
3 Key Strategies for Achieving PCI Compliance for Your Business

Opinions expressed by Entrepreneur contributors are their own.

When you're starting a new business, the list of tasks you have to complete is a mile long: sourcing finance; designing products, services, websites, and logos; setting up corporate structures; and establishing methods of operation. One area that fledgling entrepreneurs really need to be aware of in this day and age, though, is PCI compliance.


PCI DSS, as it is referred to, stands for Payment Card Industry Data Security Standard. The standard exists to ensure that card payments are handled securely whenever merchants accept credit or debit cards from their clients. Every company, however large or small, must meet its requirements if it accepts, transmits, stores, or processes cardholder data.

Although the thought of becoming PCI compliant may seem overwhelming and time-consuming, it's an important element of trading digitally in the current technological age, particularly when there are so many forms of payment fraud to keep an eye out for. By ensuring that your business is compliant, you will protect your venture from damaging hacks and other leaks of confidential customer information, and you will build and keep customer trust over the long term.

Keep in mind that it is the responsibility of business owners to make sure that all cardholder data is fully protected. If any consumer details are stolen and you can't show that your firm was compliant, you could face a range of negative consequences, including fines, penalties, an inability to accept card payments in the future, and even potential business closure.

If you need to know what's involved in safeguarding your business and how best to go about it, read on for some handy tips you can follow today.

1. Understand what information must be protected.

The first step to take regarding PCI compliance is understanding what qualifies as sensitive data needing protection. Be aware that the type of information that needs to be handled carefully is not just financial data, like credit card numbers, but also any personally identifiable information that could be linked to an individual.

Next, be clear about where such data is kept. You should analyze exactly where in your business the customer information travels, and how it does so. Understand what happens to information once it leaves your customer's hands and enters your firm's systems, whether for data processing, storage, or transmission.

You should be clear on how the information moves from system to system so that you can ensure it remains protected during each step along the way. Remember that this doesn't just include online systems, but also manual ones, such as the collation of data within an office environment, or details collected on site at customers' premises or other locations.

2. Do not store data.

If at all possible, one of the best things you can do to help your business achieve PCI compliance is to not store any sensitive data at all. Looking at the systems you analyzed above, consider whether, at each point along the cycle, the information really does need to be retained and stored, or not.

If you can, use an e-commerce system that lets you avoid storing data after customers have been charged in real time (plenty of products on the market offer this feature, so you shouldn't have trouble locating one).

If there is an absolute need for details to be stored, give access to that database only to people within the company who really must have it, and give each of those team members their own unique login credentials. Furthermore, all company employees should be clear on the importance of protecting customer information, and on the potential consequences the business could face if it is not.

3. Have firewalls and other computer security measures in place.

Another good idea that will help you achieve compliance is putting firewalls in place on all of the computer systems you use for work. Strong security comes from multiple layers of protection, and firewalls act as a first line of defense, helping to stop attackers from reaching your information through your Internet connection.

Don't just "set and forget" firewalls, though: they should be properly configured and checked on a regular basis to ensure that no unprotected holes in security have opened up. In addition, all your devices should be password protected and encrypted. Passwords should be strong (that is, containing upper- and lower-case letters, plus numbers and symbols) and changed around every two to three months.

In addition, don't give out computer/password access to contractors, consultants, technicians, or other external people at the drop of a hat; and limit any remote access to your network as much as possible. Also, it pays to regularly check your computers and point-of-sale machines for rogue software or skimming devices.
