Four Steps for Protecting Customer Data


Accepting credit and debit cards is a no-brainer for many small businesses. However, if you fail to safeguard the consumer information received with these transactions, you may end up facing major fines and losses.

The PCI (Payment Card Industry) Security Standards Council, which was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc., released a set of security standards to be followed by any business accepting credit and debit card payments.

Kathleen Ervin, vice president of Relationship Management for Solveras, a division of TransFirst, said many small business owners are either unaware of PCI standards or are out of compliance with them.

“There are a lot of merchants out there overlooking PCI,” Ervin said. “If a small business owner is not able to prove they are PCI complaint by these standards, and there is a breach, they can be fined for each instance of the breach. The fees can be extremely excessive and for some of the businesses we work with, it can very well put them out of business.”

Before getting into the nitty gritty of PCI compliance, Ervin said there is one golden rule businesses should aim for when obtaining consumer information: “handle [customer] data the way you would want your data handled.”

Here are four tips from Ervin on how to become PCI compliant.

No. 1: Visit and determine your merchant level. This is the kind of business you are, and how you are accepting cards, Ervin said.

“Understand where your business fits [into] the PCI universe,” she said. “This talks about the kind of transactions you have.”

The levels of compliance you will need to meet depend on how much money you are processing and how you are collecting the data.

No. 2: Identify your validation type. On, you will find different questionnaires to determine the standards you must meet. Figure out which “business scenarios” best match yours here, then take the quiz, said Ervin.

No. 3: Pass a vulnerability scan. If necessary, you may have to implement a vulnerability scan by a vendor to ensure there are no open areas that can be breached, Ervin said. You must have proof of this scan in order to be compliant.

No. 4: Obtain a Certificate of Attestation. Once you have passed all of these steps, you must obtain a certificate from the PCI Security Standards Council. This must be done yearly.

Also, remember this is an ongoing process. As your credit processing increases or you add new methods of payment -- such as mobile and tablet payments -- your standards will change, Ervin said.

“Make sure you are secure and testing to the best of your knowledge,” she said. “The [standards] increase merchants’ awareness about how they are taking and storing cards.”

The National Federation of Independent Business held a Webinar this week on how to become PCI compliant. To learn more click here.

Click here for more articles on “Protecting Your Small Business.”