8 Steps to Get PCI Compliance for Small Business
Vimal Mohan
Oct 09, 2024
The Payment Card Industry Data Security Standards (PCI DSS) is a compliance framework that sets guidelines for any organization processing card transactions to ensure the protection of sensitive cardholder information.
However, with four distinct levels of PCI DSS and the need to interpret and map requirements to specific controls, achieving compliance can be an intensive and complex task.
This article on PCI compliance for small businesses explains the action plan and requirements for small businesses to get PCI-DSS compliant.
It deciphers the PCI-DSS compliance journey for a small business, discusses the average cost of PCI compliance for small businesses, and helps you chalk out your path to being PCI DSS compliant.
Introduction to PCI compliance for small businesses
PCI-DSS (Payment Card Industry Data Security Standards) applies to any business that collects or processes card transactions—these organizations need to implement directives and controls suggested by the PCI-DSS framework to safeguard the cardholder’s data, even if a business processes only one card transaction a year.
However, there are different levels of PCI-DSS compliance depending on the volume of card transactions.
Typically, small businesses process either less than 20,000 transactions a year, or 20,000 to 1 million transactions annually.
Thus, a small business would need to be compliant only with level 4 or 3 of PCI-DSS. Non-compliance can result in substantial financial penalties, ranging from $5,000 to $100,000.
PCI compliance for small businesses
If an organization processes even one electronic transaction annually, it is required to comply with the PCI DSS compliance guidelines.
Small businesses and early-stage startups, therefore, must become and remain PCI compliant to avoid PCI compliance fines for small businesses.
Small businesses often run with the mentality that since they are too small, they don’t need to be PCI compliant. Unfortunately, this could not be farther from the truth.
A study in 2019 conducted by Verizon found that over 43% of cyber attacks targeted small businesses, out of which only 14% were able to defend against the attacks successfully.
Now, more than ever, small businesses and startups should focus on PCI compliance requirements for small businesses and deploy the requirements and controls listed in the PCI framework.
What are PCI requirements for small businesses?
To become PCI DSS compliant, every organization, even a small business, is required to implement the 12 PCI DSS requirements and map them against PCI’s six main goals to ensure data integrity.
Here’s a quick overview of the requirements and objectives of PCI DSS.
What are the four compliance levels?
Based on the volume of transactions organizations process annually, they are classified into levels. The four levels are:
Organizations that process under 20,000 VISA transactions a year, or up to a maximum of one million transactions a year, are considered small businesses.
Mom and Pop stores, boutique design apparel firms and other businesses typically are Level 4 businesses. However, some small e-commerce-based businesses could be Level 3 businesses.
It’s important to know that regardless of which Level you are in, your organization automatically becomes a Level 1 business if your security network is breached.
For instance, when a Level 4 business is breached, it no longer holds a Level 4 status.
Like other Level 1 businesses, you will implement the same security controls, invest in tools, and perform audits to demonstrate compliance for your small business.
Did you know?
A Hiscox report shows that 34% of small businesses with less than 50 employees were attacked and breached in the first quarter of 2022. That means they saw an increase in the average cost of PCI compliance for their small business. The average cost of PCI compliance for the affected small businesses went over USD 300,000 annually. Unfortunately, most small businesses did not survive that impact.
How to get your small business PCI compliant in 8 steps
At a high level, getting compliant with PCI-DSS 4, the framework for small businesses, is simple. You mostly just need to:
- Fill out a Self Assessment Questionnaire (SAQ),
- Get an Attestation of Compliance (AoC)
- Submit these documents to the PCI council along with your AS
However, there are nuances. So let’s dive deep into these nuances and explore the eight steps to getting PCI-DSS compliant:
Step 1: Determine which PCI compliance level you belong to
The Level is assigned based on the total annual VISA transactions or transactions processed by an organization.
Small businesses usually have under 20,000 VISA transactions annually.
Hence, here we are considering all small businesses as Level 4 for ease of understanding.
If you aren’t sure of the number of transactions you’ve processed, you can use your POS machine to get reports on total transactions in a period.
Step 2: Fill out the PCI compliance self-assessment questionnaire
Based on the nature of the transactions your small business processes, fill out the relevant SAQ for every type of transaction that flows through your business.
- If you use a payment gateway like Razorpay, you are required to fill out SAQ-A
- If you run a Mom & Pop physical store that uses a POS system & terminal, then you will be required to fill out SAQ-C
- If you take orders on the phone and accept online invoices, then you are required to fill out SAQ-C-VT
The SAQ and the other forms that apply to your processing activities can be downloaded from the official PCI DSS website.
In the meantime, here’s a sneak peek at what the SAQ would look like.
The Self-assessment questionnaire can sometimes seem confusing with the vast multitude of Yes/No questions. Be confident in your testing procedures and fill out the form with zero uncertainty.
Another section towards the end of the SAQ talks about instances where your small business has failed to implement any one of the 12 PCI DSS requirements. This section allows you to put forth an action plan to implement the requirement, mention and explain the steps you would follow and give an estimated date to complete this task without any gaps.
If you are not confident about filling out the SAQ form, bring some expert assistance on board. Contact a PCI QSA firm to help with the process.
Step 3: Investigate your payment technology
The year 2021 saw an 88% increase in cyber attacks on cloud-based businesses. The threat of an imminent data security attack is real and nearby.
As a small business processing online card transactions, you should ensure that you have a PCI-compliant payment gateway to transmit cardholder data securely.
Installing an SSL (Secure Sockets Layer) certificate alone will not make your website breach-proof. Make sure that every communication between your website and the customer's web browser is encrypted when sending or receiving a card-based payment.
Here are a few best practices small businesses can start implementing:
- Ensure access control is in place to secure your information systems. Only employees with a predetermined need to access customer data should be granted access to critical information.
- Maintain a log of all login instances in your business environment.
- Install 2FA and Point-to-Point Encryption (P2PE) to ensure that login credentials and card data are not stolen in transit over the internet.
Step 4: Create and document security and compliance process
A study by UpCity showed that while over 80% of small businesses were aware of the risks and damage a security incident could cause their business, more than half didn’t have a formal cybersecurity protection framework or controls to defend themselves from a cyber threat.
As a small business owner or team member, you might be heading the PCI compliance efforts yourself without the luxury of a compliance team.
Nonetheless, you should document all the security controls and policies you implement within your business environments.
Those same controls should also be rolled out across your organization to help strengthen your overall security posture.
For example, you can conduct training sessions for your employees to educate them on the Dos and Don’ts when handling customer data.
- Hackers try to penetrate networks not just through software but also by tampering with hardware. Conduct periodic checks to ensure that your POS devices have not been tampered with, and teach your team how to secure POS devices.
- Conduct periodic general awareness training and educate employees on the risks and financial liability your small business gets exposed to when information systems are handled inefficiently.
Step 5: Complete your AOC
To get the AoC, you’ll have to submit the SAQ to the PCI council for a formal review.
Before submitting your SAQ, ensure that no form section is left empty and you’ve signed in the required place(s). Once that’s done, submit the SAQ for review.
The QSA from the PCI council reviews your SAQ either in person or virtually. If your SAQ convinces the QSA that your business is PCI compliant, they send the AoC.
As a PCI Level 4 organization, your AOC will be straightforward. You can fill out the AOC yourself.
Step 6: Prove compliance with vulnerability scanning
An ASV (Approved Scanning Vendor) is an independent third-party organization that conducts vulnerability scans every three months. The ASV either marks your business environment safe for critical customer data (card data, PII) or marks it unsafe (we don’t want that).
An ASV scans your firewalls and networks to ensure they are safe and do not put customer card data at risk. While ASVs also provide vulnerability scans for internal systems, most businesses prefer doing it themselves.
The approved vendor either fails you or passes you every quarter. You are then required to submit the scan result to the PCI council.
Step 7: Submit PCI documentation
Gather all your documents, consolidate them, and send them as a compliance report to the PCI council. You can use e-mail or a physical mailing system for this.
The report should contain these documents:
- Summary of Findings
- Audit Details
- Business Information
- Card Payment Infrastructure
- External relationships
Step 8: Track and test your systems
PCI DSS compliance is dynamic like any other cybersecurity framework or ISMS. It requires businesses to continuously monitor business systems and controls, document the results, analyze results to detect anomalies and remediate, and constantly demonstrate a strong compliance posture.
However, this is easier said than done. After the compliance attestation process, most businesses focus on their revenue and scaling efforts.
How much does it cost to implement PCI DSS for small businesses?
Typically, the cost of getting PCI-DSS compliant ranges between USD 1,000 and USD 10,000, depending on the level of PCI-DSS compliance. Costs vary from case to case and business to business based on several factors, like business size, existing security measures, and the complexity of payment processing operations.
Usually, small businesses achieve PCI-DSS compliance at lower costs than others due to the simplicity of implementing basic security controls and filling out the self-assessment questionnaire.
The benefits of PCI compliance for small businesses
Boosts confidence
Small businesses constantly strive to gain the trust and confidence of their end users, partners, and vendors. With PCI DSS compliance, they add one more feather to their cap by showing the world that they are serious about information security.
With frequent security incidents globally, customers are now cautious about who they share their card data with.
Demonstrating a strong and secure infosec posture wins that trust back for small businesses.
Protects against security incidents
Capital One and Microsoft, in their studies in 2019 and 2021, respectively, observed that cardholders are now wary of processing card-based transactions with small businesses.
Many small businesses and SMBs aren’t aware of their true compliance posture. Most organizations revisit the compliance activity at the end of the year when renewal time approaches.
This opens avenues for bad actors and hackers to locate a vulnerability and gain access to critical business systems of the organization through websites, mobile apps, firewalls, and remote-access vulnerabilities.
By regularly following the best practices of PCI DSS compliance, organizations can actively work towards updating their hardware and software to their latest versions, checking the performance of defence and offence software, checking physical sources of vulnerabilities, running periodic scans, and more.
All of these collectively and individually contribute to your goal of becoming PCI DSS compliant while protecting your information assets.
Earns customer trust
Customers hesitate to use their cards on websites and stores they don’t trust. Card scams are on the rise, and customers tend to only buy and repeat-purchase from places they trust with their money.
Having a PCI-DSS compliance certification is a great way to demonstrate your security posture and win the trust of customers. This matters even more when you, as a small business, sell to larger businesses.
Complying with other standards
Getting PCI-DSS compliant will also set you on the path to complying with other standards. This is because PCI-DSS requires penetration testing and vulnerability assessments, which are standard procedures for some compliance frameworks like SOC 2 and ISO 27001.
Thus, getting PCI-DSS compliant reduces the additional lift required to comply with ISO 27001 or SOC 2.
The Sprinto way
PCI DSS is exhaustive, strenuous, and demands a lot of time and resources from organizations, especially when done the DIY way. Small businesses often find it challenging to navigate the PCI DSS compliance journey, and often allocating time and resources toward PCI compliance over primary business activities is not an easy decision.
Sprinto has laid out a curated PCI DSS compliance process for small and medium-sized businesses. It’s a GRC automation tool that comes with pre-built policy templates, controls mapped to frameworks like PCI-DSS, continuous control monitoring and automated evidence collection.
So you can skip doing the heavy lifting, and let the software take care of your PCI-DSS compliance while you focus on tasks that matter.
FAQ
How much time does it take to get PCI-DSS compliant as a small business?
Usually, the level of PCI-DSS compliance small businesses go for does not take more than 3 weeks. However, in some cases Level 3 and Level 2 PCI-DSS might take longer because of the added steps and security measures.
What are the top 3 challenges of PCI-DSS compliance for small businesses?
Small businesses are usually unaware of their security posture and the gap they need to bridge to get compliant. Thus, self-assessments, penetration testing, and deciding which level of PCI-DSS certification they need to go for can be a bit tricky.
How can small businesses streamline PCI-DSS?
Small businesses can put PCI-DSS compliance on autopilot with Sprinto. It’s a GRC automation tool that comes with pre-built policy templates, pre-mapped controls, continuous control monitoring and automatic evidence collection. This automates your compliance maintenance and helps you breeze past audits.
Is it mandatory to comply with PCI-DSS?
Yes, as per regulations, complying with PCI-DSS security standards is not just essential but mandatory for businesses that process, store, or transmit card information. For example, businesses like e-commerce stores, B2B software, and service providers would need to comply with PCI-DSS standards.