What does PCI mean to Merchants?
Some online merchants think that if they select a PCI compliant gateway and shopping cart, they are automatically PCI compliant. It is important for online merchants to remember that physical location security and written policy are part of the process as well. Merchants are required to submit a SAQ (Self-Assessment Questionnaire) to their acquirer once a year, but submitting the SAQ alone may not be enough. It is also important that employees undergo training on security policies, and businesses must carry out ongoing assessment and remediation.
Merchants may think that PCI compliance is for large businesses and is too expensive for the average small retailer; however, the fines for noncompliance are much greater than the cost of compliance. A noncompliant business not only faces audit fees but also has to consider the loss of reputation. Even if you are a smaller business, you are still required to be PCI compliant, regardless of your transaction volume.
Some businesses think that installing a firewall lets them store cardholder data safely. Storing cardholder data is strongly discouraged, but if you have to store it, a firewall alone is not enough. A firewall does nothing to prevent a device such as a laptop from being stolen or sent out for repair. Make sure that all laptops are properly wiped before being transported.
The majority of small business owners don’t have an IT person, or any idea of where to start. There are many websites that can help small business owners ensure their compliance; the PCI Security Standards Council website is a helpful resource.