From listening to customers, it’s becoming clear that one of the biggest obstacles to PCI compliance is simply that, on its face, it seems very complicated. When the requirement was first announced, even industry professionals found some of the language esoteric and hard to understand without a few readings. Many of the PCI DSS requirements have to do with network security and wireless network integrity, which seems to put a lot of people off.
Much of the information on network security is written in language that only office IT (information technology) professionals understand. A business owner reading the PCI compliance requirements for the first time often finds it a daunting task. The next natural step, for small business owners especially, is to start coming up with reasons (ones heard before on this blog) why they supposedly don’t actually need to be PCI compliant. Not to beat the issue to death, but all merchants who process credit cards, regardless of the size or type of business or annual credit card processing volume, must be PCI compliant. Don’t think of it only in terms of your business’s well-being; consider the implications of the PCI DSS requirements for your customers’ well-being and for the integrity of the payment card industry as a whole.
If your small business isn’t highly technical, with lots of equipment and a large number of employees, PCI compliance isn’t difficult at all, since the most complex aspects of being PCI compliant concern network protection. If you are a basic small business with a computer, a phone and a stand-alone dial-up credit card terminal, you really only need to be concerned with a few of the PCI DSS goals. Goal 2: protect cardholder data – which simply means taking the normal precautions of not electronically storing any credit card account information and keeping other cardholder information under lock and key. Goal 4: implement strong access control measures – which basically means limiting access to cardholder personal data, and to equipment or computers containing cardholder data, to only those employees who require it. And Goal 6: maintain an information security policy – meaning your company now has to write out its policies regarding the storage and protection of cardholder information. Any company worth its salt that offers PCI compliance services will usually even have a handy security policy template for you, where you just fill in some blanks with your name and company information.
See this site’s home page for more information on becoming PCI compliant today (for free!).