For small businesses, Payment Card Industry Data Security Standard (more commonly referred to as PCI DSS) can seem confusing. But with the right information, that doesn’t have to be the case.
What does PCI DSS mean for small businesses?
PCI DSS is the international security standard introduced by the payment card industry. The biggest brands in this sector set the standard to assist businesses in avoiding credit card fraud while processing card payments from customers.
The standard applies for lots of credit card names, including Visa, Discover, MasterCard, JCB and American Express. The standard consists of a range of stringent guidelines covering the storage, processing and transmission of private data from cardholders.
Which businesses must be compliant with PCI DSS?
The standard affects all businesses that use credit card payments. If your small business ever uses, accepts, stores, processes or transmits credit cardholder data, then you must be compliant with this standard.
In order to do so, you must comply with specific requirements, including the following:
Build a secure network and maintain it
To do this, there should be a firewall configuration installed and maintained that protects cardholder data. Never use defaults for system passwords, instead set up distinct and strong passwords for everything. Ensure they are changed regularly.
Always protect data from cardholders
This is essential, and transmission of data across open networks should always be encrypted.
Set up and maintain a vulnerability management system
This includes anti-virus software, and regularly updating said software. You should also develop and maintain secure applications and overall system.
Utilise strong access control measures
Access to any cardholder data should be restricted internally. It should be on a business ‘need-to-know basis only. Every employee with access to the computer network should have a unique sign-in ID. All physical access to cardholder data should be suitably restricted.
Test and monitor computer networks on a regular basis
This involves monitoring all access to cardholder information and network resources. Security systems and all security processes should be tested regularly.
Create and maintain a policy covering information security
The policy should include information security for all employees.
These requirements are applicable to every merchant or business, whether large multinationals or small businesses. The volume of transactions handled is immaterial, which means the regulations apply even if you process very few credit card transactions. However, businesses that process higher numbers of transactions do face more stringent scrutiny in order to remain compliant.
What happens if your business doesn’t comply with PCI DSS?
For businesses that do not comply, possible consequences include a fine from your bank. Ultimately, they can completely prohibit your business from taking credit card payments if they deem you non-compliant.
If there is a data breach, your business will be subject to investigation. This will determine your level of compliance. When this has been decided, penalties may be imposed on your business by credit card companies.
Non-compliance penalties vary. You could be hit with a fine ranging from £3,000 to £60,000. You may face litigation, loss of company reputation, loss of business, and you may have your ability to take credit card payments revoked.
How is compliance validated?
There are different levels of compliance for different levels of transactions. You can get validated by inviting a Qualified Security Assessor (QSA) to conduct an audit. Or, you can complete a self-assessment form online.
The levels are as follows:
- Level 1: more than six million card transactions are processed per year.
- Level 2: between one and six million card transactions per year.
- Level 3: Between 20,000 to one million transactions per year.
- Level 4: Fewer than 20,000 transactions per year.
The standard is maintained by the PCI Security Standards Council, which is backed by the five major credit card companies.
James Turner, Managing Director of Turner Little Limited says: “As you can see, there are many reasons why non-compliance with PCI DSS is not worth the risk. There are many benefits to complying with the standard too, including the protection not only of your business, but also your customers.
“By maintaining procedures to ensure compliance, your business will continue to run securely. You will also be better placed to withstand any data breaches or cyber-attacks on the data your business holds. Being linked with highly valued and trusted names, such as MasterCard and Visa, will boost your credibility with customers too.
“Data breaches can cost businesses dearly, and small businesses are more at risk. As their resources and cashflow are limited, a significant data breach could mean the businesses is forced to fold. PCI DSS is also part of General Data Protection Legislation (GDPR). You can read about this in our blog.”
About Turner Little
Founded in 1998 in Yorkshire, UK, Turner Little is a specialist UK and offshore company formation, banking and corporate services provider. Our services include company formation, UK and offshore banking, asset protection, credit correction, trademarking and trusts. Other services include Internet services, mail forwarding, wills and probate. Turner Little’s vision is to offer the best possible service, together with market leading products.