An Overview Of PCI Compliance For Small Businesses
Are you a small business with an online presence? Do you store credit card information from your customers? Have you been asked whether you are PCI DSS (Payment Card Industry Data Security Standard) compliant? You must comply with these new standards, which exist to tighten online security for Internet shoppers. Businesses that do not cooperate can be charged a substantial fine and could also be banned from accepting credit cards of any kind for customer transactions. Security problems may seem to happen only to huge businesses, such as the well-publicized TJ Maxx customer account breach last year, but in reality cardholder data security problems affect small business owners as well. The PCI DSS standard has been designed to promote security awareness and to help businesses of every size implement strong security measures.
A security standards organization called the PCI Security Standards Council was formed in 2006 to find ways to prevent such breaches. PCI is the common name used to describe the Payment Card Industry. The group consists of all the major payment card companies, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. The Council originally focused on large corporations that process over six million transactions yearly; these merchants are referred to as 'Level One' merchants. In 2008, the group changed its focus to Level Four merchants. A Level Four merchant is an online business doing 20,000 or fewer transactions yearly, and these businesses make up the large majority of the small business segment. If your business falls into this group, at a minimum you will be required to complete an annual PCI Self-Assessment Questionnaire and possibly a quarterly network scan. You may also be required to authorize your payment processor to perform a security scan of your business.
For Level Four merchants, it's easy to get started with PCI. Download the Self-Assessment Questionnaire and fill it out completely. Answer the questions honestly and be prepared to address any shortcomings you find in your business procedures. Next, sign up for scans from one of the many Approved Scanning Vendors (ASVs). It is critical that the vendor you choose be on the list of PCI-approved ASVs. These automated scans will probe your online presence for well-known misconfigurations and vulnerabilities.
Alternatively, a number of firms now offer a PCI package that includes guides to help you implement the PCI standards. ScanAlert is one such service. The package includes an online form that the business owner fills out to interactively answer questions about the business environment. The service can also schedule quarterly network scans and report on any issues found. With this package, remediation steps are linked to each item found during the audit.
Proof of PCI compliance may be required by a merchant's processor. Even when the processor does not ask for the reports, merchants are still required to comply. Fortunately for small business owners, merchant compliance is becoming easier as tools arrive to help facilitate the compliance process.