Saturday, July 21, 2012

PCI Compliance for small businesses – Keep It Simple

The PCI DSS requirements were not pulled out of the air or written specifically to drive merchants crazy. They are all based on security standards that have been around for years, with updates as technology has evolved. On the surface, PCI compliance requirements can be intimidating if you don't have a large tech support team and a rather large bankroll. There are, however, ways to ensure your environment is compliant without breaking the bank.

KEEP YOUR ENVIRONMENT SIMPLE – the simpler the environment, the easier the compliance standards are to meet.

  • Purchase authorized PIN and credit card devices from your bank. Ensure they are PCI compliant.
  • Don't store customer data in your environment. This doesn't mean don't have a marketing mailing list. It means don't include any customer financial data in it.
  • Use commercial products for your POS system that are certified PCI compliant.
  • Trust your employees, but verify. Do background checks to ensure you're not hiring an individual who shouldn't be trusted with someone else's personal information.
  • Only allow access to customer data to those employees who have a definite business need.
  • Purchase and maintain antivirus and anti-malware software for all PCs (and servers) in the environment.
  • Use Windows Update and apply security fixes. Do the same for other operating systems; they get hacked too.
  • Don't browse social media sites on your work PC. (Some may consider this overkill, but if you simply don't allow it in the first place, you don't have to worry about a Trojan getting through your virus protection.)
  • Use individual logons for all employees. This leaves a trail that makes troubleshooting potential misuse much easier.
  • Find vendors who will partner with you, regardless of your small size, to help you maintain your environment. Ensure THEY are security minded and compliant.
  • Write some basic policies and procedures and have employees sign off that they have read and understand them. (Core policies and procedures are available that you can fit to your environment.)
  • Turn on Windows Firewall.
  • Purchase a warranty on your hardware. (This goes to recovering from a disaster and to environment stability.)
  • Back up your data. You can purchase an external hard drive from many vendors for under $200 in a lot of cases. Windows has a built-in backup program, so you don't have to purchase additional software.
  • Follow basic security rules published by vendors such as Microsoft. They have security baseline documentation that will guide you in creating a more secure environment.
  • Fill out your self-attestation paperwork and provide it to your merchant bank.
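Several of the items above (firewall, antivirus, Windows Update, individual logons) can be spot-checked on each Windows PC with a short, read-only script. The one below is an added example, not part of the original post; it assumes Windows 10 / Server 2016 or later with the built-in NetSecurity, Defender and LocalAccounts modules, and the 7-day signature age and the shared-account name pattern are assumptions you should adjust.

```powershell
# Added example: read-only PCI hygiene spot-check for one Windows PC.
# Run from an elevated PowerShell prompt; it reports findings and changes nothing.
$findings = @()

# Windows Firewall: every profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') { $findings += "Firewall profile '$($p.Name)' is disabled" }
}

# Antivirus: Defender real-time protection on and signatures recent.
# 7 days is an assumed threshold; tighten it if your AV updates daily.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
    if ($mp.AntivirusSignatureAge -gt 7) {
        $findings += "AV signatures are $($mp.AntivirusSignatureAge) days old"
    }
} catch {
    # Defender status unavailable (e.g. third-party AV installed); verify that product manually.
    $findings += "Windows Defender status unavailable; confirm your antivirus is running and current"
}

# Windows Update: the service must not be disabled, or fixes never arrive.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') { $findings += "Windows Update service is disabled" }

# Individual logons: the built-in Guest account should be off, and enabled accounts
# with generic names (assumed pattern below) suggest a shared logon, which destroys the audit trail.
foreach ($u in Get-LocalUser) {
    if ($u.Name -eq 'Guest' -and $u.Enabled) { $findings += "Guest account is enabled" }
    if ($u.Enabled -and $u.Name -match '^(pos|shared|cashier|register)') {
        $findings += "Possible shared account: $($u.Name)"
    }
}

# Report: an empty list means this PC passed every check the script can see.
if ($findings.Count -eq 0) {
    "All checks passed on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "FINDING ($env:COMPUTERNAME): $_" }
}
```

Items the script cannot see, such as POS certification, backups and background checks, still need to be verified by hand before signing the self-attestation.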
None of these recommendations is expensive, nor should any of them drive a Mom-and-Pop-sized shop out of business. Best of luck.