Mangiafico provides the following checklist and tips to help ensure that you have at least the basic points in PCI compliance covered:
- Find a Web host that understands PCI and can help your website achieve compliance. The scan results and requirements can be daunting, so having a partner that knows how the system works and what needs to be done to pass a PCI scan is a crucial step.
- If at all possible, do NOT store credit card numbers locally in your office or on your network. Doing so will bring your entire office network (and all PCs attached to it) into the scope of compliance. This can be a nightmare to wade through.
- Unless you really need the credit card numbers, use an ecommerce system that allows you to NOT store the credit cards after they are charged in real-time. This will relieve you from having to answer a very detailed questionnaire and removes most of the ways hackers obtain credit card data.
- Most small merchants fall into the level 4 merchant status. This means an annual self-assessed questionnaire (SAQ), a quarterly PCI scan of any public network that handles credit cards (normally your website), and a way to prove validation to your merchant account provider.
Where the Highest PCI Compliance Costs Hide
Gasper says that in his experience with getting clients compliant, most of the high cost of compliance is incurred when clients require the following items:
Data Encryption: Typically, any small business or institution storing cardholder data (sometimes referred to as Personally Identifiable Information) must have hard-disk encryption on all of its PCs and servers. This includes desktops, laptops, servers and backup tapes.
The idea behind data encryption is that if a hard drive is stolen or otherwise falls into the wrong hands, the thief has no way to access the data without the encryption key. Encryption, while easy to implement, can add up in cost because it usually means a per-user license for the encryption software.
There are other risks associated with hard drive encryption: it requires proper documentation of the processes and encryption keys so that the company is never left unable to decrypt its own data when data recovery becomes necessary.
Physical Access Security: There are many nuances with securing data within a building that can add up, such as physical barriers of entry to secured data, which are sometimes out of the control of many small businesses. In some instances security cameras and door alarms are required to be installed at the facility storing the cardholder information. These can be costly items that are usually not covered by the lessors of the building.
Vulnerability Scans and Network Penetration Tests: The costs of these services can add up quickly. Many vulnerability scanning companies offer package deals based on the size of the environment and the frequency of the scans; be sure to ask the vendor for these types of discounts. Typically, if a business stores cardholder data after authorization, or if its processing systems have an Internet connection, quarterly scans by an approved third-party vendor will be required.
In addition to the items listed above, Gasper says that small businesses will need to invest significant effort to document all the policies and procedures, and to test the controls over the procedures.
"Typically, we see small businesses hiring an individual to act as the compliance manager to stay on top of the tests of controls and newly identified compliance requirements and then report to the partners of the firm," says Gasper. "The compliance managers will also be the individuals responsible for documenting and communicating all the policies and procedures to the employees of the firm as well."
DIY Versus Outsourcing PCI Compliance Duties
It's quite natural for small businesses to think that hiring a contractor to ensure compliance is the easiest way to get it all done correctly, but that may not be so. However, taking it on as a do-it-yourself project has its hazards, too.
"PCI-DSS for SMBs has interesting implications that much larger organizations don't necessarily face," says Phil Walston, vice president of engineering and product management (and resident PCI-DSS expert) at Layer 7 Technologies, a provider of security and governance products.
"A lot of small businesses will reach out to contractors for a larger portion of their compliance exercise, as finding a contractor who understands their business needs from previous clients will ensure faster completion and cut down costs," Walston continues. "But contracting out too much, or going to the wrong people, could drive costs out of control or expose them to unnecessary risk. The recently documented issues at Subway are a good case in point."
In all likelihood, the best solution will be a mixed approach. But however you choose to address it, PCI compliance will be a never-ending exercise.
"Certification activities should be considered an ongoing effort," says Rob Bertke, senior vice president for payment solutions product management at Sage North America, the makers of business management software including Peachtree Accounting.
"Requirements will change, and merchants must plan on being agile in handling compliance," Bertke continued. "Standards evolve quickly. Merchants must be prepared to seek out new findings and adapt, as required, to stay on top of regulations and ahead of fraud."
Pam Baker has written for numerous leading publications including Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.