PCI DSS (Payment Card Industry Data Security Standard) is the set of security requirements, maintained by the PCI Security Standards Council on behalf of the card brands, that any business storing, processing or transmitting payment card data must meet. Compliance matters for every business that takes card payments: it protects your customers' cardholder data, and it protects your reputation and your relationship with your acquirer if something goes wrong.
Here's a guide on how you can become PCI compliant:
1. Determine your PCI compliance level
Every merchant falls into one of four compliance levels, defined by the card brands and assigned by your acquirer, based on annual transaction volume. Using Visa's and Mastercard's definitions:
- Level 1: Merchants processing more than 6 million Visa or Mastercard transactions per year (any channel). Level 1 merchants cannot self-assess: they need an annual on-site assessment by a Qualified Security Assessor (QSA), producing a Report on Compliance (ROC).
- Level 2: Merchants processing 1 to 6 million Visa or Mastercard transactions per year.
- Level 3: Merchants processing 20,000 to 1 million Visa or Mastercard e-commerce transactions per year.
- Level 4: Merchants processing fewer than 20,000 e-commerce transactions and up to 1 million transactions per year across all channels. Most independent retailers are Level 4.
Note that the card brands can move a merchant up to Level 1 at their discretion after a data compromise, whatever its volume.
2. Define your scope
Identify every place where cardholder data is stored, processed or transmitted, plus every system that connects to those systems or could affect their security; together these make up your cardholder data environment (CDE), and they are what the standard applies to. Document the data flows: where card numbers enter your business (terminal, website, phone, post), where they travel, where they rest and for how long. Scope is something you can shrink: network segmentation, a hosted payment page or redirect, and point-to-point encryption (P2PE) terminals all keep most of your systems out of scope. Be thorough, because card numbers that have leaked into logs, spreadsheets, email or backups are in scope too, and they are the usual unpleasant surprise during an assessment.
3. Implement security measures
Implement the controls that apply to your scope. PCI DSS groups its requirements into twelve areas: firewalls and network segmentation, secure configuration (no vendor default passwords), protection of stored cardholder data, encryption of cardholder data in transit over public networks, anti-malware, secure development and prompt patching, restricted access on a need-to-know basis, strong authentication (including multi-factor authentication for access to the CDE), physical security, logging and monitoring, regular security testing, and a written security policy. Two rules to get right first: never store sensitive authentication data (the full magnetic stripe or chip data, the CVV2/CVC2 security code, or the PIN) after authorisation, even encrypted; and wherever you do store the primary account number (PAN), render it unreadable (truncation, tokenisation or strong encryption with properly managed keys) and mask it wherever it is displayed, so that at most the BIN and the last four digits are visible. Use only payment processors and other third-party providers that are themselves PCI DSS validated, and ask each one for its current Attestation of Compliance.
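Steps 2 and 3 meet in one practical task: finding card numbers that have leaked into places they should not be, such as application logs. The following Python scanner is an added example, not part of the original article or of Bira's or Global Payments' guidance. It finds runs of 13 to 19 digits in text, discards the many candidates that fail the Luhn check digit test every real PAN must pass, and reports each hit masked to its first six and last four digits so that the scan output does not itself become a new store of cardholder data. The log lines, the regular expression and the function names are all constructed for the example; the card numbers in the sample are the public Visa and Mastercard test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Constructed sample log lines for the example; the card numbers are the
# published Visa/Mastercard *test* numbers, not real accounts.
SAMPLE_LOGS = [
    "2024-03-01 10:02:11 checkout ok pan=4111111111111111 amount=12.99",
    "2024-03-01 10:02:12 order 48213 ref=1234567890123456",
    "2024-03-01 10:03:40 refund card=5555-5555-5555-4444 amount=5.00",
    "2024-03-01 10:05:02 session renewed, no card data here",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens and not
# glued to other digits. PAN lengths in use today fall inside this range.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: every valid PAN passes, ~90% of random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six (BIN) and last four digits, as PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every plausible PAN in text (13-19 digits, Luhn-valid) with separators removed."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (1-based line number, masked PAN) for each hit; the full PAN is never emitted."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            hits.append((n, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    # Expected: hits on lines 1 and 3; line 2's 16-digit reference fails Luhn.
    for line_no, masked in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: possible PAN {masked}")
```

Luhn still passes roughly one in ten random digit strings, so production discovery tools also check card-brand BIN ranges and run against databases, backups, file shares and mailboxes, not just logs. Treat every confirmed hit as a scoping finding: a PAN in a log means the system that wrote it, and everything that can read that log, is inside your CDE until the leak is fixed and the data securely deleted.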
4. Train employees
Train employees on your PCI compliance and data security policies: why cardholder data must be protected, how to handle it day to day (for example, never writing card numbers down or sending them by email or chat), and how to recognise and report a suspected compromise or a tampered terminal. PCI DSS expects this training on hire and at least annually.
5. Regularly review and update security measures
Review your security measures regularly and update them as needed. PCI DSS sets specific cadences: quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), with passing results, where your SAQ type requires them; quarterly internal vulnerability scans; penetration testing at least annually and after significant changes to your environment; and timely installation of security patches, with critical patches applied within a month of release. Keep the scan reports and test results, because your acquirer or assessor will ask for them.
6. Complete a Self-Assessment Questionnaire (SAQ)
Once you've determined your compliance level and scope and implemented the necessary controls, you confirm that you meet them by completing an SAQ (Level 1 merchants complete a ROC with a QSA instead). There are several SAQ types, and the one you need depends on how you take payments: SAQ A for e-commerce or mail/telephone order merchants who have fully outsourced cardholder data handling (for example a hosted payment page); SAQ A-EP for e-commerce sites whose own web server affects the security of the payment page; SAQ B for standalone dial-out terminals with no electronic storage of card data; SAQ B-IP for standalone IP-connected terminals; SAQ C-VT for a virtual terminal on a single isolated computer; SAQ C for payment applications connected to the internet; SAQ P2PE for merchants using a validated point-to-point encryption solution; and SAQ D, the full standard, for everyone else. Choosing the right one matters, because each SAQ lists only the requirements that apply to that payment channel.
7. Complete an Attestation of Compliance (AOC)
Once your SAQ is complete and every applicable control is in place, you complete and sign an AOC: a formal statement that your business meets the PCI DSS requirements that apply to it. The AOC, together with the SAQ and your latest ASV scan results where required, is submitted to your acquirer or card payments provider, normally once a year.
8. Maintain compliance
PCI compliance is not a one-time event; it's an ongoing process that should form part of business-as-usual activities. The SAQ and AOC are renewed annually and ASV scans run quarterly, but in between you still need to review your controls whenever your systems, suppliers or payment channels change, keep scanning and patching, and update your scope document to match reality.
By following these steps, your retail business can become PCI compliant and protect your customers' sensitive data, and by treating compliance as routine maintenance rather than an annual scramble you will stay compliant.
Still have questions?
We appreciate that the subject of PCI compliance is complex; however, you can seek advice and support from your card payments provider. If you're a Bira member using Global Payments and are unsure whether you are compliant, please contact the membership team on 0121 446 6688.
For further information on our card processing membership benefit,