If you think your Small-to-Mid Sized Business (SMB) is PCI DSS Compliant, think again.

More than 80% of all credit card breaches occur in SMBs.

PCI DSS stands for Payment Card Industry Data Security Standard. It is the set of security rules established by the payment card brands, such as VISA, MASTERCARD, DISCOVER and AMERICAN EXPRESS. Just like large corporations, your small or medium-sized business must comply with PCI DSS rules.

What Does It Mean to Be PCI DSS Compliant?

Being PCI DSS compliant means adhering to a set of standards, established by the payment card industry, that define best practices for businesses accepting credit card payments and for the computers and networks involved in handling those payments.

Any business that accepts credit cards, whether over the Internet, through a terminal, in a store, in a doctor’s office, etc., must follow these standards.

You must maintain a secure network at all times to prevent security breaches in which credit card numbers are exposed to an attacker.

What Are the Penalties for Non-Compliance?

Fines can range from $50 to $3,000 per card holder per breach. These fines are passed from the credit card company to the Merchant Bank, and then to YOUR BUSINESS. Plus, if you suffer a breach, your business will be subject to a higher level of scrutiny.

Perhaps You’re Thinking:

“My company doesn’t need to store credit card data, so PCI Standards don’t apply to me, right?” 

Wrong: If you accept credit card payments, PCI Standards apply to your business.

“My company is very small, so these Standards don’t apply to me.”

Wrong: The PCI DSS applies to any sized business no matter the number of transactions it accepts.

“My business has multiple locations. I shouldn’t have to validate each location, right?”

Wrong: If each of your locations operates under the same Tax ID, then technically you’re only required to validate once per location annually. However, you do have to submit quarterly or semi-annual network scans for each location.

“PCI Data Security Standards are only a recommendation and not a requirement, right?”

Wrong: In 2004, the major payment brands formed the PCI Security Standards Council to implement a common set of minimum security requirements for all merchants.

How Do I Begin?

Start by Taking These 3 Steps.

  1. Complete the self-assessment questionnaire that your merchant bank provides on its website, following the instructions it contains.
  2. Obtain evidence of passing a vulnerability scan. Your merchant bank will have a website that you can use to scan your firewall.
  3. Complete the attestation of compliance in its entirety (60 or so questions about your computer network). Based on the answers, it tells you whether you’re compliant or not.

Then you submit the evidence of passing the scan, and attestation of compliance, along with any requested documentation from your merchant bank. This is typically required annually, or on a 6-month basis.

PCI DSS Compliance is Technical and Complex.

You Must Also Complete the Following 6 Requirements. 

  1. You must build and maintain a secure network to prevent criminals from remotely accessing your payment system and cardholder data. You must also construct and maintain your own firewall and router configuration standards, formalize testing whenever configurations change, and identify all connections to cardholder data, including wireless. You must undergo a review of configuration rule sets at least every 6 months. You must also install personal firewall software on mobile and employee-owned computers with direct connectivity to your network. Plus, never use default passwords. These are widely known and make it easy for criminals to enter your network, including wireless devices.
  2. Protect cardholder data if you store it. You must have multiple layers of defense that combine physical and virtual security methods. It’s important to encrypt transmissions of all cardholder data. Never store PINs after authorization, even if they are encrypted.
  3. Maintain a Vulnerability Management Program. Use and regularly update antivirus and antimalware software to protect against the most recently developed malware. This software must complete a heuristic scan and notify you of any virus or malware activity. If your data is hosted on outsourced servers, your MSP (Managed Service Provider) must be responsible for maintaining a safe environment, including generating auto locks. Develop and maintain secure systems and applications. This includes discovering newly identified security vulnerabilities via alert systems. Your PCI hosting provider should be monitoring and updating their systems to address any security vulnerabilities.
  4. Implement Strong Access-Control Measures. Restrict access to cardholder data by business “need to know.” Limit the number of personnel that have access to it. This will lessen your chance of a security breach. Assign a unique user name and password to each person with computer access. (For example, the receptionist shouldn’t use the word “reception” as a user name. Have him or her log in with their own unique name, so when they log off and another receptionist takes over on the same computer, you can identify who did what and when.) User accounts with access should follow best practices, such as password encryption, authorization and authentication, password updates every 30 days, login time limits, etc. Restrict physical access to your important data. If your data is hosted in an offsite location in a data center, your data center provider should have limited personnel access to the sensitive information. PCI Compliant Data Centers should have full monitoring, including surveillance cameras and entry authentication, to ensure a secure PCI hosting environment. Ensure all visitors are authorized before entering areas where you have secure data that is being processed or maintained. Give them some kind of token (like a badge) that expires and identifies the visitor as a non-onsite personnel member. Visitors must surrender the token before they leave the facility, or on the date of expiration. Physically secure all media. Store media backups offsite in a secure location.
  5. Regularly Monitor and Test Networks. Track and monitor all access to network resources and cardholder data. Logging systems that track user activity and stored archives can help you and your hosting provider pinpoint the cause in the event of a security breach or other issue. Regularly test the security systems and processes (once every 6 months or quarter). By doing this, you should be able to assure that your customers’ cardholder data is safe at all times. Secure audit trails so they can’t be altered. Make sure that your logs are “Read Only.” Review these logs for all system components related to secure functions at least monthly. Retain audit trail history for at least one year, and have at least 3 months of history on hand for immediate access and availability for analysis.
  6. Maintain an Information Security Policy. A strong policy sets the tone for security affecting your entire company. It informs employees of their expected duties related to security. All employees should be aware of their responsibility for protecting company data. This not only includes credit card data, but client, patient, or any other sensitive internal company data. Maintain a policy that addresses information security, including acceptable uses of technology, reviews and annual processes for risk analysis, operational security procedures, and other general administrative tasks.
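Requirement 5 above asks for audit trails that cannot be altered and that can be reviewed after the fact. One way to make a log tamper-evident, in addition to storing it read-only, is to chain each entry to the previous one with a cryptographic hash, so that any edit or deletion in the middle breaks the chain. The following is an added example written for this page (it is not RCOR's code and not part of PCI DSS itself); the hash-chain convention, the `GENESIS` value and the sample access events are constructed for illustration.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Hash used as the "previous hash" of the very first entry (constructed convention).
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, event: Dict) -> str:
    """SHA-256 over the previous entry's hash plus a canonical JSON form of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_event(chain: List[Dict], event: Dict) -> Dict:
    """Append an event to the audit chain, linking it to the last entry's hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev_hash, "event": event, "hash": _entry_hash(prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if every link holds, else (False, index of the first bad entry).

    An edited event changes its recomputed hash; a deleted or reordered entry makes the
    next entry's 'prev' field disagree with the hash that actually precedes it.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != expected_prev:
            return False, i
        if entry["hash"] != _entry_hash(entry["prev"], entry["event"]):
            return False, i
        expected_prev = entry["hash"]
    return True, None


# Constructed sample access events of the kind requirement 5 wants tracked.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "user": "jdoe", "action": "login", "host": "pos-01"},
    {"ts": "2024-03-01T08:05:40Z", "user": "jdoe", "action": "view_cardholder_record", "record": "cust-4471"},
    {"ts": "2024-03-01T08:30:02Z", "user": "jdoe", "action": "logout", "host": "pos-01"},
]


def build_sample_chain() -> List[Dict]:
    chain: List[Dict] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, dict(ev))  # copy so later tampering never touches SAMPLE_EVENTS
    return chain


def tamper_demo() -> Tuple[bool, Optional[int]]:
    """Rewrite who viewed the cardholder record, then check whether verification notices."""
    chain = build_sample_chain()
    chain[1]["event"]["user"] = "someone_else"
    return verify_chain(chain)


def deletion_demo() -> Tuple[bool, Optional[int]]:
    """Quietly drop the record-view entry, then check whether verification notices."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("intact chain:", verify_chain(build_sample_chain()))
    print("edited entry:", tamper_demo())
    print("deleted entry:", deletion_demo())
```

The chain detects modification and removal of any entry that has a successor. It cannot by itself detect truncation of the newest entries, so in practice the latest hash is periodically copied somewhere the log writer cannot change (a separate system, or the monthly review record), which ties this technique back to the read-only storage and regular review the requirement already calls for.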

Where Do I Go Next?

There are 3 more steps you should take to adhere to PCI DSS.

  1. Identify your secure data (cardholder data that needs to be secured), and take an inventory of your IT assets and business processes for payment processing and day-to-day utilization of any secure data. Analyze them for vulnerabilities that could expose this data.
  2. Remediate. Fix the vulnerabilities where PCI credit card data is concerned, and unless you really have to, don’t store this data.
  3. Compile the required remediation validation records and submit them, along with compliance reports, to your merchant bank and the credit card brands you do business with. This is something you’ll need to do on a regular basis. (By showing your merchant bank that you are compliant, they may reduce your merchant fees.)
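Step 1 (identify where cardholder data lives) and step 2 (don't store it unless you must) both depend on actually finding card numbers that have leaked into spreadsheets, exports and application logs. The following is an added example written for this page, not RCOR's tooling and not a PCI-mandated method: a small cardholder-data discovery scan that looks for 13 to 19 digit runs, keeps only those that pass the Luhn check used by card brands, and reports them masked so the scan output does not itself become stored cardholder data. The file names and contents are constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Constructed in-memory "files" standing in for a real directory walk.
# Only the first card number in each of the first two files is a Luhn-valid number.
SAMPLE_FILES: Dict[str, str] = {
    "exports/orders.csv": "order,card\n1001,4111 1111 1111 1111\n1002,1234 5678 9012 3456\n",
    "logs/app.log": "2024-01-01 checkout ok card=5500-0000-0000-0004 amt=19.99\n",
    "notes.txt": "Invoice 4111111111111112 is not a card number; phone 919-313-9355\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9, sum must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four digits (the usual masked display form); star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> List[str]:
    """Return masked Luhn-valid card numbers found in one line of text."""
    found = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan each (path -> contents) pair; return (path, line number, masked PAN) findings."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for masked in find_pans(line):
                findings.append((path, line_no, masked))
    return findings


if __name__ == "__main__":
    for path, line_no, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: possible stored card number {masked}")
```

On a real system the dictionary would be replaced by a walk over the file shares, database dumps and log directories identified in step 1, and every hit is a candidate for the remediation in step 2: delete the data, truncate it to a masked form, or move it into the properly protected payment system. A Luhn pass does not prove a number is a card number (other identifiers also use it), so findings still need a human look before anything is deleted.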

As you can see, there are many things to address where PCI compliance is concerned, and they are very technical and complex.

This is where a Managed Service Provider comes into play: one who is your IT partner in computer and network security. The right MSP will hold your hand through this process to ensure your business will always be PCI DSS Compliant.

RCOR Technologies can help. We’re experts when it comes to PCI DSS Compliance and Network Security. Simply pick up the phone and call (919) 313-9355 or email us at tim@rcor.com and we’ll tell you more.