It seems that everyone accepts credit cards nowadays – including the farmer who sells produce at my local farmers' market (which I appreciate because I never have cash)! Anyone who accepts credit cards or debit cards, even a sole proprietor who processes a small number of transactions, must comply with the Payment Card Industry Data Security Standard ("PCI DSS"). Many small businesses have never heard of the PCI DSS, or assume that the requirements do not apply to them or that compliance is too expensive. To the contrary, all merchants that accept credit cards must comply with the PCI DSS, and the costs of a breach generally outweigh the time and expense of setting up a secure and compliant card payment system in the first place.

Small businesses are prime targets for hackers because they often have lax security measures. Hackers can break into hundreds of unprotected small businesses as easily as one large business with tight security. Without proper security in place, a hacker can identify a weakness and steal your customers' card data in seconds, leaving you to clean up the mess.

Small businesses often think that it is too costly to employ adequate data security measures. But consider the following common costs of a security breach:

  • Time and money spent investigating the breach to determine how it occurred and which customers were affected;
  • Fines imposed on your bank by the payment card brands, which your bank passes on to you in the form of monetary penalties, increased transaction fees, and other charges;
  • Reimbursement of fraudulent charges to the banks that issued your customers' cards, which could also sue you to recover their losses;
  • The expense of notifying affected customers; and
  • Lost business from customers who had to deal with disputing charges and getting new cards, or who worry about future breaches.

On the other hand, the cost of complying with the PCI DSS can be low for a small business. The requirements are essentially security best practices, and the compliance burden depends largely on how a merchant processes card transactions:

  • To keep PCI compliance costs down, businesses that process only a few transactions should use a third-party processor, such as Square, which takes on much of the PCI compliance burden.
  • Businesses with more volume that use a dial-up terminal must have additional security measures in place, although these are common security procedures that a company of that size likely already follows, such as encrypting cardholder data and restricting access to it.
  • PCI compliance becomes a real issue when a small business accepts only a few card transactions but runs a full-blown POS system on a computer connected to the Internet without adequate firewalls. In this scenario the risk of a breach is much higher and, therefore, so is the PCI burden, which then includes quarterly vulnerability scanning.

With a little upfront effort to comply with the PCI DSS, a small business can greatly reduce its risk of facing the unpleasant and costly consequences of a security breach, or of otherwise being found in violation of the PCI standards.