By Cathy A. Garland
As a business owner, there are always competing efforts for your resource focus and dollars. It can be difficult to know what needs prioritization.
In 2010, the PCI Data Standards Council released the first draft of a document on securing consumer payment information. It set a 36-month cycle during which merchants accepting credit cards would have the opportunity to comply with the published security standards. The Council’s website is at https://www.pcisecuritystandards.org/index.php.
PCI stands for Payment Card Industry; the council is made up of the credit card companies MasterCard, Visa, Discover Financial Services, JCB International, and American Express. The standard calls for eliminating or limiting the storage of payment card sensitive authentication data, including the CVV, the three-digit code on the back of the card.
The standards are based on security best practices that have been around for years, updated as technology has evolved. On the surface, PCI compliance requirements can be intimidating if you don’t have a large tech support team and a sizable bankroll. There are, however, ways to ensure your environment is compliant without breaking the bank.
KEEP YOUR ENVIRONMENT SIMPLE – the simpler the environment, the easier the Compliance Standards are to meet.
- Purchase authorized PIN and Credit Card devices from your bank. Ensure they are PCI Compliant. This information is available at the PCI-DSS website, https://www.pcisecuritystandards.org/.
- Don’t store customer data in your environment. This doesn’t mean don’t have a marketing mailing list. This means don’t include any customer financial data.
- Use commercial products for your POS system that are certified PCI Compliant.
- Trust your employees, but verify. Do background checks to ensure you’re not hiring an individual who shouldn’t be trusted with someone else’s personal information.
- Only allow access to customer data to those employees who have a definite business need.
- Purchase and maintain antivirus and anti-malware software for all PCs (and servers) in the environment.
- Use Windows Update and apply security fixes. Do the same for other operating systems; they get hacked too.
- Don’t browse social media sites on your work PC. (Some may consider this overkill, but if you simply don’t allow it in the first place, you don’t have to worry about a Trojan getting past your virus protection.)
- Use individual logons for all employees. This creates an audit trail that makes troubleshooting potential misuse much easier.
- Find vendors who will partner with you, regardless of your small size, to help you maintain your environment. Ensure THEY are security-minded and compliant.
- Write some basic policies and procedures and have employees sign off that they have read and understood them. (Core policies and procedures are available that you can tailor to your environment.)
- Turn on Windows Firewall.
- Purchase a warranty on your hardware. (This goes to recovering from a disaster and environment stability).
- Back up your data. You can purchase an external hard drive from many vendors for under $200 in a lot of cases. Windows has a built-in backup program. You don’t have to purchase additional software.
- Follow basic security rules published by vendors such as Microsoft. They have security baseline documentation that will guide you into creating a more secure environment.
- Fill out your self-attestation paperwork and provide it to your merchant bank.
None of these recommendations are expensive nor should they drive any Mom-and-Pop-sized shop out of business. Best of luck.