How SMEs can comply with the PCI DSS

Organisations that accept card payments are responsible for the security of customers’ payment information and must comply with the Payment Card Industry Data Security Standard (PCI DSS).

The PCI DSS is a set of tools and measures to help you protect payment card data. It applies to all organisations that transmit, process or store such information, but small and medium-sized enterprises (SMEs) should be extra vigilant. They are the most likely to be targeted by cyber criminals and the repercussions of a data breach could threaten their ability to stay in business.

Challenges for small merchants

The PCI DSS is technically complex to implement: it lists 12 requirements, based on common information security practices, that must be met to achieve compliance.

Key to PCI DSS compliance is identifying and securing the points where cardholder information could be compromised. These might include compromised card readers, paper stored in a filing cabinet, a weak database or a secret tap into your wireless network.

With the EU General Data Protection Regulation (GDPR) taking effect in May 2018, organisations need to be particularly careful with handling customers’ personal details. The Information Commissioner’s Office (ICO) will probably treat inadequate or non-implementation of the PCI DSS as a failure to implement appropriate “technical and organisational measures” to protect personal data. Companies that breach the GDPR could face significant enforcement action from the ICO, as well as fines and penalties from acquiring banks.

Jeremy King, director at PCI Security Standards Council, said in an emailed statement: “The new EU legislation will be an absolute game-changer for both large organisations and SMEs. The regulator will be able to impose a stratospheric rise in penalties for security breaches, and it remains to be seen whether businesses facing these fines will be able to shoulder the costs.”

To meet the PCI DSS’s requirements, the majority of SMEs can self-audit by completing a self-assessment questionnaire (SAQ) and conducting quarterly Approved Scanning Vendor (ASV) scans.

However, it takes a lot more to become PCI compliant than just completing a tick-box SAQ. Merchants and service providers that fail to implement the requirements are leaving themselves wide open to payment card breaches, reputational damage and heavy fines should their compliance materials prove inaccurate.

How IT Governance can help

Our PCI DSS Support Contract for SMEs is a cost-effective, all-inclusive PCI DSS assistance programme for merchants and service providers needing to self-assess. It dramatically reduces the workload required to satisfy the PCI Data Security Standard.

This package includes:

  • A PCI consultancy support service, which helps you identify the right SAQ to complete, and provides the appropriate support and advice to achieve full compliance with the PCI DSS.
  • A PCI DSS Documentation Toolkit, which gives you all the documentation required by the PCI DSS. Designed by a leading Qualified Security Assessor (QSA), this toolkit contains all the expert guidance, advice and documentation templates you need to keep your payment card operations running smoothly and securely.
  • HackerGuardian vulnerability scans, which offer a vulnerability assessment scanning solution designed to identify website vulnerabilities and, where relevant, to achieve and maintain PCI compliance.
  • Security awareness and training courses, which range from increasing your employees’ knowledge of the PCI DSS to providing comprehensive and practical coverage of all aspects of implementing a compliance programme.
