As small and medium businesses begin to re-open following the pandemic, it’s important to do so securely in order to protect customers’ payment card data. Too often, data breaches happen as a result of vulnerabilities that are entirely preventable. The PCI Security Standards Council (PCI SSC) has developed a set of payment protection resources for small businesses. In this 8-part back-to-basics series, we highlight payment security basics for protecting against payment data theft. Today’s blog focuses on choosing trusted partners.
It’s critical you know who your service providers are and what security questions to ask them. Is your service provider adhering to PCI DSS requirements? For e-commerce merchants (and those of you who recently started accepting e-commerce payments in lieu of face-to-face payments), it is important that your payment service providers are PCI DSS compliant, including the service provider that manages your payment process (your “payment service provider” or PSP).
Small businesses may come into contact with a number of payment vendors or service providers. It is important for merchants to understand the type of vendor they are working with and ensure the vendor has taken appropriate steps to protect card data.
Here are some tips to keep in mind:
Know who to call: Who is your merchant bank? Who else helps you process payments? Who did you buy your payment device/software from and who installed it for you? Who are your service providers?
Keep a list: Now that you know who to call, keep company and contact names, phone numbers, website addresses, and other contact details where you can easily find them in an emergency.
Confirm the security of your service providers: Is your service provider adhering to PCI DSS requirements? For e-commerce merchants, it is important that your payment service provider is PCI DSS compliant too!
Ask questions: Once you know who your outside providers are and what they do for you, talk to them to understand how they protect card data. If a vendor or solution provider does not provide you with positive answers to applicable questions, you should strongly consider looking for another vendor or solution provider.