Compliance with the Payment Card Industry Data Security Standard (PCI DSS) applies to every merchant, no matter how small, that accepts credit or debit cards branded by Visa, MasterCard, Discover, American Express, or any of the other major card brands. It is important that small businesses take PCI compliance seriously and follow the requirements the major card brands have mandated. Small businesses should consider the following tips:
1. Don’t ignore it, even if you think you’re too small to be affected. Smaller merchants have a lighter paperwork burden than large organizations, but failure to comply can, and does, lead to legal and financial risk, up to and including the risk of having your card-processing privileges revoked, leaving your company unable to accept customer payment cards.
2. Know your obligations. PCI is a highly technical and broad-ranging set of security requirements, covering everything from how you configure and manage your computers to how you train and manage your staff. The best place for smaller merchants to start is the official self-assessment questionnaires (SAQs) published by the PCI Security Standards Council. These don’t cover everything you need to know, but they do give you a quick sense of what you need to do and what to worry about most.
3. Know your real goal (security, not compliance). At the end of the day, PCI is all about helping merchants protect their customers, so you shouldn’t be looking to do the bare minimum. Merchants who concentrate on their customers’ safety will have a better business and less risk, and they will find that PCI compliance follows almost painlessly as a by-product of doing the right thing.
Dr. Tim Cranny
Salt Lake City