How to Make Sure Your Business is Up to Snuff with PCI Certification
Think PCI certification doesn’t apply to you because your business is small to mid-sized and processes only a few dozen credit card transactions a month? Unfortunately, you’d be wrong. PCI compliance applies to any organization or business that accepts, transmits or stores any type of sensitive cardholder data. The size of your business and your transaction volume don’t matter in the eyes of the PCI council; they’re just concerned that you’re committed to securing sensitive data.
Goals of PCI data security
Achieving and maintaining PCI certification is critical if you want to continue to accept credit card payments and grow as a successful, respected business. The many goals of PCI data security include:
- Building and maintaining a strong network
- Protecting sensitive cardholder data, including card numbers, full names, expiration dates and CVV codes
- Maintaining a vulnerability management program to ensure your business is protected on an ongoing basis
- Implementing strong access control measures so only those employees who absolutely need sensitive data to perform their job duties can access it
- Regularly monitoring and testing networks—and then making improvements as needed
- Maintaining an Information Security policy to make sure everyone at your company is on the same page when it comes to PCI compliance
3 simple steps to compliance
Broken down simply, there are three steps that your company should take to make sure you have achieved PCI certification. The three steps to become PCI compliant are:
- Assess. Start by determining the scope and breadth of sensitive cardholder data your company currently stores on its systems, and by building an inventory of the IT assets and business processes you use for card processing. Then analyze those systems and processes for vulnerabilities that fraudsters could use to gain unauthorized access. Completing the self-assessment questionnaire from the PCI Security Standards Council is a great way to understand how your business is currently handling and protecting sensitive data.
- Remediate. This is the step in which you actually fix your compliance issues. You will do so by fixing any system or process vulnerabilities that your assessment uncovers, as well as eliminating the storage of cardholder data unless absolutely necessary. This includes tightly restricting individual access to data to only those employees who have a documented need for access to complete their job functions.
- Report. Once you have corrected vulnerabilities and data storage problems you may have had, it’s time to send your PCI reporting to the appropriate acquiring banks and card brands. The required reports vary by bank and card network, so make sure to check with each institution to ensure you’ve got the correct reporting ready to go.
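The Assess step means finding out where card numbers actually sit, and the Remediate step means getting rid of them where they are not needed. The script below is an added example, not part of the original article or any PCI Council tool: it scans text (here a few constructed log lines) for candidate primary account numbers (PANs), keeps only sequences that pass the Luhn check, reports where they were found, and redacts them to the first six and last four digits so the assessment output itself does not become another copy of cardholder data. The card numbers in the sample are publicly documented test numbers, and the log format is invented for the example.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits (so timestamps and
# long order IDs are not picked up as partial matches).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log; 4111... and 5555... are public test card numbers,
# the 16-digit order ID is a deliberate non-Luhn decoy.
SAMPLE_LOG = """\
2024-05-01 10:02:11 INFO  order=1234567890123456 customer=alice amount=42.10
2024-05-01 10:02:12 DEBUG auth request card=4111 1111 1111 1111 exp=12/27
2024-05-01 10:03:40 DEBUG retry card=5555-5555-5555-4444 result=approved
2024-05-01 10:04:02 INFO  ticket=9876543210 status=closed
"""


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators the regex allowed, leaving only digits."""
    return re.sub(r"[ -]", "", candidate)


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid candidate PAN in the text, digits only."""
    return [
        _normalize(m.group(0))
        for m in _CANDIDATE.finditer(text)
        if _is_pan(_normalize(m.group(0)))
    ]


def scan_lines(text: str) -> List[Tuple[int, str]]:
    """Assessment report: (1-based line number, masked PAN) for each hit.

    The report never contains a full PAN, so it can be shared with the
    people doing remediation without widening the compliance scope.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((line_no, mask_pan(pan)))
    return hits


def redact(text: str) -> str:
    """Replace every PAN in the text with its masked form."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _normalize(m.group(0))
        return mask_pan(digits) if _is_pan(digits) else m.group(0)
    return _CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked}")
    print(redact(SAMPLE_LOG))
```

Running it reports possible PANs on lines 2 and 3 only: the 16-digit order ID on line 1 is a candidate by shape but fails the Luhn check, and the 10-digit ticket number is too short. The same `redact` function can be dropped in front of a logging handler so the debug line that leaked a card number stops doing so, which is usually the cheapest Remediate fix for log files.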
Your payment processing provider should be able to help you understand PCI compliance and make sure your business achieves and maintains certification. If you have serious PCI concerns, consider partnering with a PCI Council-approved Qualified Security Assessor (QSA). QSAs are certified in PCI compliance and data security, and will come to your site to ensure you have met the requirements. Here’s how a QSA can help:
- Be present on-site at your offices, locations or other facilities throughout the PCI assessment process, as needed
- Provide support and guidance throughout the compliance process
- Verify all technical information that you have provided
- Use their expertise to validate that you’ve met the PCI standards
- Adhere to the assessment procedures of the PCI Data Security Standards (DSS)
- Write and submit the final Report on Compliance for the acquiring banks and card brands
Check out the full list of PCI Council-approved QSA companies for help with securing assistance in your area.