Don’t Ruin Your Business by Accepting Credit Cards Without Being PCI Compliant!

Running a business of any kind means accepting payments, often via credit card. Because thieves target these transactions, you and your customers are at risk. How much? Credit card theft cost U.S. consumers $16 billion in 2016. Making payments safe for consumers is crucial for your business reputation. As a business owner, you need to protect your customers’ financial information. Payment Card Industry Data Security Standard (PCI DSS) compliance is your solution.

PCI DSS represents a set of security standards designed to prevent credit card theft. Compliance shows that you are taking all reasonable steps to protect your customers. These include processes to prevent, detect, and react in case of data breaches.

Do you need it? Most major credit card schemes require PCI compliance. For example, Mastercard, Visa, American Express, Discover, etc., all need it. For this reason, everyone who accepts credit cards must be PCI compliant. And, while the primary goal of PCI DSS is protecting customers, it also protects you.

IBM research shows that data breaches cost businesses an average of $141 per lost record in 2016. Businesses also have a 28% chance of experiencing a data breach. If you are not PCI compliant, you and your customers are at risk. You could also be liable for data stolen from Point of Sale (POS) systems on your premises.

What Does PCI Compliance Entail?

PCI compliance involves 2 factors; secure Point of Sale and secure business practices.

If you have PCI compliant POS solutions, you need to meet 12 requirements for PCI compliance.

1. Integrate antivirus software
2. Create secure network systems and applications
3. Update security standards, passwords, etc., to secure standards
4. Take steps to protect data
5. Use encryption on open and public networks
6. Restrict digital access to cardholder data
7. Generate unique identification for employees to track liability
8. Restrict physical access to cardholder data
9. Track access to networks and computers with cardholder data
10. Test and maintain security systems and standards
11. Create a security policy for all employees
12. Use secure hardware

Implementing these standards will enable you to mitigate data breaches.

Applying for PCI compliance requires 4 primary steps. These include different processes depending on your business setup and size. You can choose to handle everything yourself to save costs. You may also hire a Qualified Security Assessor to do the work for you.

Complete the Self-Assessment Questionnaire

In most cases, you can submit a self-assessment questionnaire to achieve PCI compliance. There are 9 Self-Assessment Questionnaires designed for different types of businesses. The questionnaires include 20-100+ questions and an Attestation of Compliance form. Some businesses need a Designated Entities Supplemental Validation from a Qualified Security Assessor. You may also need an independent review of your business by an Approved Scanning Vendor.

Determine Your Compliance Level

PCI compliance level represents the security risks your business faces. It changes based on how many transactions you handle per year. Different banks and credit card companies use different standards.

Submit Documents

After you fill out documents, submit them to your bank or payment solution.

Review

You may need an independent validation of compliance. Here, a Qualified Security Assessor will review your business on a yearly basis. If you do not need the independent validation, the Self-Assessment is enough.

Choose a PCI Compliant POS Solution

Most small and medium businesses use systems and services from third-party suppliers. Unfortunately, not all vendors and suppliers offer PCI compliant POS solutions and processes. Many small businesses own older POS systems that are no longer PCI compliant. For example, an old system might store magnetic stripe data. It might also store CVV2 or PIN data which is also a risk.

A secure POS system includes:

• Secure hardware
• Secure cables and connections
• Data encryption
• Antivirus
• Anti-SSL Sniffing
• Keylogger protection
• Remote takeover prevention
• Hard drive protection

POS solutions should be individually PCI compliant. But, if you accept payments through an application, you need to ensure that it is PCI compliant too. If you accept credit cards at your store, the direct point of sale must be compliant as well. Finally, your server and network must be compliant as well.

PCI compliant software and hardware are Validated Payment Applications, and can be bought through POS solutions providers like POS.com.

Purchasing a secure POS system is only the first step to ensuring that you are PCI compliant. You also need strict security standards for your business. Companies with a large internal IT department can handle this on their own. If you don’t have that, we at Exigent can help set up and manage security standards for you. See our IT security services.

PCI compliance requires you to:

• Use security protocols for your network
• Secure remote and wireless access
• Use antivirus software
• Install a firewall
• Control physical access to servers
• Restrict digital access to information

PCI compliance can be time consuming and may be expensive. You may be hesitant to replace your POS hardware, but it can save you money. Losing customer information puts your business at risk. A data breach can be costly. It can also affect your reputation, your ability to accept credit cards, and even your ability to stay in business. Ensuring that you are PCI compliant will protect your business and your customers.