How to Make PCI Compliance Part of Your Business Plan

March 28, 2017 • Category: PCI 101

Guest post by Beth Kotz, Credit.com

If you own or manage a business, you understand the vital importance of a coherent business plan. Your business plan represents the essential blueprint from which your company is built and directed, and in order to be effective, it should encompass every aspect of your operations. This includes data security, which has become particularly important in today’s digitally-driven economy.

The Payment Card Industry Data Security Standard (PCI DSS) is only a part of that puzzle, but it's one with which any business that stores, processes or transmits cardholder data must comply. If your business plan doesn't incorporate PCI compliance, you're putting your business and its customers at risk. Consider the tips below to help safeguard your data and ensure that your business is ready to compete in the modern marketplace.

Audit Your Data

In order to secure your business's data properly, you first need to understand exactly what data you're receiving and how it is being used. For this reason, your data security procedures should include routinely updating your data inventory. Identify and classify the different types of data your business handles, how that data is being processed and stored, and who has access to it. For PCI purposes, the key output is a map of where cardholder data enters your business, where it flows and where it comes to rest, because every system that touches it is in scope for the standard; the less card data you keep, and the fewer places you keep it, the smaller your compliance burden. Next, review the security measures currently in place to protect that data and decide whether changes need to be made. While this can all be done in-house, you may also wish to consult with an independent data security expert to identify potential vulnerabilities or risks.

Create Classification and Privacy Policies

You should already have data classification and privacy policies in place, but if you don't, now is the time to create and implement them. A privacy policy lays out precisely what data may be collected from customers, how it may be used and how it will be protected, and it's an essential part of your data security plan. A classification policy defines which categories of data (cardholder data being the obvious one for PCI) must be handled, stored and disposed of in a specific way. It's also essential to communicate these policies to your employees so that everyone understands your business's legal obligations and expectations for how data is to be handled. If you already have these policies in place, it's a good idea to review them on occasion and provide refresher training for employees.

Implement Layered Security

When it comes to security, there are no guarantees. Any individual security measure is susceptible to failure, which is why it's essential that you put multiple layers of protection in place. Strong passwords for all devices and applications are a must, and multi-factor authentication should be added wherever you can; PCI DSS already requires it for administrative access to the systems that handle card data and for any remote access into your network. Cardholder data should be stored only where there is a genuine business need for it, and then in encrypted or otherwise unreadable form on physically secured systems. Sensitive authentication data, such as the full magnetic stripe contents, the card verification code or the PIN, must never be stored after a transaction is authorized, encrypted or not. A properly configured firewall offers a valuable first line of defense. The more barriers you can put between your business's data and potential intruders, the better off you'll be.

Develop an Incident Response Plan

Though there's a great deal you can do to keep your data protected, credit card fraud and other data breaches will always present some level of risk. Should a breach or other security failure occur, you and your business must be prepared to respond quickly and appropriately to address the problem. Simplify the process by creating a written incident response plan and communicating its content to your employees. This plan should identify the risks your company and its data may face and put in place specific procedures to be followed in the event that one of those risks becomes a reality, including who to notify, which for card data means your acquiring bank and the card brands. PCI DSS requires that the plan exist and that it be reviewed and tested at least annually, so a plan that sits in a drawer untested does not count.

Train Your Employees

For all the high-tech security solutions available to your business, the greatest security vulnerability is often your own employees. With that in mind, your data security plan must include proper training to help your employees stay protected and avoid falling for common tricks and scams. In particular, emphasize the importance of using a strong, secure password and offer training on how to recognize phishing emails and phone calls. It’s also useful to set up a designated email inbox to which employees can forward suspicious emails for closer inspection.

Seek Outside Assistance

Data security is a complex and ever-changing field, and you may find that you simply don’t have all the answers you need. In order to ensure PCI compliance and keep your sensitive data secured, consider reaching out to your bank or payment processor for support. Reputable banks and processors should be just as concerned with security as you are, and their expertise can be invaluable in developing a strong data security policy to protect your business and safeguard your customers’ personal and financial information.

A data breach can be exceptionally damaging for small businesses. If you aren’t PCI compliant, it can even put your entire business in peril. Small businesses have become increasingly popular targets for fraud and other digital threats in recent years, which is why your core business plan must account for data security and PCI compliance. Implement the steps laid out above and your business will be more secure and better prepared to face the many threats posed by today’s data-filled world.


Beth Kotz is a contributing writer to Credit.com. She specializes in covering financial advice for female entrepreneurs, college students and recent graduates. She earned a BA in Communications and Media from DePaul University in Chicago, Illinois, where she continues to live and work.