer and application-layer evaluations. This testing must also be repeated after any significant change to your network environment. Note that a new version of PCI DSS, which updates the penetration testing requirements, went into effect June 2015.
Quarterly Scanning – If your business makes significant network changes, then you must perform a quarterly scan, fix any identified gaps, and re-scan until the vulnerability is repaired and clean results are obtained. Recordkeeping is required throughout this process: your business must retain the results of each scan and re-scan, and it must be able to provide four passing quarterly scans for the prior year.
Timely Implementation of Patches – Critical security patches are required to be implemented within a month of their release date. Vendor-supplied patches require coordination and testing and can be time-consuming, but correcting known gaps with patches is a security control in its own right. To help your business manage this common source of breaches, consider adopting automated configuration management software.
Ongoing Compliance – Consider compliance as an on-going process in your business environment. Ongoing compliance testing and monitoring will assist your business in maintaining a robust compliance program. Remember, also, that compliance does not only involve your company. Be sure to also check the compliance status of your current payment processing provider.
In addition to adhering to PCI Standards, there are additional considerations for small business owners to safeguard their customers’ credit card data.
Other Considerations – If your business stores customer credit card data, you can take extra steps to safeguard sensitive information by using a private network or cloud-based storage, as well as ensuring the data are encrypted. Be sure to also regularly back up the data by using backup software, in addition to traditional storage, such as external hard drives.
Consider creating and implementing a company policy that sets out how customer credit card data is handled. You could, for example, assign unique employee PINs so that sales and refunds can be traced to the person who processed them, and train your employees in the proper handling of credit card transactions and in the warning signs of potential fraud.
These are just some of the main steps you can take as a small business owner to protect your customers’ credit card data and to engender customer trust and confidence.