The Quick Guide to PCI DSS Compliance for Small Merchants (Level 4)
A large majority of companies in the U.S. are small and medium-sized businesses (SMBs). Most SMBs handle fewer than 20,000 eCommerce transactions and no more than about 1,000,000 card transactions in total per year (many far less), which makes them Level 4 merchants in the PCI world.
For those of you who have read my article on merchant risk levels, you’ll know that Level 4 is the lowest tier, so it requires the least amount of work to validate compliance. It’s also the tier hackers hit most often….go figure.
In this guide, I’m going to walk you through what you need to do to become compliant and the basics of small merchant PCI compliance. I tried to keep it as short as possible, but I’m not sure I succeeded. 🙂
For Retail (Card-Present) Merchants
Scan Your System
Most credit card processors require proof that you’ve had your systems scanned for vulnerabilities; otherwise they’ll charge you a monthly PCI non-compliance fee. The scan they mean is the quarterly external vulnerability scan run by a PCI SSC Approved Scanning Vendor (ASV) against the public IP addresses involved in your card processing. Whether your setup actually needs one depends on which SAQ applies to you (more on that below): a standalone dial-out terminal or a fully outsourced payment page doesn’t, while IP-connected terminals, a POS network, or a site that handles any part of the payment form does. So, make sure you comply with all the other steps below, then get scanned when you’re ready for it. I’ve partnered with Trust Guard, so I’m obviously going to recommend that you get your system scanned by them, but it’s your call. There are plenty of other companies out there that offer scanning services. From what I’ve seen, Trust Guard is pretty legit though.
Take the Self-Assessment Questionnaire (SAQ)
I touch on the SAQ in my other PCI article, but as a brief overview, the self-assessment questionnaire is the yearly checklist that spells out which requirements apply to you, and you sign an Attestation of Compliance along with it. There are several versions, chosen by how you accept cards: for example, SAQ B for a standalone terminal on a phone line, SAQ A for an eCommerce site that hands the whole payment page to a provider, and SAQ D for just about everything else, so pick the right one before you start. The SAQ will probably reiterate everything that I’m telling you now, but that doesn’t mean that you can skip it. Much like the system scan, most processors require that you take the questionnaire, or else they’ll assess a non-compliance fee.
Now, follow these steps:
1. Use only PCI-approved PIN transaction security (PTS) devices (i.e. PIN pads).
By “device” I mean PIN pads and credit card terminals. Visit this link (the PCI SSC’s list of approved PTS devices) to see if your current model is on it, and note that each approval has an expiry date. If it’s not listed, it’s time to upgrade.
2. Use only PCI-validated POS (Point-of-Sale) & payment gateway software.
Visit this link (the PCI SSC’s list of validated payment applications) to see if your current software, including the specific version you run, is validated. If not, it’s definitely time to upgrade. Here’s a good place to find POS hardware/software, and all of my top-rated credit card processors offer payment gateways that are PCI compliant.
3. Don’t store any sensitive cardholder data.
As a small business, it’s easy to forget about stuff like this. I remember writing down credit card info on a notepad for later reference, without realizing how big of a security risk that actually was. So, whether on paper or your hard drive, don’t store any cardholder data. The security code (CVV2), the full magnetic stripe contents and PIN data may never be kept after the sale goes through, not even encrypted, and the card number itself should only ever exist inside your approved terminal or gateway. If you’re worried that your credit card terminal or PIN pad is storing card data, PCI-approved equipment is built not to retain full card data after authorization (or to encrypt it), but that only holds when it’s set up the way the vendor’s PCI implementation guide says. So, if your equipment is PCI compliant and installed per the guide, with receipts printing only the last four digits and any debug logging switched off, you need not worry.
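Knowing you shouldn’t keep card numbers is one thing; finding the ones that already crept into a notes file or an exported spreadsheet is another. Here’s an added example (mine, not code from the original post or from Trust Guard) of the standard way to go looking for them: a regex for 13 to 19 digit runs, a Luhn check to throw out phone numbers, order numbers and device serials, and masking so the report itself doesn’t become another copy of the data. The sample notes are constructed, with the card brands’ published test numbers standing in for real cards.

```python
"""Cardholder-data discovery for a small merchant: find card numbers (PANs)
that have leaked into notes, exported spreadsheets, log files and the like.
Added example; the sample notes below are constructed."""
import os
import re

# A candidate PAN is 13 to 19 digits, optionally separated by spaces or
# dashes, and not embedded in a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test. Real PANs pass it; most phone numbers, order
    numbers and device serials do not, so it cuts false positives sharply."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style masking: show at most the first six and last four digits.
    This is also how a merchant-copy receipt should print a card number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid candidate."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, mask_pan(digits)))
    return hits


def scan_directory(root: str, extensions=(".txt", ".csv", ".log", ".md")) -> dict[str, list]:
    """Walk a folder and report which text files contain card numbers. Files
    are read with undecodable bytes ignored, so odd encodings don't abort the scan."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = find_pans(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample of the kind of file a small shop might have lying around.
# 4111... and 3782... are the published Visa and Amex test numbers.
SAMPLE_NOTES = """\
Customer callback list
Jane Doe - phone 555-867-5309 - order 100234567
Mike Smith paid with 4111 1111 1111 1111 exp 09/27, charge $42.10 later
Amex on file: 3782-822463-10005
PIN pad serial number: 1234567890123456
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_NOTES):
        print(f"line {line_no}: {masked}")     # line 3: 411111******1111, line 4: 378282*****0005
```

Run `scan_directory` over the folder where staff keep notes, exports and receipts; the PIN pad serial in the sample is 16 digits but fails the Luhn check, which is exactly why the check is there. Anything the scan turns up should be deleted or shredded, not just masked in the report.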
4. Use a firewall on your network and PCs.
This one’s pretty easy. Most operating systems come with some sort of security package which includes a firewall. Turn it on, set it to block every inbound connection you don’t specifically need, check regularly that it’s still running, and update it when needed. The point of the requirement is to keep the PCs and terminals that touch card data separated from the rest of the world, so don’t put the POS machine on the same network as the customer Wi-Fi. If you don’t have a firewall, Norton is pretty good.
5. Make sure your wireless router is password-protected and uses encryption.
Another easy one. Your router’s instructions will walk you through the process of password protecting and encrypting the router. Pick WPA2 (or WPA3) with a long passphrase; WEP is broken and PCI DSS has prohibited it outright since 2010. While you’re in the settings, change the router’s admin password and default network name as well.
6. Use strong passwords, and be sure to change default passwords.
This is a no-brainer. I use a password generator in order to make me some quick and secure passwords. Never use the default password for any hardware or software.
7. Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
These are two different checks. For rogue software on the PCs, this is where a system scan comes in handy. Your average Joe doesn’t really know how to check for this kind of stuff, so by using a company like Trust Guard, you can just rely on their expertise. A network scan won’t find a skimmer, though; that takes a physical look. Keep a list of every terminal’s make, model, serial number and location, have someone periodically compare the serial number and any tamper seals against that list, look for overlays on the keypad or card slot and for anything plugged into the device that wasn’t there before, and treat a “technician” who shows up unannounced to service the terminal as a red flag.
8. Teach your employees about security and protecting cardholder data.
Don’t get lazy on this one. I have a few articles in my PCI Compliance category, so you can refer your employees to them. You also have plenty of resources at your fingertips so don’t forget to use your favorite search engine.
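To make step 7’s physical check concrete, here is an added example (mine, not from the original post) of the bookkeeping side of a skimmer inspection: an inventory of terminals with serial numbers and seal numbers, and a reconciliation of what an employee actually observed on the walk-through against it. The devices, serials and dates are made up, and the 30-day inspection interval is an assumed policy value.

```python
"""Terminal inventory and tamper check. Added example: reconcile what staff
actually see on the counter against a maintained inventory of PIN pads and
terminals. All devices, serials and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# How often each device should get a hands-on look; assumed policy value.
INSPECTION_INTERVAL = timedelta(days=30)
TODAY = date(2024, 3, 15)   # date of the walk-through in this example


@dataclass(frozen=True)
class Device:
    location: str
    make_model: str
    serial: str          # printed on the label and usually shown in the device menu
    seal_id: str         # number on the tamper-evident seal over the case seam
    last_inspected: date


# Constructed inventory; in practice this lives in a spreadsheet or the POS system.
INVENTORY = [
    Device("Register 1", "ACME PP-100", "SN-1001", "SEAL-4410", date(2024, 3, 1)),
    Device("Register 2", "ACME PP-100", "SN-1002", "SEAL-4411", date(2024, 1, 5)),
    Device("Back office", "ACME CT-200", "SN-2001", "SEAL-5001", date(2024, 3, 1)),
]

# What an employee wrote down today: location -> (serial seen, seal seen).
OBSERVED = {
    "Register 1": ("SN-1001", "SEAL-4410"),
    "Register 2": ("SN-1009", "SEAL-4411"),   # serial differs: a swapped device?
    "Register 3": ("SN-3001", "SEAL-9000"),   # nobody ordered a third register
}


def check_devices(inventory, observed, today):
    """Return (location, finding) pairs. Anything returned needs a human to look;
    a serial or seal mismatch, or an unknown device, is a possible skimmer."""
    findings = []
    known = {d.location for d in inventory}
    for d in inventory:
        obs = observed.get(d.location)
        if obs is None:
            findings.append((d.location, f"missing: {d.make_model} {d.serial} not found"))
        else:
            serial, seal = obs
            if serial != d.serial:
                findings.append((d.location, f"serial mismatch: inventory {d.serial}, found {serial}"))
            if seal != d.seal_id:
                findings.append((d.location, f"seal mismatch: inventory {d.seal_id}, found {seal}"))
        if today - d.last_inspected > INSPECTION_INTERVAL:
            findings.append((d.location, f"inspection overdue since {d.last_inspected + INSPECTION_INTERVAL}"))
    for loc in sorted(observed):
        if loc not in known:
            findings.append((loc, f"unknown device {observed[loc][0]}: not in inventory"))
    return findings


if __name__ == "__main__":
    for location, finding in check_devices(INVENTORY, OBSERVED, TODAY):
        print(f"{location}: {finding}")
```

The walk-through itself is the important part: whoever fills in `OBSERVED` should read the serial off the device, check the seal is intact and the number matches, and look at the card slot and keypad. The script only makes sure the comparison against the inventory actually happens and that overdue devices get flagged.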
For eCommerce (Card-Not-Present) Merchants
Follow every step in the list above (except for #1: you obviously won’t have a PIN pad or credit card terminal if you’re strictly eCommerce), plus the following:
Get an SSL Certificate
An SSL certificate lets your web server set up an encrypted (HTTPS) connection, so any sensitive data sent through your website is protected in transit, and it lets the browser confirm it’s really talking to your site. An obvious place that you would use it is the payment page during checkout, but it’s simplest to serve the whole site over HTTPS. One caveat: the certificate alone isn’t enough. PCI DSS no longer accepts SSL itself or early TLS (1.0) as strong cryptography, so your server has to be configured for TLS 1.2 or later, and the ASV scan will flag it if it isn’t. There are a ton of SSL vendors out there, but if you’re going to get your system scan at Trust Guard, then you might as well pick up your SSL with them as well. 😉
One thing that I’d like to point out is that there are a few payment gateways out there that can alleviate your PCI requirements almost completely. The way it works is that they offer a hosted payment page: the shopper is redirected to the service provider’s own servers to enter their card details, so the entire transaction is conducted there, not on yours. Your own network never handles the card number, which shrinks your paperwork to the shortest questionnaire (SAQ A) instead of the full one. You still have to keep the site that does the redirecting secure, though, since anyone who can tamper with it can send your shoppers somewhere else. Take a look at the CDGcommerce instant PCI page to see what I mean. They do a better job of explaining it than me.
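Here’s what that hosted-page setup looks like from the merchant’s side, as an added example (mine, not code from the original post or from CDGcommerce). The provider, its URL, the field names and the HMAC signing scheme are hypothetical stand-ins for whatever your gateway’s documentation specifies, and the “provider” function is a constructed simulation so the whole thing runs offline. The thing to notice is what the merchant code never touches: a card number.

```python
"""Hosted payment page, end to end. Added example with a hypothetical provider:
the merchant signs an order and sends the shopper away, the shopper enters the
card on the provider's page, and the merchant later verifies a signed result."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Issued by the provider in its merchant portal; assumed value, and in real life
# it belongs in a config store, not in source.
SHARED_SECRET = b"merchant-shared-secret-from-provider-portal"
HOSTED_PAGE = "https://pay.example-provider.invalid/checkout"   # hypothetical provider URL


def sign(fields: dict, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the fields in a canonical (sorted, URL-encoded) form."""
    canonical = urlencode(sorted(fields.items())).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()


def build_redirect(order_id: str, amount_cents: int, currency: str, return_url: str, now=None) -> str:
    """URL the merchant site sends the shopper to. Note what is NOT in it: card data."""
    fields = {
        "order_id": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
        "ts": str(int(time.time()) if now is None else now),   # lets the provider reject stale links
    }
    fields["sig"] = sign(fields)
    return HOSTED_PAGE + "?" + urlencode(fields)


def verify_callback(query: str, expected_order_id: str, expected_amount_cents: int) -> tuple[bool, str]:
    """Check the result the provider sends back to return_url. The signature is
    checked first, with a constant-time compare; then the merchant confirms the
    result is for the order and amount it actually asked for, so a shopper
    can't reuse an approval for a cheaper order or edit the amount in the URL."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    sig = params.pop("sig", None)
    if sig is None:
        return False, "no signature"
    if not hmac.compare_digest(sig, sign(params)):
        return False, "bad signature"
    if params.get("order_id") != expected_order_id:
        return False, "order mismatch"
    if params.get("amount") != str(expected_amount_cents):
        return False, "amount mismatch"
    if params.get("status") != "approved":
        return False, "not approved"
    return True, "ok"


def simulate_provider(redirect_url: str, status: str = "approved") -> str:
    """Constructed stand-in for the provider. This is where the shopper would
    type the card number; the merchant never sees that step. It validates the
    merchant's signature, then returns the signed result as a query string."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}
    if not hmac.compare_digest(params.pop("sig"), sign(params)):
        raise ValueError("provider rejected order: bad merchant signature")
    result = {"order_id": params["order_id"], "amount": params["amount"],
              "status": status, "auth_code": "123456"}
    result["sig"] = sign(result)
    return urlencode(result)


if __name__ == "__main__":
    url = build_redirect("ORD-1001", 4210, "USD", "https://shop.example/return", now=1700000000)
    print("shopper is sent to:", url)
    callback = simulate_provider(url)
    print("provider returns:", callback)
    print(verify_callback(callback, "ORD-1001", 4210))                                        # (True, 'ok')
    print(verify_callback(callback.replace("amount=4210", "amount=1"), "ORD-1001", 4210))     # (False, 'bad signature')
```

Two things a real integration adds on top of this: the provider checks `ts` so an old redirect link can’t be replayed, and the merchant records which order IDs it has already marked paid so a captured approval can’t be delivered twice. Either way the card number lives only on the provider’s page, which is the whole reason this route gets you the short questionnaire.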
You can also visit the Small Merchants page on the PCI Security Standards Council website for more info on PCI compliance for small business.