Eight tips for SMEs to improve PCI DSS compliance

The PCI DSS applies to ALL organisations (‘merchants’) that accept, transmit or store cardholder data, regardless of their size or number of transactions. If any customer ever pays a merchant direct using a credit or debit card, then the PCI DSS requirements apply.

SMEs often lack the resources and technical expertise to adequately protect themselves from payment card data breaches. Compliance with the PCI DSS can be a painful and often costly exercise, because organisations don’t fully understand the compliance requirements, or end up being overcharged by consultants that do not have their best interests in mind.

Here are a few tips to help you reduce the compliance burden.

  1. Don’t be lulled into thinking the fines aren’t real

Small businesses can face hefty fines if they suffer a security breach and are found to be non-compliant with the PCI DSS. Fines for a small merchant are, on average, around £15,000, which excludes the costs of any forensic investigations and remediation activities that the SME will be liable to pay if found to be non-compliant.

Although £15,000 is nothing to laugh at, the costs can be significantly higher, depending on the severity of the breach.

  2. Educate yourself and your staff about the PCI DSS

Having a better understanding of the PCI DSS will enable your company to make informed decisions about managing compliance – resulting in reduced costs, greater efficiencies and the empowerment of your staff. In this way, you can avoid being reliant on poor third-party advice.

IT Governance regularly runs its popular PCI DSS Foundation and PCI DSS Implementation courses in London to help businesses deal with the Standard’s compliance requirements.

  3. Compliance doesn’t mean you are protected

PCI DSS compliance is a continuous process, not a snapshot in time. Passing an assessment does not ensure you will remain compliant. Developing an understanding of the industry, the terminology used, the flow of payment card data through your systems and networks, and the processes required for compliance are all essential pieces of knowledge that will enable you to manage a compliance programme effectively.

  4. You CAN get expert advice cost-effectively

Documentation toolkits and online consultancy can go a long way in helping you achieve your compliance goals without having to call in the ‘heavies’ for PCI DSS support.

Designed by a PCI Qualified Security Assessor, the PCI DSS Documentation Toolkit contains expert guidance and advice, and fully customisable documentation templates to support payment card-accepting organisations (‘merchants’) by ensuring that their documentation is compliant with PCI DSS.

Live Online Consultancy enables you to purchase consultancy support by the hour. You get access to consultancy in a format that works for you – by email, live chat, telephone and WebEx – and at a time that is convenient for you at only £150 per hour.

  5. PCI DSS certification doesn’t exist

It is important to be aware that your organisation can never be ‘PCI DSS certified’. Even though you may receive a report stating that you have been verified as being in compliance, there is no official PCI DSS certification process.

  6. Build internal awareness about payment card security

The PCI DSS states that organisations must implement a formal security awareness programme to make all employees aware of the importance of cardholder data security. PCI DSS staff awareness courses offer the quickest, simplest and most economical way of teaching employees about compliance.

  7. Conduct regular testing

Regular testing of systems and maintaining firewalls are the two areas where most firms fell out of compliance, according to the 2015 Verizon PCI Compliance report. Many companies don’t really know what tests they need to undertake to achieve PCI DSS compliance. This simple graph sheds some light on what tests are required for each of the different compliance categories.

  8. Only qualified QSAs can carry out audits

It is a myth that security advisors can do the same job as Qualified Security Assessors (QSAs). Only qualified PCI DSS QSAs are able to carry out an official PCI DSS audit. If your company is required to undergo an ROC audit, ensure you use only official QSAs.

IT Governance is an approved QSA provider and CREST-accredited penetration testing provider with extensive experience and a solid track record of undertaking PCI DSS compliance projects and delivering SAQ validation and support, in addition to ROC audits for organisations with complex compliance requirements.

If you would like in-depth advice, call our PCI DSS team today on +44 (0)845 070 1750 or email us to discuss your PCI DSS compliance requirements.
