Small businesses regularly use a range of point-of-sale (POS) systems, yet not all understand the responsibilities that come with accepting credit card payments. Whenever there is a transaction, a customer's card data is captured, transmitted, and often stored by the merchant, and that data has to be protected at every step of the payment process. That's where PCI, or Payment Card Industry, compliance comes in.
What is PCI compliance?
To ensure that every company accepting credit card payments maintains a secure environment, American Express, Discover, JCB International, Mastercard, and Visa joined together to establish the Payment Card Industry Security Standards Council (PCI SSC) in 2006. The SSC is an independent body that develops and maintains the PCI Data Security Standard (PCI DSS), a set of requirements designed to protect the entire payment ecosystem.
PCI compliance applies to businesses of all sizes, from international corporations to small local stores. Though the Security Standards Council writes the requirements every business must follow, it does not enforce them. Enforcement comes from the card brands (American Express, Visa, and so on) through the bank that processes your card payments, and it is the responsibility of every business owner to meet the requirements of the DSS as well as the compliance program of each card brand they accept. The consequences of non-compliance range from fines to losing your merchant accounts entirely. On top of that, an unprotected payment environment leaves your business open to data breaches, endangering both your customers and your business.
What are the requirements of PCI compliance?
There are 12 requirements in the Data Security Standard, grouped under 6 objectives (as listed in PCI DSS v3.2.1, the version covered by the 2018 Reference Guide cited below):

Build and Maintain a Secure Network and Systems
- 1. Install and maintain a firewall configuration to protect cardholder data
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
- 3. Protect stored cardholder data
- 4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
- 5. Protect all systems against malware and regularly update anti-virus software or programs
- 6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need to know
- 8. Identify and authenticate access to system components
- 9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
- 10. Track and monitor all access to network resources and cardholder data
- 11. Regularly test security systems and processes

Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security for all personnel
Does the size of your business matter when becoming PCI compliant?
Yes. The 12 requirements are universal, but how you have to prove compliance varies with your transaction volume. Each card brand defines its own merchant levels; Visa's range from Level 4 (fewer than 20,000 e-commerce transactions per year, and under 1 million transactions in total) up to Level 1 (more than 6 million transactions per year). Smaller merchants typically complete an annual Self-Assessment Questionnaire (SAQ) and, where the payment setup calls for it, quarterly external vulnerability scans by an Approved Scanning Vendor; Level 1 merchants need an annual on-site assessment by a Qualified Security Assessor in addition to the quarterly scans.
Why is PCI compliance important?
PCI compliance matters because businesses of all sizes have become increasingly attractive targets in the digital age. Criminals try every avenue available, from malware to phishing, to reach the most sensitive information held by your business and your customers. According to the SSC, merchant vulnerabilities exist in the following areas:
- Point-of-sale (POS) devices
- Transmission of cardholder data to service providers
- Mobile devices, personal computers, and servers
- Wireless hotspots
- Remote access connections
- Web shopping apps
3 tips for PCI compliance success
PCI compliance may sound serious and complex, but at its core it's a set of security practices that keep you and your customers safe. A few of those practices do most of the work of securing a small-business payment environment and map directly onto DSS requirements.
- Update your system
This is the easiest thing you can do with the biggest impact. First, make sure your operating system (OS) and POS software are current. If you haven't already done so, set your system to auto-update: security patches should be installed as soon as a new version is released, not as part of a quarterly or monthly manual update (PCI DSS Requirement 6.2 expects critical security patches within one month of release). One of the many benefits of using Meraki Go for your business WiFi is that you receive automatic firmware and security updates for complete peace of mind.
Software needs regular updates, but hardware sometimes needs replacing too. Make sure you're using current equipment for your POS system, including EMV chip readers and near field communication (NFC) technology for contactless payments, and retire terminals that no longer receive security updates from their manufacturer.
And easiest of all? Change the default passwords on your hardware. A lot of equipment ships with user names like "admin" and passwords like "password", and attackers try those first; PCI DSS Requirement 2 prohibits using vendor-supplied defaults at all. Give every device its own long passphrase that mixes letters, numbers, and symbols, and disable or rename any default accounts you do not need.

- Control data acquisition and access

Store only the data you need. If your POS provider handles the card number end to end, do not keep copies of it in spreadsheets, e-mails, or receipts, and never store the card verification code or full magnetic-stripe data after a transaction has been authorized (Requirement 3.2). For whatever cardholder data you do keep, the DSS requires access on a "need to know" basis (Requirement 7) and a record of who accessed it and when (Requirement 10). To make that possible, every employee who truly needs access gets their own login rather than a shared account (Requirement 8). Unique logins also limit the damage from outside threats: a single stolen password exposes one account, not the whole system.

- Segment your network

Your WiFi should let you create separate networks for each part of your business. Put your POS system on a network of its own, separated from e-mail, back-office systems, and other non-payment activities, and give your customers their own guest network. Separate WiFi names alone are not segmentation: the router/firewall must block traffic between the guest and office networks and the POS network, so that a compromised laptop or a visitor's phone cannot reach the payment devices. Segmentation is not itself a DSS requirement, but it shrinks the part of your network that has to meet the requirements and be assessed. Visit our blog on Guest WiFi to understand its value and importance. Meraki Go's router/firewall and access points, both indoor and outdoor, all give you the ability to create multiple networks for your business.
Visit the Meraki Go site to learn more about our intuitive and innovative solutions that support small businesses.
SOURCES:
Nerd Wallet
PCIComplianceGuide.org
PCISecurityStandards.org
PCI Security Standards Council (2018 PCI DSS Reference Guide, their most recent)
University of Kentucky