Small and midsize business owners have very little time to educate themselves about information security, and for the few who do, understanding the requirements of the Payment Card Industry Data Security Standard (PCI DSS) can be daunting. Most simply assume that because their business is small, industry rules like PCI DSS do not apply to them.
From the perspective of PCI, however, the size of your business is irrelevant. If your business accepts credit or debit cards as payment for goods or services, online or offline, the business will always have some PCI scope. The amount of scope varies, but the smallest scope achievable is still complying with the requirements listed in the applicable Self-Assessment Questionnaire (SAQ). Some technology vendors may advertise otherwise, but there is no product or service that will entirely remove your business from PCI compliance scope.
However, there are many things business owners can do to limit the scope of PCI DSS on their business.
Do not store card holder data
There is no valid reason that any business — regardless of size — needs to keep card holder data (CHD). Even if your business does recurring transactions, many payment processors have solutions for that scenario and many others. Talk to your payment processor to find out what solutions they offer that reduce your business's PCI scope. If your payment processor only offers solutions that store card holder data or sensitive authentication data (SAD), I recommend finding a new payment processor.
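One practical way to verify the "do not store card holder data" rule is to scan your own databases, exports and logs for anything that looks like a primary account number (PAN). The following is an added example, not code from the original article: it finds digit runs of card-number length, confirms them with the Luhn check that real PANs satisfy, and reports only a masked first-six/last-four form so the scan itself does not copy full PANs anywhere. The sample records are constructed, and the card numbers in them are the well-known public test numbers.

```python
import re

# Constructed sample records resembling rows from a small merchant's order
# database or application log. Only two of them contain a real-looking PAN;
# the others hold a token, last-four digits, a phone number and an invoice id.
SAMPLE_RECORDS = [
    "order=1001 customer=alice token=tok_7f3a9c21 last4=4242",
    "order=1002 customer=bob pan=4111111111111111 exp=12/27",
    "order=1003 note=called 555-0100 re refund",
    "order=1004 card 5555-5555-5555-4444 cvv=123",
    "order=1005 invoice=1234567890123",
]

# A run of 13-19 digits, optionally separated by spaces or dashes, that is
# not part of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that every valid PAN passes; filters out most false hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the digit-only PAN candidates in text that pass the Luhn check."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the form PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records: list[str]) -> list[tuple[str, str]]:
    """Return (record id, masked PAN) for every record holding a likely PAN."""
    findings = []
    for record in records:
        record_id = record.split()[0]
        for pan in find_pans(record):
            findings.append((record_id, mask_pan(pan)))
    return findings
```

Any finding means card holder data is being stored and the record, and the process that wrote it, need to be fixed; the phone number and invoice id in the sample are correctly ignored because they fail the length or Luhn test.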
What should you look for in PCI DSS payment solutions?
You need to ask the right questions of your payment solution vendor. Does their solution support end-to-end encryption (E2EE) from the card terminal, also known as the point of interaction (POI), to the transaction processor to reduce the risk that credit card information is intercepted? Does their solution offer tokenization of card holder information to eliminate your need to store or transmit credit card information?
Whatever solution you choose, make sure that it encrypts the CHD and SAD immediately when the card is read, and that none of your business's technology can decrypt, and therefore read, that information before it reaches the payment processor's systems.
If your organization does e-commerce, then you want to offload credit card transactions to a PCI DSS compliant third-party payment vendor. The payment page should be produced and managed by that third party, not by your business. This removes your e-commerce site from scope so you do not need external and internal vulnerability scans and penetration tests. However, you still need to follow security best practices to ensure the security of your e-commerce servers.
PCI DSS compliance can be simple for a small or midsize business to achieve with a few steps:
- Do not store card holder data.
- Ask the right questions and work with your payment solution vendor.