Cyber Policies and Accountability

October 14, 2025


In last week’s article for Cybersecurity Awareness Month we discussed how PCI “checkbox compliance” doesn’t necessarily mean your business is secure. Most small businesses, including Ace stores, fall under the “Tier 4” classification from Visa, Mastercard, Discover, and American Express — allowing them to self-certify their PCI compliance. Unfortunately, many only discover they’re not truly compliant after a breach occurs.

PCI compliance requires two foundational documents:

  • Information Security Policy
  • Incident Response Plan

Your team must not only have these documents in place — they must understand and follow them. Here’s what each entails and why they matter.

Information Security Policy

Your Information Security Policy defines how your organization protects customer, employee, and business data, as well as the systems that store and access it. While PCI focuses on safeguarding credit card data, every state also has laws protecting personally identifiable information (PII) — such as Social Security numbers, financial account details, and contact information.

Your policy should include clear standards for:

  • Passwords and access controls
  • Anti-phishing protocols
  • Anti-virus and endpoint protection
  • Physical security of computers and network devices
  • Remote access rules
  • Cybersecurity awareness training

Incident Response Plan

An Incident Response Plan (IRP) outlines how your organization will respond to a cybersecurity incident — before it happens. The middle of a crisis is the worst time to decide who does what. Whether you’re facing a minor malware infection or a full-scale ransomware attack, your IRP provides a roadmap for minimizing damage and restoring operations quickly.

Depending on the nature of the incident, you may activate one or more parts of your Incident Response Plan. The major elements of the plan are depicted in this diagram:

When a cyber incident occurs, every minute counts. Systems may be offline, staff under pressure, and customers frustrated. Your IRP ensures that key steps are taken in the right order — containment, communication, investigation, and recovery — so your business can get back on its feet as fast as possible.

You can find additional guidance for developing your Information Security Policy and Incident Response Plan on AceNet > Ace Way of Retailing.

Culture and Accountability

You already have strict procedures for handling cash shortages, internal theft, and shoplifting — because those losses hurt your bottom line. A cyber incident can cost ten to fifty times more than traditional loss events. Building a culture of cybersecurity awareness is just as important.

Empower staff to report suspicious activity, model good cyber hygiene from leadership, and ensure consistent accountability. Cybersecurity isn’t just an IT issue — it’s a business survival issue.