A small-business owner read tech-media reports (including this TechRepublic article) about cybercriminals preferring to victimize small businesses, and she wanted to find out if her business was as secure as she thought. Her cousin, who is also a small-business owner, told her about a security-evaluation tool recently released by the PCI Security Standards Council (PCI SSC).

What is the PCI SSC, and how can it help small businesses improve security?

The PCI SSC is a global forum of payment-industry companies that jointly develops security standards for protecting payment-account data. It has a vested interest in the topic, as most customer transactions now involve credit or debit card information, and it is the body behind the PCI Data Security Standard (PCI DSS). “PCI DSS is a compliance regulation which applies to all entities that store, process, and/or transmit cardholder data,” according to the PCI SSC website. “If you accept or process payment cards, PCI DSS applies to you.”

The standard revolves around the following processes:

  • Assess: Identifying cardholder data, taking an inventory of IT assets and business processes for payment-card processing, and analyzing them for vulnerabilities.
  • Remediate: Fixing vulnerabilities and eliminating the storage of cardholder data unless absolutely necessary.
  • Report: Compiling and submitting required reports to the appropriate acquiring bank and card brands.
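Identifying cardholder data in the Assess step, and eliminating its storage in the Remediate step, both begin with knowing where primary account numbers (PANs) sit in files that were never meant to hold them: exported spreadsheets, application logs, database dumps. The Python script below is an added illustration and is not part of the article or of any PCI SSC tool. It scans constructed sample records for runs of 13 to 19 digits, keeps only those that pass the Luhn check every card number satisfies, and returns both a findings list for the assessment and a redacted copy that retains only the last four digits. The records and card numbers are constructed test values, not real accounts.

```python
import re

# Constructed sample records (not from the article): lines as they might appear in
# an exported spreadsheet, application log or database dump. The card numbers are
# the industry's published test numbers, not real accounts.
SAMPLE_RECORDS = [
    "order=1001 customer=jane card=4111111111111111 exp=12/26",
    "order=1002 customer=bob card=4111 1111 1111 1112 exp=01/27",  # fails Luhn: not a PAN
    "order=1003 invoice_number=5500000000000004",
    "ticket 378282246310005 opened",  # 15-digit number that is Luhn-valid
]

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(match_text: str) -> str:
    """Strip the separators a human might have typed into a card number."""
    return re.sub(r"[ -]", "", match_text)


def find_pans(text: str) -> list:
    """Return separator-free candidate PANs in text that pass the Luhn check."""
    pans = []
    for m in CANDIDATE_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the most a receipt or log should retain."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other numbers alone."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_RE.sub(_sub, text)


def scan_records(records) -> list:
    """Assess step: list (record index, masked PAN) for every record that holds a PAN."""
    findings = []
    for idx, line in enumerate(records):
        for pan in find_pans(line):
            findings.append((idx, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: stored PAN found, {masked}")
    # Remediate step: keep a redacted copy instead of the raw records.
    for line in SAMPLE_RECORDS:
        print(redact(line))
```

The Luhn check removes most false positives (record 1 is a 16-digit number with a bad check digit, so it is neither reported nor altered), but it does not remove all of them, since roughly one in ten random digit runs passes by chance; findings still need a human look before anything is deleted. A real assessment runs this kind of scan over backups, mail archives and shared drives as well as the obvious databases, because those are the places where cardholder data lingers without anyone deciding to keep it.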

Data Security Essentials evaluation tool

Small-business owners need not worry about how to accomplish the above on their own. The PCI SSC’s Data Security Essentials evaluation tool walks through the three processes, giving merchants insight into the security practices that are relevant to how their particular business accepts payments.

“This new evaluation tool provides small businesses with awareness of the most common, critical risks for their environments and the proper resources to address potential threats,” PCI SSC Chief Technology Officer Troy Leach explains to Michael Guta in this Small Business Trends article. “Additionally, PCI SSC’s Data Security Essentials resources provide the right questions to ask payment partners when having a dialogue with them about payment security. That conversation can only improve a small-business owner’s understanding of proper payment security.”

Data Security Essentials resources

The Data Security Essentials resources mentioned by PCI SSC’s Leach are educational materials developed specifically for small businesses on how to protect their customers’ sensitive financial information. “The educational material was developed by the PCI Small Merchant Taskforce,” the resource website states, as Guta reports. Guta notes, “The task force is a global, cross-industry consortium launched by the Council in 2015. And, it has developed the educational resources to help small businesses protect payment-card data from being compromised.”

Check out the full resources list; the following are some of the more important items, as described by the PCI SSC.

  • Guide to safe payments (PDF): Simple guidance for understanding the risk to small businesses, security basics to protect against payment-data theft, and where to go for help.
  • Common payment systems (PDF): Visuals to help identify the type of payment systems being used by small businesses, the kinds of risks associated with each system, and actions that can be taken to increase security.
  • Questions to ask your vendors (PDF): A list of vendors small businesses typically use and the questions small-business owners should ask to ensure customer data is protected.
  • Glossary of payment and information security terms (PDF): Easy-to-understand explanations of technical terms used in payment security.
  • PCI Firewall Basics (PDF): A one-page infographic on firewall-configuration basics.
The PCI SSC resource website also recommends the following training programs for small-business owners and their employees.

  • PCI Awareness training: Learn about the 12 PCI requirements that will improve the company’s security posture and reduce risk to cardholder data.
  • PCI Professional (PCIP) training: An e-learning course for those with at least two years of IT experience. This course offers tools to help build a secure payment environment and help organizations achieve PCI compliance. Earn a three-year renewable credential and get listed on the PCI website.

Not a bad place to start

The PCI SSC founding members are the who’s who of the payment-card industry, and their goal is to help merchants and financial institutions understand and implement standards for protecting their payment systems from breaches and theft of cardholder data.

It sounds like the shop owner’s cousin gave her good advice. The price is right, too.