7 PCI Compliance Tips for Small Businesses
Learn some easy solutions to your security problems.
By: Zach Walker
Director of Technical Support
When it comes to PCI compliance, small businesses have their own unique struggles with securing their data. While smaller businesses have less card data to process and store than large businesses, they have fewer resources and smaller budgets for security.
SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant
Many businesses also have difficulty implementing PCI requirements in a way that actually protects their data. Instead, they treat PCI as a checklist and do the minimum, without connecting the requirements to the security of their data.
These businesses also don’t fully use the standards and practices in the PCI DSS to improve and secure their environment. They’re more concerned with becoming PCI compliant than with becoming secure.
Here are 7 tips for small businesses to get PCI compliant and properly secure their data.
1. Create policies and procedures
Smaller businesses are often less likely to consistently follow established policies and procedures. Since they only have a handful of systems and few personnel with administrative access, they see following set policies as a waste of time.
However, written policies and procedures are what make security controls repeatable and auditable instead of dependent on one person remembering to do them. They also give you something concrete to check your employees’ work against.
- Document all your policies and have them accessible to your employees
- Scope out your environment and document what part of your environment needs to be secure
- Make sure your employees are all trained on these policies
2. Update documentation
Many small businesses view change control and documented hardening standards as busywork. As a result, they rarely document their security controls, if they’re following them at all.
One way to simplify documentation for compliance is to set up a dedicated PCI email user or Active Directory account and add calendar reminders so that required security processes aren’t forgotten. Evidence collected from completing PCI compliance tasks (scan reports, patch records, review sign-offs) can then be stored in this account.
This is a low/no-cost solution to help your employees keep PCI compliance on their minds throughout the year and provide you with all the evidence you need for assessments.
- Document all changes to your security environment
- Set up a regular schedule for documentation
3. Train yourself and your employees
A big problem many small businesses have with PCI compliance is that they don’t know much about security. Many business owners think they don’t need to worry about it; they do.
You’ll need to train yourself and your employees on your policies and make sure they understand what PCI compliance requires of them.
Employees need to be aware of their surroundings: many incidents happen because someone wasn’t paying attention. 77% of employees leave their computers unattended. Locking your screen whenever you step away is a free, immediate improvement.
- Set up quarterly, if not monthly training meetings for employees
- Train employees to be aware of their surroundings and to follow procedures
- Test your employees by hiring an ethical social engineer
4. Keep your systems up to date
There’s a reason vendors release updates and patches for security vulnerabilities. This applies not just to your computers but to the applications on them, your network hardware and firewalls, and any mobile devices you use. Every system and device on your network needs to be kept updated.
SEE ALSO: PCI Requirement 6: Updating Your Systems
- Subscribe to your vendors’ patch/upgrade notification lists to stay current on the latest security patches
- Establish a schedule for security patching on a regular basis
- Run vulnerability scans to find security holes before an attacker does (the PCI DSS requires quarterly internal and external scans, the external ones performed by an Approved Scanning Vendor)
5. Change passwords regularly
This is a very simple change that costs nothing, and yet it is very helpful in keeping your data secure. Most attackers choose the easiest path to card data. If your network or systems have easy-to-guess or default passwords, you’re practically opening your business doors to them.
Set up password rules for your employees and enforce them. PCI DSS v3.x requires passwords to be changed at least every 90 days and to be at least seven characters long, containing both alphabetic and numeric characters. PCI DSS v4.0 raises the minimum length to 12 characters, so check which version your assessment is against.
- Make sure employees have unique passwords and usernames
- Implement a policy where employees change their passwords regularly
- Change all default passwords and usernames on your network and systems
6. Only store card data that’s necessary
Did you know that 61% of users have unencrypted card data on their systems? You should never store unencrypted credit card data anywhere in your environment.
A good way to simplify your PCI compliance is to limit how much card data you store. The less data you store, the less time and resources you have to devote to securing it, and the less there is for an attacker to steal.
SEE ALSO: PCI DSS Requirement 3: What You Need to be Compliant
- Scope out your environment to find any unencrypted card data, including in logs, spreadsheets, email and backups
- Use a PCI-validated point-to-point encryption (P2PE) solution so card data is encrypted at the payment terminal and is never readable on your systems
- Consider using tokenization so your systems store a token instead of the card number and never need to handle card data
7. Get help from an expert!
If you have a PCI program with a provider, like SecurityMetrics, use their support. Talk to somebody about compliance and get help where you’re struggling. In most cases, that’s a free call. Take advantage of your provider’s support team, since they can help you with any questions you have about PCI.
If you don’t have a PCI program, there are a number of resources from the PCI Council, and other experts that can help you figure out what your business needs to do to become PCI compliant.
- If you have a QSA, get help from them year-round, not just at assessment time
- Look up security blogs and articles for tips on best security practices
Remember, getting PCI compliant and securing your data is worth the trouble, and it can save your business in the long run.
Zach Walker is the Director of Technical Support at SecurityMetrics and has been with the company for over 6 years. He has worked in the IT/security field for over 10 years, and has A+, Network+, Security+, CISSP, and ASV certifications. He is currently pursuing a bachelor’s degree in IT Security.