A Small Business Guide to PCI Compliance

by Pam Baker

PCI compliance can seem overwhelming to small business merchants, but non-compliance puts your business at risk. This guide shows how to ease the process and get started on the path to compliance.

For many small business merchants, PCI compliance is a baffling and expensive exercise. As a result, many small businesses frequently put off dealing with the issue or push it aside entirely. But disregarding the issue is a terrible plan, because doing so can cost you dearly.

"Do not ignore PCI compliance," warns Robert Mangiafico, the CTO at LexiConn Internet Services, a website hosting provider. "The penalties are too severe to not maintain compliance. Think of it as your insurance policy for when a hacker steals credit card information from your system."

PCI Requirements

The PCI security standards are detailed on the official PCI Security Standards Council website. There is even a section set aside for small merchants.  The PCI Security Standards Council also provides a Quick Reference Guide and a list of links to the various card companies for specifics regarding compliance for each card brand, e.g. American Express, Discover, Visa and MasterCard.

However, PCI compliance requirements differ according to merchant level and card issuer. It is important to also check with your card brand's compliance program to make sure that you are meeting all the requirements

Credit cards and PCI compliance

Most merchants fall into the Level 4 merchant status. As defined by Visa, Level 4 ecommerce merchants process fewer than 20,000 Visa transactions annually. Level 4 brick-and-mortar and other physical-realm (none ecommerce) merchants are defined as those that process fewer than one million Visa transactions a year.

You will find the educational website PCI Compliance Guide a helpful resource as well. That website is powered by ControlScan, a provider of PCI compliance and security tools for small merchants and acquirers that service small merchants. ControlScan also did a survey in 2011 to discover why so many small businesses fail to comply with PCI standards. The researchers found an odd duality among Level 4 merchants.

Where Angels Fear to Tread

According to ControlScan's survey, A "Perfect Storm" of Complacency: The Third Annual Industry Survey of Level 4 Merchant PCI Compliance Trends, micro-merchants -- defined as those with 10 or fewer employees -- stubbornly continue to believe that PCI compliance will not protect their business.

The study also found continued ignorance of the Payment Card Industry Data Security Standard (PCI DSS). Of those micro-merchants surveyed, 48 percent reported they were either "unsure" of or "not at all familiar" with the Payment Card Industry Data Security Standard.

On the other hand, the study found that 77 percent of larger Level 4 merchants, meaning those that employ 51 or more employees, confirmed they are "very" or "somewhat" familiar with the PCI DSS, with 79 percent considering data security a high priority and 82 percent considering PCI compliance mandatory. Awareness of PCI compliance is also high among ecommerce merchants at 64 percent.

The mistake most small business merchants tend to make is they believe that they have less to lose if something goes afoul. That is untrue, of course, as most small merchants lack other protections -- ranging from business incorporation to cyber- and breach-insurance -- to lessen the blow. Therefore, the damages from non-compliance can, and often does, completely wipe out smaller merchants.

"As there are substantial costs associated with PCI compliance, small businesses typically lack the initial controls for compliance, and therefore their environments are much riskier than large organizations," explains Shawn Gaspar, an accounting software consultant at Accellis Technology Group.

"Many small businesses will assume they are too small for PCI compliance to matter to them. They pose the most risk and need to understand they are typically the ones who come under fire the most," Gaspar says.

That's not to say, however, that larger businesses are not hit hard by the aftereffects of a breach, because they are. Non-compliance leads only to varying degrees of disaster, but all degrees amount to an actual disaster in the end.

PCI Compliance Checklist

"Most of these owners are not aware that there is help available, and it is often close by," says Doug Klotnia, Trustwave executive vice president. "Small business owners should reach out to the company that processes their credit card transactions, often called acquirers or ISOs, and ask them how they can get secure, and thereby, become compliant with industry standards. These partners often have access to tools they can recommend that can help small businesses achieve and manage ongoing PCI compliance."

Keep in mind that you can shop for tools outside of those recommended by your financial institution or processor. Sometimes their recommendations are solely directed to their business partners where there may be financial benefit to their promoting the product to you.

"Contrary to what most banks and merchant account providers say, you can choose any PCI scanning vendor that is approved by the PCI council," says Lexiconn's CTO Robert Mangiafico. "You do not have to use the one the bank recommends. You may have to submit additional paperwork, but it can be done."

So, look around and get a good idea of what is available, which providers are reliable, and which are the most cost effective for your circumstances.

Mangiafico provides the following checklist and tips to help ensure that you have at least the basic points in PCI compliance covered:

  • Find a Web host that understands PCI and can help your website achieve compliance. The scan results and requirements can be daunting, so having a partner that knows how the system works and what needs to be done to pass a PCI scan is a crucial step.
  • If at all possible, do NOT store credit card numbers locally in your office or on your network. Doing so will bring your entire office network (and all PCs attached to it) into the scope of compliance. This can be a nightmare to wade through.
  • Unless you really need the credit card numbers, use an ecommerce system that allows you to NOT store the credit cards after they are charged in real-time. This will relieve you from having to answer a very detailed questionnaire and removes most of the ways hackers obtain credit card data.
  • Most small merchants fall into the level 4 merchant status. This means an annual self-assessed questionnaire (SAQ), a quarterly PCI scan of any public network that handles credit cards (normally your website), and a way to prove validation to your merchant account provider.

    Where the Highest PCI Compliance Costs Hide

    Gasper says that in his experience with getting clients compliant, most of the high cost of compliance is incurred when clients require the following items:

    Data Encryption: typically any small business or institution storing cardholder data (sometimes referred to as Personally Identifiable Information) must have hard disc encryption on all their PCs and servers. This includes desktops, laptops, servers and backup tapes.

    The idea behind data encryption is that if a hard drive is maliciously stolen or obtained, the thief has no way to access the data without the encryption key. Encryption, while easy to implement, can add up in cost as it will become a per-user license for software encryption.

    There are other risks associated with hard drive encryption; it requires proper documentation of the processes and encryption keys to prevent instances of not being able to un-encrypt company data in the event that data recovery becomes necessary.

    Physical Access Security: There are many nuances with securing data within a building that can add up, such as physical barriers of entry to secured data, which are sometimes out of the control of many small businesses. In some instances security cameras and door alarms are required to be installed at the facility storing the cardholder information. These can be costly items that are usually not covered by the lessors of the building.

    Vulnerability Scans and Network Penetration Tests: The costs of these services can add up quickly. Many vulnerability scanning companies offer package deals based on the size of the environment and frequency of the scans; be sure to ask the vendor for these types of discounts. Typically businesses that store cardholder data post authorization, or if the processing systems have an Internet connection, quarterly scans will be required by an approved third-party vendor.

    In addition to the items listed above, Gasper says that small businesses will need to invest significant effort to document all the policies and procedures, and to test the controls over the procedures.

     "Typically, we see small businesses hiring an individual to act as the compliance manager to stay on top of the tests of controls and newly identified compliance requirements and then report to the partners of the firm," says Gasper. "The compliance managers will also be the individuals responsible for documenting and communicating all the policies and procedures to the employees of the firm as well."

    PCI compliance; credit card payments

    DIY Versus Outsourcing PCI Compliance Duties

    It's quite natural for small businesses to think that hiring a contractor to ensure compliance is the easiest way to get it all done correctly, but that may not be so. However, taking it on as a do-it-yourself-project has its hazards, too.

     "PCI-DSS for SMBs has interesting implications that much larger organizations don't necessarily face," says Phil Walston, vice president of engineering and product management (and resident PCI-DSS expert) at Layer 7 Technologies, a provider of security and governance products.

    "A lot of small businesses will reach out to contractors for a larger portion of their compliance exercise, as finding a contractor who understands their business needs from previous clients will ensure faster completion and cut down costs," Walston continues. "But contracting out too much, or going to the wrong people, could drive costs out of control or expose them to unnecessary risk. The recently documented issues at Subway are a good case in point."

    In all likelihood, the best solution will be a mixed approach. But however you choose to address it, PCI compliance will be a never-ending exercise.

    "Certification activities should be considered an ongoing effort,' says Rob Bertke, senior vice president for payment solutions product management at Sage North America, the makers of business management software including Peachtree Accounting.

    "Requirements will change, and merchants must plan on being agile in handling compliance," Bertke continued. "Standards evolve quickly. Merchants must be prepared to seek out new findings and adapt, as required, to stay on top of regulations and ahead of fraud."

    Pam Baker has written for numerous leading publications including, Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.

    Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!
    This article was originally published on Thursday Mar 15th 2012
    Mobile Site | Full Site