Top 5 Security and PCI Compliance Practices for Small Merchants

Posted by Jayme Moss on Jan 20, 2015 8:30:00 AM

January 1, 2015 marked the official date that PCI DSS 3.0 became mandatory for merchants. There have been numerous articles speculating on how this will affect merchants' success at passing compliance assessments with their PCI Qualified Security Assessors (QSAs). The new security standards were designed to counter the increasing prevalence of large-scale breaches, but they have caused some confusion and concern among smaller merchants, who struggle to balance costs against risks.

In a sneak preview of its 2015 PCI Compliance Report, the managed IT services giant Verizon hinted at two key problem areas that cause merchants to fall out of PCI DSS compliance: struggling to maintain PCI compliance year round, and firewalls.

Continuous Compliance

The 2015 Verizon PCI Report won't be revealed until next month, but its early look at the 2015 data indicates that most merchants struggle to maintain year-round PCI compliance. The company said fewer than one-third of organizations have remained fully PCI compliant less than a year after being validated.

That's in stark contrast to the "continuous compliance" mantra advocated by the PCI Security Standards Council. According to experts, one of the primary objectives of PCI DSS version 3.0 is to require companies to maintain adequate security controls to protect payment card data at all times, not merely to pass an annual assessment.

Firewall Maintenance

Verizon continues that improper firewall maintenance is another leading cause of PCI DSS compliance failures. According to Verizon, the two top areas where organizations fail to meet PCI compliance requirements involve Requirement 11, which covers the regular testing of security systems and processes, and Requirement 1, which covers installing and maintaining firewalls. Verizon has seen that firewall rule reviews are either not being conducted adequately or not being conducted at least every six months, as the PCI DSS requires.

Smaller Merchants Best Practices

Verizon's annual PCI report will include findings based on data from Fortune 500 and large multinational firms in more than 30 countries. But what about smaller merchants? PCI DSS 3.0 and the scrutiny of QSAs are still a real concern for them, regardless of their size.

It is a good time to review your basic security practices. Solupay partners with Control Scan to offer easy and affordable PCI compliance to smaller merchants. We invite you to download their whitepaper, The Top 5 Security Best Practices for Small Merchants. As always, if you have any questions or concerns about PCI DSS 3.0, contact the experts at Solupay.

Download the Whitepaper "5 Best Security Practices for Smaller Merchants"

Topics: PCI