The sizable majority of companies in the U.S. are considered small and medium-sized businesses (SMBs). Most SMBs process fewer than 20,000 e-commerce transactions per year (many far fewer), or fewer than 1,000,000 card transactions of any kind, which puts them in Level 4, the lowest merchant level in the PCI world.
If you have read my article on merchant risk levels, you'll know that Level 4 is the lowest tier, and therefore requires the least work to reach compliance. It is also the tier most often targeted by hackers....go figure.
In this guide I'll walk you step by step through what you need to do to become compliant, along with the basics of small-merchant PCI compliance. I tried to keep it as short as possible, though I'm not sure I succeeded. 🙂
For Retail (Card-Present) Merchants
Scan Your System
Most credit card processors require proof that you've had your system scanned for vulnerabilities; otherwise they'll charge you a monthly PCI non-compliance fee. So make sure you take care of the other steps below first, then get scanned once you're ready. Keep in mind that the external scan PCI DSS asks for has to be run quarterly by a PCI SSC Approved Scanning Vendor (ASV), so check that whoever you pick is on the ASV list. I've partnered with Trust Guard, so I'm obviously going to recommend that you get your system scanned by them, but it's your call. There are plenty of other companies that provide scanning services. From what I've seen, Trust Guard is pretty legit though.
Take the Self-Assessment Questionnaire (SAQ)
I cover the SAQ in my other PCI article, but as a short overview, the self-assessment questionnaire gives you a basic idea of which requirements you have to meet in order to be PCI compliant. There are several SAQ types (A, B, C, D and so on), and the one that applies to you depends on how you accept cards, for example a standalone dial-out terminal versus a web store. The SAQ will largely repeat what I'm telling you here, but that doesn't mean you can skip it. Just like the system scan, most processors require you to complete the questionnaire; otherwise they'll assess a non-compliance fee.
Now, follow these steps:
1. Only use PCI-approved PIN transaction security (PTS) devices (i.e. PIN pads).
By "device" I mean PIN pads and credit card terminals. Check the PCI Security Standards Council's list of approved PTS devices to see whether your current device is compliant. If it isn't, it's time to upgrade.
2. Only use PCI-validated POS (point-of-sale) and payment gateway software.
Check whether your current software is validated (the PCI SSC publishes the list of validated payment applications). If it isn't, it's definitely time to upgrade. This is also the right place to look for POS hardware and software, and every one of my top credit card processors offers a payment gateway that is PCI compliant.
3. Don't store any sensitive cardholder data.
As a small business it's very easy to overlook this. I remember writing credit card details down on a notepad for later reference, without realizing how big a security risk that really was. So, whether on paper or on your hard drive, don't store cardholder data. In particular, sensitive authentication data (the full magnetic stripe or chip data, the CVV2/CVC2 code and the PIN) may never be kept after authorization, not even encrypted, and if you have any legitimate reason to keep a card number it has to be rendered unreadable and masked wherever it is displayed (no more than the first six and last four digits). If you're worried that your credit card terminal or PIN pad might be storing card data, newer equipment either doesn't keep the data at all or encrypts it. So if your device is PCI compliant you shouldn't need to worry, but it's still worth confirming with your vendor and checking that receipts print only a truncated card number.
4. Use a firewall on your network and computers.
This one's pretty easy. Most operating systems ship with some kind of security package that includes a firewall. Just make sure you regularly check that it's enabled, and update it if needed. What PCI actually asks for is a firewall between your card-processing systems and the internet, and one that keeps the POS network separate from things like back-office PCs and guest Wi-Fi. If you don't have a firewall, Norton is pretty good.
5. Make sure your router is password-protected and uses encryption.
Another easy one. Your router's manual will walk you through setting an administrator password and enabling encryption. For wireless, use WPA2 (or WPA3); WEP is broken and has not been allowed under PCI DSS for years.
6. Use strong passwords, and be sure to change default passwords.
This is a no-brainer. I use a password generator to give me fast, secure passwords. Never leave the default password in place on any software or hardware.
7. Regularly inspect PIN entry devices and computers to make sure nobody has installed rogue software or "skimming" devices.
This is where the network scan comes in handy. The average person doesn't really know how to look for this sort of thing, so using a company like Trust Guard lets you rely on their expertise. One caveat: a network scan can't see a physical skimmer or overlay on a terminal, so you still need to physically inspect your devices on a schedule, checking serial numbers, tamper seals and cabling against a list of what you own, which is something PCI DSS explicitly requires.
8. Educate your employees about security and protecting cardholder data.
Don't get lazy about this one. I have a few articles in my PCI Compliance category that you can refer your employees to. You also have plenty of resources at your fingertips, so remember to use your favorite search engine.
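For step 7, the rogue-software half of the problem can be checked without knowing what the malware looks like: hash every file on the POS machine once when it is in a known-good state, and later compare. The script below is an added example, not the article's or any scanning vendor's tooling. The `demo` function builds a throwaway fake POS directory (constructed for the example), takes a baseline, then simulates an attacker dropping a new binary and editing the gateway setting, and returns what the comparison reports. Directory names, file names and the `gateway=` setting are all assumptions made for the illustration.

```python
"""Added example: minimal file-integrity baseline for a POS workstation.

Not part of the original article. The demo scenario is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(roots) -> dict[str, str]:
    """Map every regular file under the given roots to its SHA-256 digest."""
    manifest = {}
    for root in roots:
        for p in sorted(Path(root).rglob("*")):
            if p.is_file() and not p.is_symlink():
                manifest[str(p)] = hash_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict[str, list[str]]:
    """Report files added, removed or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict, path) -> None:
    """Store the baseline. Keep this copy somewhere the POS machine can't write."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake POS tree, then simulate tampering.

    Returns the diff with paths relative to the fake root so it is stable.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pos"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "posapp.exe").write_bytes(b"MZ fake POS application")
        (root / "config.ini").write_text("gateway=https://gateway.example/\n")
        baseline = build_manifest([root])

        # Simulated attacker activity: a new binary appears in the POS
        # directory and the gateway address is changed to another host.
        (root / "bin" / "rogue_dropper.exe").write_bytes(b"MZ rogue")
        (root / "config.ini").write_text("gateway=https://attacker.example/\n")

        report = diff_manifests(baseline, build_manifest([root]))
        return {k: [Path(p).relative_to(root).as_posix() for p in v]
                for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice you would run `build_manifest` over the POS application directory and the operating system's program directories, `save_manifest` the result to removable or read-only storage, and schedule a comparison. An unexplained entry under "added" or "changed" is the signal to stop using that terminal and call your processor or scanning vendor. This does not replace the physical inspection of the PIN pad itself; a hardware skimmer leaves no file behind.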
For eCommerce (Card-Not-Present) Merchants
Follow every step in the list above (except #1; you obviously won't have a PIN pad or credit card terminal if you're strictly eCommerce), plus the following:
Get an SSL Certificate
An SSL certificate (more precisely, a TLS certificate) ensures that sensitive data sent to your site is encrypted in transit, so it can't be read or altered along the way. The obvious place you'd need it is the payment page during checkout, though in practice you should serve the whole site over HTTPS so a customer is never bounced between encrypted and unencrypted pages. Note that PCI DSS no longer accepts SSL or early TLS (1.0) as strong cryptography; make sure your server is configured for TLS 1.2 or later. There are plenty of SSL vendors out there, but if you're getting your system scan from Trust Guard you might as well get your SSL from them too. 😉
One thing I'd like to point out is that there are a few payment gateways that can reduce your PCI burden almost completely. The way it works is that they offer a hosted payment page: the customer is sent to the provider's own servers to enter the card details, so the entire card-entry step happens there, not on your site. That way your own network never touches cardholder data, which takes you down to the shortest questionnaire (SAQ A) rather than having to maintain and prove a fully secured network yourself. It doesn't remove every obligation, though; you still have to keep your site from being tampered with, since an attacker who can edit your checkout page can redirect customers to a fake one. Check out the CDGcommerce instant PCI page to see what I mean. They do a better job of explaining it than I do.
You can also visit the Small Merchants page on the PCI Security Standards Council website for more information on PCI compliance for small business.