Forget HIPAA – If You Accept Credit Cards, You Have Another Compliance Standard to Worry About

High-profile data breaches hit the headlines every year as seemingly impenetrable global enterprises fail spectacularly to protect confidential customer data. Chipotle was the latest example of a big-name company unable to keep customer credit card numbers out of the hands of cyber attackers. However, it’s small businesses that make up the overwhelming majority of data breach victims and, unlike everyone’s favorite oversized burrito joint, SMBs rarely have the resources to recover.

If your business accepts credit or debit cards, then you owe it to your customers to ensure that their financial and personal information is kept safe. Those small plastic cards that we’ve come to rely on so much might be convenient, but they can spell disaster if they end up in the wrong hands, which is exactly why the Payment Card Industry Data Security Standard (PCI-DSS) was created in 2004.

What Is PCI Compliance?

The PCI-DSS exists to set security minimums for organizations that accept debit or credit cards for payment. Although the standard is not part of federal law, and compliance has only been legally mandated in Minnesota, Nevada and Washington, falling short of the standard in any state could put you out of business.

In fact, even if you do business in one of the other 47 US states, you could still be liable for the fines and fraudulent charges that follow a data breach. And beyond damage to your reputation, the card brands behind the PCI-DSS and your acquiring bank may revoke your card-processing privileges.

Many small businesses balk at the idea of going to the lengths necessary to meet yet another compliance standard, but that doesn’t change the fact that it’s still imperative if the majority of your payments come from those tiny pieces of plastic, which we’re willing to bet is true. Before the PCI-DSS was established, each credit card company provided their own sets of standards and guidelines. So hey, it could be worse.

What Does It Take to Become PCI DSS-Compliant?

Like any set of cybersecurity regulations, PCI-DSS requirements are fleshed out over hundreds of pages. It would take an individual at least a month to sift through it all. Thankfully, the standard’s 12 requirements can be broken down into six basic categories:

  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

That list is...strikingly similar to the Spectrumwise 7-layer security approach. And that’s because when it comes to cybersecurity, industries share a number of best practices. So, if you’re HIPAA-compliant and want to adopt PCI-DSS, you’re probably already halfway there.

Before you can start wading into any of the details, the first step involves determining your merchant level (often called your compliance level), which varies depending on which credit and debit cards your company accepts, as well as the number of transactions it carries out per year. Each card brand defines its own levels; for example, some payment card providers separate their levels by transactions made on-site and those made online.

Once you’ve determined your compliance level requirement, you’ll need to complete a PCI-DSS self-assessment questionnaire (SAQ). There are nine SAQs in total, so you’ll need to choose one that works with your setup. Depending on the way you handle card information, only some of the requirements will be relevant to your company.

Fewer requirements sure sounds nice, but just figuring out which questionnaire applies to you is difficult enough. For example, if you outsource all your cardholder data functions to validated third parties and never store, process or transmit card data on your own systems, most of the requirements will be irrelevant to you, and the shortest questionnaire (SAQ A) applies. Bring any part of that handling in-house, such as a payment page served from your own web server, and you move to a longer questionnaire with many more requirements.

After completing the questionnaire, you’ll need to complete the corresponding Attestation of Compliance (AOC) and submit it to the relevant parties, such as your acquiring bank and the credit card providers you support. Compliance must then be validated every year: merchants eligible for an SAQ re-complete it annually, while the highest-volume merchants (Level 1) need an on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance. Many SAQ types also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). In short, a qualified IT provider can easily take care of the technical side of compliance -- but prepare yourself for an unbelievable amount of paperwork!

PCI compliance means adhering to a rigid set of security standards and policies. And although there’s nothing simple about it, Spectrumwise is prepared to take a sizable portion of that burden off your shoulders. Whether it’s PCI-DSS compliance, HIPAA, or just plain old smart business, call us today for the best support in town.