With PCI 3.0 becoming effective this year, we’ve spent a lot of time talking about how businesses can prepare now to make sure they’re compliant for their 2015 audit. Yet in all of our discussions, we haven’t talked much about small to medium-sized businesses that fall beneath the $100 million revenue range.
Consider that compliance can be a burden even for enterprise brands with dedicated staff, budget and resources, and it becomes clear why smaller businesses face some unique challenges. Payment card security is about more than passing audits; it’s about being part of a larger risk management and security program that can help defeat the sophisticated cybercriminals who target applications every day. If giants like Target (2013 revenue of $73.3 billion) and Neiman Marcus (2012 revenues of $4.3 billion before being sold in 2013) can suffer breaches, anyone’s at risk.
This is especially true for those businesses that often lack the deep budgets and on-staff security expertise of their larger competitors. These companies need help in understanding both the risk of non-compliance and the PCI standards they must meet.
Compliance for the Non-Enterprise
If your organization handles cardholder and finance data, I don’t have to tell you about your compliance challenges. In addition to improving your security posture, you’d probably like a cost-effective, comprehensive process that helps you avoid the repercussions of a breach or a failed audit. The good news is, you can do it. The trick is starting now and adopting a proactive approach to PCI compliance.
- Build a culture of compliance. Compliance is no longer an annual task, but a daily business-as-usual part of the workplace. For many of you, that could mean educating your staff, partners and leadership about their roles in payment card security. Take a look at our earlier PCI webinars to find out how you can prepare your organization.
- Don’t be afraid to outsource. Smaller merchants should consider options that reduce or eliminate the amount of cardholder data they handle. The right third-party provider can lighten your compliance burden and help you experience smoother, faster audits. Be sure to work with validated providers who successfully pass their own assessments, and get all responsibilities spelled out in contracts. Also consider outsourcing alternatives such as payment gateways or processors that offer host capture and tokenization, which can actually remove cardholder data from your systems, or P2PE (point-to-point encryption) for card-present (POS) transactions.
- Work through a compliance calendar. The best way to tackle your upcoming operational and technical changes is by following a timeline starting a year before your 2015 audit.
  - 12 months out: Define your cardholder data environment (CDE) and take steps to limit its scope. Level 3 and Level 4 merchants aren’t required to have a QSA-led audit; they can instead validate their compliance by completing one of the self-assessment questionnaires (SAQs) provided by the PCI Council. These businesses should consider using an online PCI assessment tool to determine which SAQ they need to complete, then use it to walk through the process.
  - 9 months out: Remember, merchants under that $100 million revenue mark want to stay away from cardholder data. But if you are working with this type of information, you’ll want to run cardholder data searches across your entire environment, and have a penetration test done to validate your CDE boundaries.
  - 6 months out: Review your documentation and verify your understanding of the PCI DSS 3.0 requirements.
  - 3 months out: Perform a thorough pre-assessment to identify any remaining needs. You’ll likely find gaps, and starting early gives you time to address them before your 2015 audit.
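The "12 months out" and "9 months out" steps both come down to knowing where cardholder data actually lives. The Python script below is an added example, not code from the original post or from any assessment tool it mentions: it searches text for candidate primary account numbers (PANs), discards anything that fails the Luhn check, and reports findings masked to the first six and last four digits so the scan output doesn’t itself become cardholder data. The regular expression, the file-size limit and the sample log lines are constructed for this example; the card numbers in the sample are the widely published Visa and Mastercard test numbers, not real accounts.

```python
import os
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjoining other digits. Constructed for this example; widen or narrow it
# to match the card brands you actually accept.
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Constructed sample log lines. The card numbers are the standard Visa and
# Mastercard test numbers; the 13-digit ticket reference and the phone number
# are included to show what the Luhn filter rejects.
SAMPLE_LOG = """\
2014-03-01 10:22:13 order=88213 card=4111 1111 1111 1111 exp=12/16 amount=49.99
2014-03-01 10:22:14 order=88214 card=5500-0000-0000-0004 amount=12.00
2014-03-01 10:22:15 support ticket ref 1234567890123 phone +1 555 0100 2000
2014-03-01 10:22:16 order=88215 card=tok_7f3a9c1b amount=20.00
"""


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the most PCI DSS requirement 3.3
    allows to be displayed) so the scan report stays out of scope."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return [(masked_pan, offset), ...] for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a directory tree and map each file path to its masked hits.

    Files are read as text with undecodable bytes ignored, so ASCII PANs inside
    mostly binary files are still caught; files above max_bytes are skipped.
    """
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_pans(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python pan_scan.py /path/to/share
        for path, hits in scan_tree(sys.argv[1]).items():
            for masked, offset in hits:
                print(f"{path}:{offset}: {masked}")
    else:
        for masked, offset in find_pans(SAMPLE_LOG):
            print(f"sample:{offset}: {masked}")
```

Run it against file shares, log directories, database exports and backups, not just the systems you believe are in the CDE; every hit outside the boundary you defined at the 12-month mark is either a scope finding or data that should be removed or tokenized. The Luhn check eliminates most numeric noise (order numbers, phone numbers, timestamps) but long identifiers can still pass it by chance, so treat the output as a list to review, not a verdict.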
And there you have it: your roadmap to 3.0 compliance. Don’t hesitate because you think your lack of resources and staff will hold you back. The truth is, you can get compliant in time for your 2015 audit. And while that will be an important focus for your business this year, remember the bigger picture: getting ready for PCI DSS 3.0 shouldn’t take the place of putting together a larger security and risk management program. Compliance does not equal security, and your security program should be built on best practices and an assessment of the risks in your organization. If you put the emphasis on security and make compliance a reporting function of that program, you’ll have a better chance of both keeping cyber-attacks at bay and passing your 2015 audit.