The key is to make sure your business is PCI DSS compliant. Why? First, a business that actually meets the requirements is far harder to breach: the controls address the usual ways card data is stolen from small merchants (default passwords, flat networks, stored card numbers, unpatched systems). Second, if your business is breached while it is compliant, the card brands and your acquiring bank generally will not hold you liable for fines, card replacement costs, or fraud losses (you will still probably pay the forensic audit fees; check your merchant agreement for the exact terms).
Here’s how to make your business PCI DSS compliant.
Know the Requirements for PCI DSS Compliance
You need to know what you have signed up for in your merchant agreement and what is required for your business to be compliant. If you don't, you won't know what steps you need to take in order to secure your business.
PCI Compliance Is More Than Transaction Compliance
PCI compliance has two parts: the transaction side (the payment application or terminal that handles the card) and the environment side (the network and computers that application runs in). Many businesses purchase a POS system sold as "PCI compliant" and think that makes them compliant. In reality, that validation covers only how the software handles card transactions, not your business environment and network, which must also meet PCI DSS. The network environment in which your POS equipment resides is just as important an aspect of PCI compliance as your transaction system.
A detailed list of all compliance areas can be found in PCI's Quick Reference Guide. PCI's short list is as follows:
- Buy and use only approved PIN entry devices at your points-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart. A list of validated applications is on their website.
- Do not store any sensitive cardholder data in computers, receipt printers, or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords (a mix of upper and lower-case letters, numbers and special characters). Be sure to change default passwords on hardware and software – most are unsafe!
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI standard, which comes down to three ongoing steps:
- Assess – identify where cardholder data is stored, processed, or transmitted, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities.
- Remediate – fix the vulnerabilities and stop storing cardholder data unless you genuinely need it.
- Report – compile and submit the required reports to the acquiring bank and the card brands you do business with.
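The Assess step starts with finding where card numbers actually sit, and they turn up in places nobody planned (receipt printer spools, order exports, mailboxes). Below is a small scanner, added here as an example and not taken from the PCI guide or from any vendor product, that looks for candidate card numbers in text, keeps only those that pass the Luhn checksum every major card brand uses, and reports them masked to the first six and last four digits (the most PCI DSS allows on a display). The sample text and the card numbers in it are constructed; the two that pass are the usual test numbers, and the 13-digit invoice reference shows how the Luhn check removes most random digit strings.

```python
import re
import sys
from pathlib import Path

# Constructed sample text for the demo. 4111111111111111 and 5555555555554444 are
# standard test numbers (they pass Luhn); the 13-digit invoice reference does not.
SAMPLE_TEXT = """\
Order 1042 paid with card 4111 1111 1111 1111 exp 12/26
Invoice ref 1234567890123
Refund to 5555-5555-5555-4444 processed
Phone 555-867-5309 is not a card
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, subtract 9 if over 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (PCI DSS masking); never log the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (line number, masked PAN) for every Luhn-valid candidate in the text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, mask_pan(digits)))
    return hits


def scan_files(paths):
    """Scan text files (receipt spools, exports, logs) and return masked hits per file."""
    report = {}
    for p in paths:
        try:
            text = Path(p).read_text(errors="replace")
        except OSError:
            continue  # unreadable path: skip it rather than abort the whole scan
        hits = find_pans(text)
        if hits:
            report[str(p)] = hits
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_files(sys.argv[1:]).items():
            for line_no, masked in hits:
                print(f"{path}:{line_no}: {masked}")
    else:
        for line_no, masked in find_pans(SAMPLE_TEXT):
            print(f"sample:{line_no}: {masked}")
```

Run it with file paths as arguments to scan them, or with none to see the constructed sample; a hit is a place where card data is being stored and therefore a place to remediate. The Luhn check is a checksum, not proof, so some invoice or account numbers will still match and need a human look, and anything stored in a database or a binary format needs to be exported to text first.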
Take The Necessary PCI Compliance Steps
There are two main ways to make your business more secure and PCI DSS compliant:
- Hire a PCI DSS Qualified Security Assessor (QSA)
- Do it yourself
Hiring a PCI DSS QSA
PCI SSC certified QSAs are organizations that have been qualified by the PCI Security Standards Council to assess compliance with PCI DSS. QSAs perform data security assessments, make recommendations, and produce the Report on Compliance and Attestation of Compliance that your acquiring bank accepts as validation. Hiring a QSA will save you the time it would take to do the research yourself and will also give you peace of mind that the job was done right.
The big downside to hiring a QSA is cost. You have to pay the QSA fees, which are generally quite expensive. One quote I checked on charged a base $5,000 fee plus $200 for every hour. On top of that, you have to pay for the equipment and software to fix whatever problems the QSA finds, which is also costly.
Here is a list of PCI certified QSA companies.
Here is a guide concerning what to look for in a PCI DSS QSA.
Do-It-Yourself
Figuring out PCI DSS compliance for yourself can seem a daunting task. However, just because you're not hiring a QSA does not mean it cannot be done or that you have to do it without help.
Here is how to do it:
- Educate Yourself
- Secure your Payment Network
- Use Security Software that Tests for Vulnerabilities
- Fill out and submit your PCI DSS Self-Assessment Questionnaire (SAQ)
Educate Yourself
This has already been generally addressed above. Here is the link again for the PCI DSS Quick Reference Guide. Although it is a bit rough to get through, it is only 33 pages and is important to read if you plan on monitoring PCI DSS compliance for yourself.
Secure your Payment Network
Simon recommended 3 main action steps every small business can take to make their network more secure and compliant.
1. Install a Proper Firewall
A properly configured firewall keeps attackers from reaching your business systems and stealing information from them. "Properly configured" matters: a firewall that allows everything by default protects nothing.
We recommend Mako Networks, which offers a secure, PCI DSS compliant payment network, complete with firewall, starting at around $80/month. Check their distributor list to find a reseller near you.
2. Have a separate network for payment services
Separating your payment network from your other business networks means an attacker who gets into your general business network (an office PC, the staff or guest Wi-Fi) cannot reach card data from there. They would have to break into the payment network specifically, and with a proper firewall between the two, configured to deny everything except the few connections the payment terminals need, that is much more difficult.
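To make that separation concrete, here is an added example (not from the page, from Simon, or from any vendor) of how the firewall between the two networks should be laid out and then tested: a first-match, default-deny rule table in which the payment network can talk only to the processor over TLS, one named admin host can reach it over SSH, and the office network can reach nothing else in it. The same evaluate() function is then run over the flows you expect to be blocked and allowed, which is the kind of segmentation test PCI DSS asks you to repeat at least annually and after changes to the segmentation. The addresses, zones and flows are assumed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing for a small merchant (illustrative, not from the page).
OFFICE_NET = ip_network("10.10.10.0/24")       # back-office PCs, staff Wi-Fi
CDE_NET = ip_network("10.10.20.0/24")          # POS terminals and payment server (cardholder data environment)
PROCESSOR_NET = ip_network("203.0.113.0/24")   # payment processor gateway (documentation range)
ADMIN_HOST = ip_network("10.10.10.5/32")       # the one office machine allowed to manage POS gear
ANY = ip_network("0.0.0.0/0")

# First match wins, so order matters: the specific admin allow sits above the blanket deny.
# Each rule is (action, source, destination, destination port or None for any port).
RULES = [
    ("allow", CDE_NET, PROCESSOR_NET, 443),   # terminals send transactions to the processor over TLS
    ("allow", ADMIN_HOST, CDE_NET, 22),       # management from one host, one service
    ("deny", ANY, CDE_NET, None),             # nothing else, inside or outside, reaches the CDE
    ("deny", CDE_NET, ANY, None),             # the CDE initiates nothing else (no web browsing from a POS)
    ("allow", OFFICE_NET, ANY, None),         # ordinary office traffic is unaffected
]


def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' or 'deny' for one flow; traffic matching no rule is denied by default."""
    s, d = ip_address(src), ip_address(dst)
    for action, rule_src, rule_dst, rule_port in RULES:
        if s in rule_src and d in rule_dst and rule_port in (None, port):
            return action
    return "deny"


# Flows a segmentation test should exercise, with the expected result (constructed).
EXPECTED_FLOWS = [
    ("10.10.20.7", "203.0.113.10", 443, "allow"),   # POS -> processor
    ("10.10.10.5", "10.10.20.7", 22, "allow"),      # admin host -> POS over SSH
    ("10.10.10.22", "10.10.20.7", 445, "deny"),     # office PC -> POS file sharing
    ("10.10.10.22", "10.10.20.7", 22, "deny"),      # any other office PC -> POS SSH
    ("10.10.20.7", "198.51.100.9", 80, "deny"),     # POS -> arbitrary web site
    ("10.10.20.7", "10.10.10.22", 445, "deny"),     # POS -> office PC (no path back out either)
    ("10.10.10.22", "198.51.100.9", 443, "allow"),  # office PC -> web still works
]


def segmentation_violations():
    """Flows whose actual result differs from the expectation; an empty list means the rules hold."""
    return [(s, d, p, want, evaluate(s, d, p))
            for s, d, p, want in EXPECTED_FLOWS if evaluate(s, d, p) != want]


if __name__ == "__main__":
    bad = segmentation_violations()
    print("segmentation OK" if not bad else f"violations: {bad}")
```

The table is the policy you would give to whoever configures the real firewall; the flow list is what you (or the scanning vendor) actually try from an office PC and from a terminal afterwards. If someone later adds an "allow office to everything" rule above the deny, the last test flows start failing, which is exactly the regression a segmentation test exists to catch.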
3. Change Usernames and Passwords every 90 days or so on all access points
Change default usernames and passwords as soon as you can, because they are rarely secure and are printed in vendor manuals anyone can download. Then change usernames and passwords every 90 days. Most network providers have their own how-to document detailing how to do this. Here is a general guide to changing your wireless network password.
Use Security Software that Tests for Vulnerabilities
There are various software options that scan your network and payment terminals for vulnerabilities and check them against the PCI DSS requirements. PCI DSS also requires quarterly external vulnerability scans by a PCI Approved Scanning Vendor (ASV) for merchants whose systems are reachable from the internet, so make sure whatever you choose is on the ASV list. Check with your payment processor first; some offer PCI DSS scanning as part of their package at no charge.
If you do not already have access to PCI security software, we recommend Control Scan Inc's PCI 1-2-3. This software gives the small business owner real-time access to the most up-to-date PCI compliance rules. It also conducts vulnerability scans, providing reports and detailed instructions to secure any weak areas. Cyber security training for employees is also included. PCI 1-2-3 costs $250/yr plus an additional $100 per extra IP address.
Bluepay, our recommended merchant services provider, has a partnership with Control Scan, giving their clients access to PCI compliant testing at no additional charge.
Fill Out Your PCI DSS Self-Assessment Questionnaire
To be PCI compliant, small businesses are required to complete an annual PCI DSS Self-Assessment Questionnaire (SAQ). The SAQ is a do-it-yourself checklist to determine compliance. There are several versions, and which one applies depends on how you take payments (for example, card-present with standalone dial-out terminals, a fully outsourced e-commerce page, or a POS system that stores data on your own network); the instructions and the questionnaires themselves can be found on PCI's self-assessment forms page.
What to Do if You Suspect You Have Been Breached
If your computers are unusually slow, one has been tampered with, or you are locked out of various accounts for no reason, it is possible you have been breached. Other warning signs are unfamiliar software or devices on a POS machine, broken tamper seals on a PIN pad, or a call from your processor saying that cards used at your business are turning up in fraud. A more comprehensive guide to determining and dealing with a possible breach is available on Visa's website.
If you suspect a breach, here is what you need to do.
- Report the Breach to Your Payment Processor/Merchant Bank
- Check State Disclosure Regulations and Alert Local Law Enforcement
- Comply Fully with any PCI DSS Audit
Report the Breach to Your Payment Processor/Merchant Bank
If you suspect a breach, contact your payment processor or merchant bank and let them know that a possible security breach has been detected. They will then go over the protocol and determine what should be done.
Check State Disclosure Regulations and Alert Local Law Enforcement
Check your state's breach notification law to see whom you are required to inform and within what time frame. In most cases, you must let affected customers know that there has been a possible security breach, usually in writing.
Generally, you also should alert your local law enforcement agency. Check with your legal advisor and/or your payment processor to be sure.
Comply Fully with any PCI DSS Audit
Your payment processor or their bank normally initiates the PCI DSS audit (a forensic investigation of the breach). If you are notified of an upcoming audit, gather all of your information related to PCI compliance and have it ready for the investigators when they arrive. You want the audit team to be assured that you are on board for full cooperation. This will make the process much smoother, getting your business back up and running as quickly as possible. Full cooperation also communicates that you have nothing to hide.
The audit team comes in and checks whether, how, and where a security breach occurred. They also determine whether or not your business was in fact compliant with PCI DSS requirements at the time. You will probably have to pay the audit fees. But if you did meet the PCI DSS requirements, you are generally not responsible for fines, credit card replacement fees, or fraud refunds.