The Payment Card Industry Data Security Standard (PCI DSS) is a compliance framework that requires any organization that stores, processes or transmits card data, whether through POS (Point Of Sale) or non-POS channels, to meet a defined set of requirements that protect cardholder data against theft and data breaches.
The PCI DSS compliance process can be both exhaustive and expensive. How much validation work is required depends on the merchant level, which is set by the annual volume of card transactions an organization processes.
For instance, a Level 1 merchant, one that processes more than six million Visa transactions per year, must have its compliance assessed on site by a Qualified Security Assessor (QSA) every year, a process that is bound to be exhaustive and expensive.
Startups and small businesses, on the other hand, process far fewer transactions and can normally validate compliance through self-assessment. Hence, a small business' compliance process and readiness journey is significantly different from that of an enterprise.
This article on PCI compliance for small businesses aims to help you gain real insights. It charts the PCI DSS compliance journey for a small business, discusses the average cost of PCI compliance for small businesses, and helps you understand the steps involved in becoming PCI DSS compliant.
Who Needs To Be PCI Compliant?
If an organization stores, processes or transmits even one card transaction a year, its acquiring bank and the card brands require it to comply with PCI DSS.
Small businesses and early-stage startups, therefore, must become and remain PCI compliant to avoid the fines and higher processing fees that acquirers can impose on non-compliant merchants.
Small businesses often run with the mentality that since they are too small, they don’t need to be PCI compliant. Unfortunately, this could not be farther from the truth.
The 2019 Verizon Data Breach Investigations Report found that 43% of the breaches it analysed involved small-business victims; other surveys cited at the time put the share of small businesses able to defend themselves against such attacks at only 14%.
Now, more than ever, small businesses and startups should focus on PCI compliance requirements for small businesses and deploy the requirements and controls listed in the PCI framework.
What Are PCI requirements for small businesses?
To become PCI DSS compliant, every organization, even a small business, is required to implement the 12 PCI DSS requirements. The requirements are grouped under six control objectives, and together they protect the confidentiality and integrity of cardholder data.
Here's a quick overview of the six objectives and the requirements under each:
- Build and maintain a secure network and systems: Requirement 1 (install and maintain a firewall configuration to protect cardholder data) and Requirement 2 (do not use vendor-supplied defaults for system passwords and other security parameters).
- Protect cardholder data: Requirement 3 (protect stored cardholder data) and Requirement 4 (encrypt transmission of cardholder data across open, public networks).
- Maintain a vulnerability management program: Requirement 5 (protect all systems against malware and keep anti-virus software updated) and Requirement 6 (develop and maintain secure systems and applications).
- Implement strong access control measures: Requirement 7 (restrict access to cardholder data by business need to know), Requirement 8 (identify and authenticate access to system components) and Requirement 9 (restrict physical access to cardholder data).
- Regularly monitor and test networks: Requirement 10 (track and monitor all access to network resources and cardholder data) and Requirement 11 (regularly test security systems and processes).
- Maintain an information security policy: Requirement 12 (maintain a policy that addresses information security for all personnel).
What Are The Four Compliance Levels?
Based on the volume of transactions organizations process annually, the card brands classify merchants into levels. Using Visa's definitions, the four levels are:
- Level 1: more than six million Visa transactions per year, across all channels
- Level 2: one million to six million Visa transactions per year
- Level 3: 20,000 to one million Visa e-commerce transactions per year
- Level 4: fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to one million Visa transactions per year
Organizations that process fewer than 20,000 Visa e-commerce transactions and no more than one million Visa transactions a year in total therefore fall under Level 4, and that is where most small businesses sit.
Mom and Pop stores, boutique apparel firms and similar businesses are typically Level 4 merchants. However, some small e-commerce businesses could be Level 3 merchants.
It's important to know that regardless of which Level you are in, the card brands may escalate your organization to Level 1 if it suffers a breach that compromises account data.
For instance, when a Level 4 business is breached, it can lose its Level 4 status at the card brand's discretion.
Like other Level 1 merchants, you would then have to implement the same security controls, invest in tools, and undergo an on-site QSA assessment to demonstrate compliance for your small business.
Did you know?
A Hiscox report shows that 34% of small businesses with fewer than 50 employees were attacked and breached in the first quarter of 2022. The average cost of those incidents to the affected small businesses (investigation, remediation, fines and lost business, not the cost of compliance itself) went over USD 300,000. Unfortunately, many small businesses did not survive that impact.
How To Get PCI Compliance for Your Small Business
An overview of this slightly lengthy process would be:
- Fill out the Self-Assessment Questionnaire (SAQ) that matches how you take payments
- Complete and sign the Attestation of Compliance (AoC)
- Submit these documents, along with your quarterly ASV scan report where one is required, to your acquiring bank or the card brands as they instruct (the PCI Security Standards Council itself does not receive or review merchant submissions)
That's it. You have validated compliance as a PCI Level 4 merchant.
Now let’s break down these three simple steps and spread them across eight steps to get a clearer understanding of what is required for PCI compliance for small retail businesses.
Step 1: Determine Which PCI Compliance Level You Belong To
The Level is assigned based on the total annual Visa transactions (e-commerce and in total) processed by an organization; the other card brands publish similar thresholds.
Small businesses usually have under 20,000 Visa e-commerce transactions annually.
Hence, here we are considering all small businesses as Level 4 for ease of understanding.
If you aren't sure of the number of transactions you've processed, your acquirer's statements or your POS system's reports will give you the total transactions for a period.
Step 2: Fill Out the PCI Compliance Self-assessment Questionnaire
Based on how your small business accepts card payments, fill out the SAQ that matches each payment channel flowing through your business.
- If your website fully outsources payment to a PCI-compliant gateway like Razorpay (redirect or gateway-hosted page) and your systems never touch card data, you are required to fill out SAQ A; if your own web page affects how the payment page is delivered, SAQ A-EP applies instead.
- If you run a Mom & Pop physical store, the SAQ depends on your terminal: SAQ B for standalone dial-out terminals, SAQ B-IP for standalone IP-connected PTS-approved terminals, SAQ C for a payment application system connected to the internet, and SAQ P2PE for a validated point-to-point encryption solution.
- If you take orders on the phone and key card numbers into a web-based virtual terminal, then you are required to fill out SAQ C-VT.
The current SAQ forms and the instructions for choosing between them can be downloaded from the official PCI Security Standards Council website.
The Self-assessment questionnaire can sometimes seem confusing with its vast multitude of Yes/No questions. Answer each one on the basis of evidence from your own testing procedures: a "Yes" you cannot back up is a false attestation, so be certain before you tick it.
Another section towards the end of the SAQ covers instances where your small business has not yet implemented one of the 12 PCI DSS requirements. This section allows you to put forth an action plan to implement the requirement, explain the steps you will follow and give an estimated completion date.
If filling out the SAQ form feels like something you are not confident about, get some expert assistance on board. A PCI QSA firm can help with the process, although a QSA is not mandatory for a self-assessment.
Step 3: Investigate Your Payment Technology
The year 2021 saw an 88% increase in cyber attacks on cloud-based businesses. The threat of a data security attack is real and nearby.
As a small business processing online card transactions, you should ensure that you use a PCI-compliant payment gateway to transmit cardholder data securely.
Installing a TLS certificate (what is still loosely called "SSL") will not make your website breach-proof; it only protects data in transit between the customer's browser and your site. Use current TLS (1.2 or later) on every page involved in taking a payment, since PCI DSS has not permitted SSL or early TLS since 2018, and keep card data out of your own systems wherever you can, for example by using the gateway's hosted payment page.
Here are a few best practices small businesses can start implementing:
- Ensure access control is in place to secure your information systems. Only employees with a predetermined business need to access customer data must be allowed access to critical information.
- Maintain a log of all login attempts, successful and failed, in your business environment, and review it so that repeated failures and logins at unusual times are noticed.
- Require multi-factor authentication (MFA) for all administrative and remote access to systems that handle card data, and use point-to-point encryption (P2PE) so that card data is encrypted at the terminal and never appears in clear text on your systems.
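The login-log review in the list above can be automated. The script below is an added example written for this article and not code from the original page or from Sprinto; it parses constructed login log lines in an assumed format ("<ISO timestamp> <host> login FAILED|SUCCESS user=<name> src=<ip>", which is not any real product's log format), flags an account once it reaches six failed attempts within a 30-minute window (the limit PCI DSS v3.2.1 Requirement 8.1.6 sets for lockout), and also flags a successful login during the 30-minute lockout period that Requirement 8.1.7 calls for, because that shows the lockout control is not actually enforced. The window length is an assumption; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
2024-03-04T09:00:01 pos-backoffice login FAILED user=cashier2 src=10.0.0.15
2024-03-04T09:00:04 pos-backoffice login FAILED user=cashier2 src=10.0.0.15
2024-03-04T09:00:07 pos-backoffice login FAILED user=cashier2 src=10.0.0.15
2024-03-04T09:00:10 pos-backoffice login FAILED user=cashier2 src=10.0.0.15
2024-03-04T09:00:13 pos-backoffice login FAILED user=cashier2 src=10.0.0.15
2024-03-04T09:00:16 pos-backoffice login FAILED user=cashier2 src=10.0.0.15
2024-03-04T09:00:20 pos-backoffice login SUCCESS user=cashier2 src=10.0.0.15
2024-03-04T09:15:00 pos-backoffice login FAILED user=admin src=203.0.113.9
2024-03-04T09:45:00 pos-backoffice login FAILED user=admin src=203.0.113.9
2024-03-04T10:20:00 pos-backoffice login SUCCESS user=owner src=10.0.0.2
"""

# Assumed log line format for this example; adapt the pattern to your own system.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login (?P<result>FAILED|SUCCESS) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

MAX_FAILURES = 6                      # PCI DSS v3.2.1 Req 8.1.6: lock out after at most six attempts
WINDOW = timedelta(minutes=30)        # assumption: lookback window for counting failed attempts
LOCKOUT_DURATION = timedelta(minutes=30)  # PCI DSS v3.2.1 Req 8.1.7: lockout of at least 30 minutes

Alert = namedtuple("Alert", "kind user src ts")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # in production, count and report unparsable lines instead
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_lockout_violations(events, max_failures=MAX_FAILURES,
                            window=WINDOW, lockout=LOCKOUT_DURATION):
    """Return alerts for brute-force bursts and for lockouts that were not enforced."""
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    locked_at = {}                 # user -> time at which the account should have been locked
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        # A lockout that has run its full duration is over; start counting afresh.
        if user in locked_at and ts - locked_at[user] >= lockout:
            del locked_at[user]
            failures[user].clear()
        q = failures[user]
        while q and ts - q[0] > window:   # forget failures outside the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ts)
            if len(q) >= max_failures and user not in locked_at:
                locked_at[user] = ts
                alerts.append(Alert("BRUTE_FORCE", user, ev["src"], ts))
        elif user in locked_at:
            # A successful login while the account should still be locked means
            # the lockout control required by PCI DSS is not actually in place.
            alerts.append(Alert("LOCKOUT_NOT_ENFORCED", user, ev["src"], ts))
    return alerts


if __name__ == "__main__":
    for a in find_lockout_violations(parse_log(SAMPLE_LOG)):
        print(f"{a.ts.isoformat()} {a.kind:<22} user={a.user} src={a.src}")
```

On the sample lines the script raises two alerts for cashier2 (six failures in 15 seconds, then a success four seconds later) and none for admin, whose two failures are 30 minutes apart. In practice the same logic is worth running over your POS back-office, remote-access and web-admin logs, and the output is the kind of evidence an SAQ answer about Requirements 8 and 10 should rest on.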
Step 4: Create & Document Security & Compliance Processes
A study by UpCity showed that while over 80% of small businesses were aware of the risks and damage a security incident could do to their business, more than half didn't have a formal cybersecurity framework or controls to defend themselves from a cyber threat.
As a small business owner or team member, you might be heading the PCI compliance efforts yourself without the luxury of a compliance team.
Nonetheless, you should document every security control and policy you implement within your business environment; PCI DSS Requirement 12 asks for exactly that, and an assessor will ask to see it.
The same controls should then be applied consistently across your organization, not just to the systems that touch card data, to strengthen your overall security posture.
For example, you can conduct training sessions for your employees to educate them on the Dos and Don'ts of handling customer data.
- Attackers try to get at card data not just through software but also by tampering with hardware, for instance by attaching skimmers to terminals. Keep an inventory of your POS devices, inspect them periodically for tampering or substitution (PCI DSS Requirement 9.9), and teach your team how to spot and report a suspect device.
- Conduct periodic security awareness training and educate employees on the risks and financial liability your small business is exposed to when information systems are handled carelessly.
Step 5: Complete your AOC
The AoC is the signed statement that you have completed the SAQ and met its requirements; the AoC form is bundled with each SAQ.
Before completing it, ensure that no section of the SAQ is left empty and that every answer is backed by evidence.
For a self-assessment you do not submit the SAQ to the PCI council for review: the council does not review merchant submissions, and a QSA only needs to sign the AoC if you engaged one or your acquirer requires it.
As a PCI Level 4 merchant, your AoC will be straightforward. You can fill it out and sign it yourself, then send it with the SAQ to your acquiring bank.
Step 6: Prove compliance with vulnerability scanning
An ASV (Approved Scanning Vendor) is an independent third-party organization, approved by the PCI Security Standards Council, that performs the external vulnerability scans PCI DSS Requirement 11.2.2 calls for at least every three months. The ASV either marks your internet-facing environment as passing or as failing (we don't want that).
An ASV scans your externally reachable hosts, firewalls and networks to ensure they do not put customer card data at risk. The internal vulnerability scans that Requirement 11.2.1 also asks for do not have to be done by an ASV, and most businesses run those themselves or through a qualified internal resource.
The approved vendor either fails you or passes you every quarter, and a failed scan must be fixed and rescanned until it passes. Keep the passing scan reports and submit them with your SAQ to your acquirer. Note that ASV scans are only required where your SAQ calls for them; a merchant that fully outsources payments and validates under SAQ A has no internet-facing systems in scope to scan.
Step 7: Submitting the PCI Documentation
Gather all your documents, consolidate them, and send them as your compliance package to your acquiring bank (or the card brands, if they ask for it directly) in whatever form the acquirer specifies, which is usually a portal, e-mail or post.
For a self-assessing Level 4 merchant the package is normally the completed SAQ, the signed AoC and the passing ASV scan reports. A full Report on Compliance, as a QSA would produce for a Level 1 merchant, also covers:
- Summary of Findings
- Audit Details
- Business Information
- Card Payment Infrastructure
- External relationships
Step 8: Track & Test Your Systems
PCI DSS compliance is continuous, like any other cybersecurity framework or ISMS. It requires businesses to keep scanning their systems, document the results, compare successive results to detect new exposures, and maintain a strong compliance posture all year, not just at attestation time.
However, this is easier said than done. After the compliance attestation process, most businesses turn their attention back to revenue and scaling efforts.
Here’s a cheat sheet you can use to ensure that all the assets in your business environments are regularly tested without spending too much time on this.
Download our curated quick and dirty guide to make your small business PCI DSS compliant.
The Importance of PCI Compliance to Small Business
Small businesses constantly strive to gain the trust and confidence of their end users, partners, and vendors. With PCI DSS compliance, they add one more feather to their cap by showing the world that they are serious about information security.
With frequent security incidents globally, customers are now cautious about who they share their card data with.
Demonstrating a strong and secure infosec posture brings back customers' trust in small businesses.
Protects against security incidents
Capital One and Microsoft, in their studies in 2019 and 2021 respectively, observed that cardholders are now wary of making card-based transactions with small businesses.
Many small businesses and SMBs aren’t aware of their true compliance posture. Most organizations revisit the compliance activity at the end of the year when renewal time approaches.
This opens avenues for bad actors to locate a vulnerability in the meantime and gain access to the organization's critical business systems through its websites, mobile apps, firewalls or remote-access services.
By following PCI DSS best practices throughout the year, organizations keep their hardware and software patched to current versions, verify that their security tooling is working, check physical sources of vulnerability such as POS terminals, run periodic scans and more.
All of these collectively and individually contribute to your goal of becoming PCI DSS compliant while protecting your information assets.
The Sprinto way
PCI DSS is exhaustive, strenuous, and demands a lot of time and resources from organizations, especially when done the DIY way. Small businesses often find it challenging to navigate the PCI DSS compliance journey, and allocating time and resources to PCI compliance over primary business activities is not an easy decision.
How do we know this? We were once in your shoes!
Sprinto has laid out a curated PCI DSS compliance process for small and medium-sized businesses, in which we do the heavy lifting of your compliance journey while you focus on your business, at a fraction of the cost.
Talk to our experts today to make your PCI DSS journey a breeze!