PCI DSS for small merchants

Mathieu Gorge, CEO and founder, VigiTrust
The Payment Card Industry Data Security Standard (PCI DSS) governs how merchants who either process, store or transmit credit cardholder data must protect such data. Created in 2004 by MasterCard, Visa, American Express, JCB and Discover, it harmonizes the security controls imposed by brands. However, all “actors” of the credit card payment chain must comply: merchants, payment service providers, banks and hosting providers (if applicable).

PCI DSS applies to mom-and-pop shops, as well as household-name retailers. The validation process is based on annual credit card transactions, not monetary value. At the lowest level, you need to validate compliance by filling out a self-assessment questionnaire (SAQ) and performing quarterly scans using an approved scanning vendor (ASV). At the highest level, a qualified security assessor will perform an on-site audit annually. Quarterly scans are also mandatory.

All merchants need to comply with all requirements, regardless of which compliance validation mechanism applies to them. So small merchants need to ensure they have appropriate technical and physical security safeguards, as well as policies and procedures, in place. They also need to train all appropriate staff upon hire, and once annually thereafter, in matters regarding credit card security. This is often not covered by merchants who have been misled by compliance readiness programs, some of which include only the mandatory quarterly scans and SAQs and leave out training and policies.

Many banks have already written to merchants about PCI DSS, aggressively promoting compliance programs by publishing the risks associated with noncompliance, such as bank fines, card brand fines, potential withdrawal of the ability to process credit cards, Visa forensic investigation costs, and consumer card replacement costs. However, smaller merchants feel that this can't happen to them because, while the brands do publish aggregate numbers of overall fines, they do not name and shame. The media, however, does do that, which creates huge reputational risk for small merchants who, unlike a TJX, which has enough money to manage a security incident and bounce back, will greatly suffer, lose clients and may even go out of business.

Visa is now satisfied that 96 percent of its Level 1 merchants in the United States are compliant, whereas Level 4 merchants' compliance is “moderate.” Focus is therefore shifting toward smaller merchants in specific industries, especially hospitality. Last year, Visa identified vulnerabilities targeted at the hospitality sector, which were then confirmed by an independent report showing that hackers steal card data from this vertical more than from any other.

So how do small merchants comply? The first step is descoping: can you take noncritical components out of the cardholder data environment to reduce PCI DSS scope? Can you map credit cardholder data flow in an ecosystem diagram? Do you verifiably protect data according to PCI DSS technical, procedural and skills-transfer requirements? Remember, this is not rocket science, and it should be done anyway to comply with laws governing personally identifiable information.

Do enroll in a compliance program, but ensure it covers more than just scans and the SAQ. PCI DSS readiness programs must also include staff training and policies and procedures. Maintain security levels at all times to achieve continuous compliance and reduce recertification costs.

PCI DSS version 2.0 was unveiled in September at the PCI Community Meeting in Orlando, Fla. Its impact on small merchants remains to be seen. However, security breaches involving credit cards will definitely happen to both small and large merchants. Fines will be issued, and reputational damage will take its toll. The last thing small merchants need at this challenging time for business is reputational damage. Keep your customers' credit cardholder data safe to keep your business safe, and use PCI DSS as a strategy to do so.

Mathieu Gorge is the CEO and founder of VigiTrust.