Many small business owners think PCI compliance just means hiring the right merchant service provider. But protecting your customers’ identities and credit card information goes beyond the screen. Find out what you should be doing offline to meet PCI compliance standards.
1. Create Clear Policies and Train Employees
Good PCI compliance starts with clear company policies about how customer information is obtained, stored, and used. Far too many small business owners casually incorporate credit card processing without doing the hard work of writing and training employees in appropriate security policies. Make sure your policies address physical security, destruction of records, and computer privacy protocols.
2. Never Retain Credit Cards
Make it a hard and fast rule that your business never retains customer credit cards. Even if a client wants to make monthly payments, or simply delay a transfer overnight, your employees should never store their credit card information on site. Instead, sign up with a merchant services provider that already has the PCI compliance standards in place to properly obtain, store, use, and dispose of your customers’ confidential information.
3. Restrict Who Processes Credit Cards at Work
It may be tempting to train every employee to receive credit cards and enter them into your system. But doing so increases the chances that something will go wrong. Identify a small number of highly trusted employees to receive and process credit card payments. Give each of them their own dedicated log-in to the system, never a shared account. That way, if something does go wrong, you will be able to trace who did what and get to the bottom of it more quickly.
4. Keep Physical Personal Records Secure
Your employees aren’t the only ones who use your space. Janitorial crews, contractors, and even customers can sometimes gain physical access to the filing cabinets and hard-copy files. If your office has not gone paperless, make sure you keep personal information in a secure location, and restrict access to those files.
5. Cyber Security Starts At the Keyboard
Much of PCI compliance happens behind the scenes on your merchant services terminal or website. But if an unauthorized user gains access to the physical terminal, all your careful cyber security will be useless. Use automatic password-protected screen savers, and log out of financial processing programs whenever they are not in use. Require each employee to create their own account with a strong password to further protect against unauthorized use.
PCI compliance isn’t just an IT project. It requires strong security policies that apply to customers at the front door, on the phone, and in the cloud. Do your part by creating and enforcing strong policies to protect your customers’ confidential information. It will make filling out your annual PCI compliance questionnaire a breeze, and will protect your company from being compromised.
Provisio Technology Solutions is a web development company that provides PCI compliant websites to small business owners receiving payments online. If you have questions about securing customer information, contact Provisio today to schedule a meeting.