Keeping Ahead of the Thief: PCI Compliance for the Small Business

Henry Helgeson

September 30, 2008

TJX, Hannaford, Okemo Mountain and others have drawn massive attention as large merchants who have been breached and had millions of consumers' data compromised. While breaches at these large corporations certainly represent more data than that of most of the 6 million small merchants nationwide, small businesses are not exempt from having consumer credit card information stolen, or from meeting the same requirements for protection of sensitive consumer data. In reality, it is imperative that these businesses begin to see themselves as targets and put steps in place to combat data theft.

However, there is a lack of education for small merchants about data security and compliance issues. According to Visa and the National Federation of Independent Business (NFIB), 57 percent of small businesses do not view securing customer data as something that requires formal planning, and 39 percent say they rely on "common sense" to keep their data safe. What these businesses must realize is that common sense is simply not enough to comply with the Payment Card Industry Data Security Standard (PCI DSS), which must be met by any merchant accepting credit card payments. And as more of the larger merchants become compliant and the high-profile breaches slow, industry attention will turn to the small merchant.

PCI DSS compliance can be costly; large companies are spending millions on complex technologies to protect cardholder data. But there is good news for small merchants: depending on the method of processing and transaction volume, compliance can be achieved relatively easily and quite affordably. Here are several steps small businesses can take to work towards the safety and security of customers' data, steps that can also aid in becoming PCI compliant:

- View compliance as a necessity, not an inconvenience. Merchants should view compliance as an opportunity to improve and verify the security of their customers' card data.

- Educate yourself on PCI. Research the recent data losses and the growing acronym PCI DSS. Additional information can be found at https://www.pcisecuritystandards.org/tech/saq.htm.

- Keep yourself up-to-date on compliance. Requirements and timelines for compliance are continually amended; small businesses need to ensure they are armed with the most up-to-date knowledge and equipment. This is especially important for those considering opening their own establishment, since new Level 4 merchants must be compliant by October 1, 2008. There are merchant education strategies for those independent merchants seeking reliable direction in addressing PCI DSS.

- Opt for services that ease the burden of PCI compliance. When implementing your POS system, look for a solution that simplifies PCI compliance by encrypting card data at the "read head" (such as the MerchantWARE solution from Merchant Warehouse) so that sensitive customer data is never exposed to the merchant's systems. With no access to consumer credit card data or personal information, businesses will automatically meet five of the twelve PCI DSS security standards, including the most intensive and costly.
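To make the read-head idea concrete, here is an added illustration (not Merchant Warehouse's code, and not the MerchantWARE product): a simulated reader that holds the only key, emits ciphertext plus a masked PAN to the POS, and a merchant-side check that nothing the POS stores contains a clear card number. The cipher (an HMAC-SHA256 keystream XORed with the track data), the test card number and the key are constructed stand-ins so the example runs on the Python standard library alone.

```python
"""Simulated 'encrypt at the read head' card flow (added illustration).
The reader holds the key; the merchant's POS never does, so only ciphertext
and a masked PAN reach merchant systems. The cipher (HMAC-SHA256 keystream
XORed with the data) is a stdlib stand-in for the reader's hardware cipher."""
import hashlib
import hmac
import os

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test applied to the PAN before it leaves the reader."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def read_head_encrypt(key: bytes, track2: str) -> dict:
    """What the reader emits to the POS: nonce, ciphertext and masked PAN only."""
    pan = track2.split("=")[0]  # track 2 layout: PAN '=' expiry + service code
    if not luhn_valid(pan):
        raise ValueError("bad read")
    nonce = os.urandom(12)
    pt = track2.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "masked_pan": mask_pan(pan)}

def pos_record_is_out_of_scope(record: dict, clear_pans: list) -> bool:
    """Merchant-side check: nothing the POS stores may contain a clear PAN."""
    stored = "".join(str(v) for v in record.values())
    return not any(pan in stored for pan in clear_pans)

def processor_decrypt(key: bytes, record: dict) -> str:
    """Only the processor, holding the reader key, recovers the track data."""
    nonce, ct = bytes.fromhex(record["nonce"]), bytes.fromhex(record["ciphertext"])
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
```

The scope check is the point for a small merchant: if the POS record passes it, the clear PAN never entered the merchant environment, which is what removes those systems from the costliest PCI DSS requirements.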

While adhering to these tips will not guarantee compliance, or that a business will not be hacked, they can help forge a path towards better safety and security for customer data while building a solid foundation for mandatory compliance requirements. Just as important is the invaluable asset of customer trust: putting customers' minds at ease by informing them their data is safe and secure will only contribute to their ongoing loyalty and keep the business growing.

Henry Helgeson - President