This is a guest post written by Zach Walker, director of technical support, CISSP, ASV at SecurityMetrics.
When it comes to PCI DSS compliance, business owners can have unique struggles securing customers’ card data. While small businesses process and store less card data than large businesses, they also probably have fewer resources and a smaller budget for security and compliance efforts.
Here are 5 tips to help businesses get PCI compliant and properly secure data.
1. Create policies and procedures
Smaller businesses are often less likely to consistently follow established policies and procedures. Because small businesses only have a handful of systems, it might seem like a waste of time and resources to establish security policies.
However, setting up policies and procedures is essential to business security. Business owners need to establish and follow consistent policies and procedures, such as employee computer usage, physical security and data security policies.
Remember to devote time to implement these policies. Even the best security policy is worthless if not implemented throughout a business.
- Determine and document necessary security policies and procedures
- Implement policies from the top-down
- Regularly train employees on security policies
2. Train yourself and your employees
If you think your employees know how to keep your business's data secure, think again. In fact, many data breaches start because well-meaning employee's either forget security best practices or don't know what they're required to do.
You need to regularly train yourself and your employees on your policies and procedures, as well as basic data security best-practices. Constant security training will help employees better implement policies and follow security practices.
- Set up regular training meetings for employees (e.g., monthly, quarterly)
- Train employees to have good judgment and healthy skepticism
- Give staff frequent reminders about security best practices
3. Keep systems up to date
Most vendors routinely release new updates and patches for security vulnerabilities (e.g., malware, Ransomware). These security updates are critical for not just a business’s computer, but also the computer's applications, any network hardware/firewalls, and any mobile devices used. All systems and devices that are on a business network need to be consistently updated.
- Subscribe to vendors’ patch/upgrade list to stay current on the latest security patches
- Establish a schedule and process to regularly update business systems
- Run quarterly vulnerability scans to find and then fix security holes
4. Only store card data that’s necessary
Did you know that at least 67% of PANscan usersfound unencrypted card data on their systems? Businesses should never store unencrypted credit card data.
If you're looking to simplify your PCI compliance, limit how much card data you store. The less data you store, the less time and resources you need to dedicate to securing that data.
- Don't store card data that you don't need
- Scan your network to find any unencrypted card data
- Determine what credit card processor your business needs
5. Get help from an expert!
If you have a PCI program with a provider, like SecurityMetrics, take advantage of their support team, they can help you with any questions you have about PCI DSS compliance.
If you don’t have a PCI program, there are many resources from the PCI Security Standards Council and other industry experts that can help you come up with a plan to reach PCI compliance.
- Get help from security experts (e.g., SecurityMetrics support agents)
- Follow security blogs and articles for tips on security best practices
Remember, becoming and staying PCI compliant is worth the trouble, and it can save your business in the long run.
SecurityMetrics is a global leader in payment data security for all business sizes, and as an Approved Scanning Vendor and Qualified Security Assessor, has tested over 1 million payment systems for data security and compliance. Among other things, SecurityMetrics offers PCI audits, PA-DSS audits, consulting, mobile device vulnerability scanning, penetration testing, security appliances, data discovery tools, and forensic analysis. For more information visit www.securitymetrics.com