If a business, large or small, is responsible for collecting or processing any cardholder data, it needs to follow the Payment Card Industry’s compliance regulations to ensure customers’ data is secure. Here are four steps you as a small business owner can take to get started with understanding the ins and outs of PCI Data Security Standard (PCI DSS).
First, many small merchants may not understand or be able to evaluate their PCI compliance needs on their own. One of the first places a small business merchant should visit is the PCI Security Standards Council’s website (https://www.pcisecuritystandards.org). According to the website, “…they are responsible for the development, management, education, and awareness,” which will help businesses unfamiliar with the PCI compliance assessment process get a better grasp of regulations.
Second, it will help simplify the process if a business knows what merchant level it falls under (Level 1 through Level 4). For example, a Level 4 merchant is any business processing fewer than 20,000 e-commerce transactions and fewer than 1,000,000 other transactions per year. This level, which may be typical of a small business, is responsible for an annual PCI self-assessment questionnaire and a quarterly network scan by an Approved Scanning Vendor (ASV). More information about merchant levels can be found at PCI DSS 101.
Third, it is important for merchants to understand there is potentially a very high cost for not being PCI compliant. With any breach of cardholder data while non-compliant, there could be costs involving investigation, chargebacks for fraudulent transactions, compliance audits, fines, and potential legal liabilities – just to name a handful.
Finally, achieving PCI compliance is not only a preventive measure that acts somewhat like an insurance policy; it also reassures potential customers that their data security is a priority. With public awareness about consumer identity theft at an all-time high, this is an opportunity to show your customers they are valued. Once you become PCI compliant, or if you already are, advertise it—whether on your website, in your storefront, or in your invoices. Your customers will be at ease knowing it.
Following PCI guidelines will point you in the direction of understanding business security objectives, finding technology to work for the business, putting secure workplace policies in place, and monitoring those policies on an ongoing basis.
Consider acquiring a merchant account and becoming compliant with PCI DSS a cost of business and a lifecycle, not a nuisance or a final destination. The benefits of upgrading practices and systems to be PCI compliant outweigh the costs you would face if precautions are not taken. While some smaller merchants may be worried about the expense of upgrading their hardware, software, and security, investing in meeting the proper regulations at the beginning could prevent headaches and empty pockets in the end.