A business plan represents the scaffolding upon which a successful business is built. It details how the business is organized, establishes operating procedures and lays out the goals the business intends to achieve. Increasingly, today’s business plans must also account for another critical consideration: data security. As data becomes ever more valuable and attacks by fraudsters become progressively more sophisticated and costly, protecting both business and customer data is more important for modern businesses than ever before.
If your business accepts credit cards, understanding and complying with the Payment Card Industry Data Security Standard (PCI DSS) is an essential part of your business plan’s approach to security. As with other data center certifications, PCI DSS is a set of standards intended to ensure that sensitive data (in this case, credit card information) is handled safely and appropriately, safeguarding businesses and keeping customers and their credit well-protected. Achieving PCI compliance isn’t always simple, but the tips below are vital to meeting this important standard.
Data is often among a business’ most valuable assets. In fact, single records of a person’s identifying information—referred to as “Fullz”—are typically valued at $30 or more. And yet, many businesses lack a complete understanding of the data they possess and how it is used and stored. To better understand your business’ data security needs, begin with a complete audit of your data.
Record and classify the various kinds of data your business collects and review the details of how that data is stored and used, who has access to it and what existing security measures are in place.
Layered security, also called defense in depth, is a principle common throughout the data security field. Because individual security measures may be vulnerable—surveys show nearly three-quarters of consumers use duplicate passwords and often don’t change them for years at a time—the best approach to securing data is incorporating a variety of layered measures into your overall security plan. Multi-factor authentication is a valuable first-line defense for consumers.
A properly configured firewall also offers enhanced protection for your business’ networks. On the administrative side, restrict physical access to networked computers and be sure to change the default passwords on any software and devices used by your business.
The unfortunate reality of data security is that even the best-laid plans cannot completely eliminate the risk of data loss and theft. Considering the average data breach costs approximately $141 per record stolen, not to mention the damage associated with loss of customer trust and goodwill and other factors, developing appropriate response and contingency plans is absolutely vital.
Begin by taking account of all laws and regulations to which your business may be subject in the event of a data loss or theft and ensure that your employees understand how to respond appropriately. Determine a chain of command so that every member of your organization knows how and to whom to report security issues, and reinforce the importance of treating every potential issue or suspicious activity as a legitimate breach.
While active security measures and strong protocols are essential to keeping your business’ data secure, they don’t account for one of your statistically greatest risks: your own employees. A 2014 study by the Ponemon Institute found that 31 percent of data breaches were caused by simple employee negligence or other “human factors.” To address this, work to turn your employees into security assets rather than risks.
Require that all organization members use strong passwords for any business applications and set clear policies regarding the use of personal devices on company grounds. Offer ongoing training to help employees recognize phishing, social engineering and other security risks, and make sure you have someone on staff to answer security-related questions and assist with any issues. It’s also advisable to establish a “phishing mailbox” to which employees can forward any suspicious emails for closer inspection.
Data security is a vast and complex issue, and it’s one you need not face alone. To ensure that your business plan is doing everything possible to enhance data security and meet PCI compliance standards, reach out to your bank or payment processor for assistance. Banks and processors have a vested interest in making your business’ data as secure as possible, and they likely have security professionals on-staff who can offer expert guidance specific to your business and its needs.
In fact, some financial institutions even offer PCI compliance audits done by a Qualified Security Assessor (QSA). Reaching out to your bank or payment processor also helps to develop working relationships that are often invaluable in the event of an actual breach, potentially saving your business time and trouble and facilitating a rapid and effective response.
Ready for a reality check? It’s estimated that roughly half of small businesses that suffer a data breach are out of business within six months. Even if your business is large enough to withstand such an attack, the financial and reputational costs can be devastating.
For this reason, it’s essential that your business plan includes a detailed approach to keeping your business’ data protected and staying PCI compliant.
By implementing the steps laid out above, you can reduce your exposure to these risks and give yourself – and your customers – greater peace of mind.