Are you ready? As you may or may not be aware, starting next summer ALL merchants, including the smallest, will be required to become PCI compliant. With this in mind, many acquiring banks have already started mandating compliance amongst their merchants. Unfortunately, some merchants will be caught off guard.

There are a lot of misconceptions, rumors, and falsehoods floating around about what is required of these small merchants in terms of compliance fulfillment. One of the main misconceptions is the belief that, as a small merchant, there is a different set of obligations that must be met. This is false. The core principles and accompanying requirements are the same regardless of the size of the merchant. These are:

Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security

Some examples of the misconceptions I have heard include:

Rumor: As a small merchant, I do not need to secure my cardholder data environment at each location.
Fact: As a small merchant, you must protect your cardholder data according to all of the requirements under Requirement 3.

Rumor: Unless my acquiring bank tells me I have to be compliant, it is not necessary.
Fact: Even if your acquiring bank does not inform you of your obligations under PCI, you are still required to be compliant.

Rumor: As a small merchant, we have a different set of rules for compliance.
Fact: Large or small, all merchants have the same principles and obligations for PCI compliance. The only differences are in reporting requirements back to your acquiring bank.

Once again, I know small merchants will have many questions when it comes to their obligations under PCI. Meeting them will be a challenging feat for many of these merchants. I suggest you contact one of our consultants at Nuspire and we can help answer any questions you may have. My advice in this area for small merchants is to start by getting a handle on what IT systems you have on your network(s). Here are some questions that will get you started on the right track:

  1. Do you have an IT Policy? If not, start creating one right away.
  2. Do you have an Information Security Policy? If not, start creating one right away.
  3. If you have multiple locations, do you know what is on those networks? If not, start an inventory and network survey project to see what you have and how it is configured.
  4. Is there consistency across your network? You can see how the survey above will come in handy in determining this.
  5. Do you have a budget for possible network changes? Chances are that gaps will be found during the process that need to be remediated.

If you start with the above, and then contact a consultant, you will be ahead of the game. The worst thing you can do is wait until the last minute. Consultants from Nuspire can be reached via telephone at 248-896-6150 or email at info@nuspire.com.