Small Business PCI Compliance [Self-Assessment Questionnaire & Checklist]


  • PCI & Grim Hacking Stats
  • Why Secure Your Data with PCI DSS?
  • What Systems Need to Be Secured?
  • Self-Assessment Questionnaire – How You Take Card Data
  • Checklist – Best Practices for Security
  • PCI Compliant-Ready Infrastructure

PCI & Grim Hacking Stats

If you are a small merchant that accepts payments online, you are probably familiar with the PCI Security Standards Council. PCI stands for Payment Card Industry, and the compliance body is well-known for creating the PCI Data Security Standard through its five founding members – MasterCard, Visa, Discover, American Express, and JCB.

No one is ever pleased to hear about a bunch of rules they have to follow. However, PCI compliance does have the benefit of forcing you to prioritize security if you want to take credit cards. Accepting payments online has of course become incredibly common, but it also exposes you to a huge amount of liability: just look at 2013 stats from the National Cyber Security Alliance, integrated with the number of total businesses from the US Small Business Administration (27.9 million in 2010):

  • One out of every five small businesses get hacked each year – that’s about 5.6 million organizations!
  • Three out of five businesses that get hacked go bankrupt within six months – that’s about 3.3 million small businesses!
  • That means that 12% of small businesses will flop due to a data breach each year in the United States!

“Most small business owners still don’t get security, don’t think it’s an issue, and are pretty defenseless,” said Neal O’Farrell, executive director of the San Francisco-based nonprofit Identity Theft Council. “They assume hackers would need to pick their business out of 27 million others, not realizing that the attacks are automated.”

Why Secure Your Data with PCI DSS?

According to the Security Standards Council (SSC), 80% of attacks use small businesses as the target because it’s easier to find holes in their security infrastructure. If you experience a compromise, the consequences are far-reaching:

  • Fines
  • Discontinuation of your agreements with credit card companies
  • Customers turning to your competition
  • Downturn in sales
  • The expense of civil litigation
  • Any amount stolen directly through fraud
  • Additional expenses to get back into compliance

“The object of desire is cardholder data,” explained the council. “By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.”

Information can be taken by thieves directly through credit card machines, from hard copies stored on site, from a database containing transaction information, via cameras watching the input of login details and process (as occurred most grandiosely in a $1 billion multinational bank heist), or  through your data networks.

What Systems Need to Be Secured?

In order for your small business to be PCI-compliant, you must safeguard all data during the transaction and as it is sent for processing. By far the easiest way to handle the SSC’s parameters and to reduce your liability is to resolve not to store anything. PCI compliance applies to:

  • Devices that read card details
  • POS systems
  • Your business’s networks and routers
  • Any instances in which data is stored or sent
  • Non-digital transaction records

Self-Assessment Questionnaire – How You Take Card Data

Here are the various categories of card acceptance:

  1. Card-not-present – Internet sales or mail-order services, with cardholder services performed by a third party.
  2. Imprint-only or dial-out – Any businesses that only retain hard copy records of credit card transactions, with no digital storage.
  3. C-VT. Virtual terminals – Entities that perform all transactions through virtual machines, with no digital storage.
  4. Standard application terminals – Companies that use web-connected apps, with no data storage.
  5. Everyone else – All businesses not defined above.

For all e-commerce situations, “check the security of your card payment applications and systems to protect cardholder data,” the council advises. “If operation of your e-commerce shopping cart is outsourced to a service provider, ask it to give you annual evidence of the service’s compliance.”

Checklist – Best Practices for Ssecurity

Here are the basic steps to making sure that your system is compliant and secure:

  1. Make sure that all of your POS systems through which you take cards are approved by the SSC, as indicated here.
  2. Make sure that the payment or shopping cart software is a PCI Validated Payment Application (VPA), as indicated here.
  3. Store nothing related to cards, whether digitally or physically.
  4. Implement firewalls both for your network and for your devices.
  5. Safeguard your Wi-Fi router with a password and standardized encryption.
  6. Make sure that every one of your passwords is unique and complex.
  7. Regularly check all POS hardware and computers for spyware.
  8. Train all personnel on acceptable security policies and procedures.
  9. Follow the ongoing three-step PCI process: Assess your credit card processes for any risk. Remediate by resolving any risks and not keeping any data on file. Report to your financial institution and credit card companies per the DSS.

PCI Compliant-Ready Infrastructure

Typically tech partners will secure all or part of your payment systems. At Superb Internet, 100% of our facilities, services and processes are PCI-DSS compliant, developed specifically not just to keep your customers’ payment card data, but the entire hosting environment, facilities and network, secure.

Plus, we won’t just help you with compliance but will also improve the performance of your systems: our cloud servers, rated through the only objective comparison of different CPU performance (Passmark), achieve speed that is usually 300% better than AWS and SoftLayer for machines with similar specs.

By Kent Roberts

Loading Facebook Comments ...
Loading Disqus Comments ...

Leave a Reply