Payment Card Industry (PCI) Compliance
It has become commonplace for consumers to purchase goods and services with debit or credit cards rather than cash. However, this convenience exposes both consumers and your business to risk. To protect your company and your customers, and to remain compliant, it is critical that your company understands the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS Overview: What You Need to Know
The PCI DSS is a set of requirements designed to ensure that all entities that process, store or transmit payment card information maintain a secure environment. The PCI DSS establishes a minimum set of requirements for protecting cardholder data. Whether you process one credit card per year or 1 million, the PCI DSS is meant to ensure the security of your business and customers.
In addition, state and local laws may require specific protections for personal information or other data elements. The PCI DSS does not supersede or replace local or state laws, federal regulations or other legal requirements; it applies alongside them.
Failure to comply with the PCI DSS can also jeopardize customer relationships following a data breach. Brand loyalty and trust are easily lost, especially when you are responsible for protecting personal data from cyber criminals.
There are 12 high-level PCI DSS requirements:
Build & Maintain a Secure Network
1 - Install and maintain a firewall configuration to protect data.
2 - Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3 - Protect stored cardholder data (render the card number unreadable wherever it is stored, for example with strong encryption, truncation or tokenization).
4 - Encrypt transmission of cardholder data and sensitive information across public networks.
Maintain a Vulnerability Management Program
5 - Protect all systems against malware and regularly update anti-virus software.
6 - Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7 - Allow access to data only on an individual, need-to-know basis.
8 - Assign a unique ID to each person with computer access.
9 - Restrict physical access to cardholder data.
Regularly Monitor & Test Networks
10 - Track and monitor all access to network resources and cardholder data.
11 - Regularly test security systems and processes.
Maintain an Information Security Policy
12 - Maintain a policy that addresses information security.
For more specific information on PCI DSS compliance, visit the PCI Security Standards Council website. Please be aware that this guidance is not a substitute for consulting a specialist and implementing your own PCI DSS program. Experts recommend that you contact your acquirer, the bank or payment processor that holds your merchant account and settles your card transactions, to clarify the steps towards compliance.
Potential PCI Risks
Despite all the ways in which accepting payment cards can help your business, it is not risk free. It is important that you understand the potential risks your company could encounter, which include, but are not limited to, these five common PCI risks:
1 - Untrained Employees. Staff should understand the rules for accepting cards — untrained staff can make mistakes and cost you money.
2 - Counterfeit Cards. Generally, the magnetic stripe on a counterfeit payment card will appear rough and will not read when swiped at the terminal. The embossed numbers may also be misshapen or misaligned. Failing to spot a fake card can be costly.
3 - Failing to Match Signatures. When a transaction requires a signature, employees should check that the cardholder's signature matches the one on the back of the card.
4 - Storing Cardholder Data. Any cardholder data you keep must be stored and transmitted securely, with the card number rendered unreadable (for example, encrypted or truncated), and sensitive authentication data such as the full magnetic stripe contents and the card security code must never be stored after authorization. Neglecting to do so could ruin your business.
5 - Authorizing False Refunds. Fraudsters often try to obtain cash refunds for card transactions. Ensure that all staff know how to process a refund correctly, or risk being held responsible for costly chargebacks.
Mitigating Potential PCI Risks
Fortunately, the measures for addressing the risks of accepting payment cards are straightforward:
Provide thorough training on properly handling payment card transactions. This could include what to do if a customer or payment card seems suspicious, and the process for accepting returns.
Review the PCI DSS requirements annually to ensure the safety of your business and customers.
Choose a password for your payment card system that is at least seven characters long and combines upper- and lowercase letters, numbers and symbols, and change it at least every three months. These are the minimums in PCI DSS v3.2.1; PCI DSS v4.0 raises the minimum length to 12 characters. Never share the password between staff: requirement 8 calls for a unique ID for every person with access.
Incorporate additional protections offered by your acquirer and the card brands, such as a Code 10 call to the authorization center to report a suspicious card or transaction, to better protect your business and your customers' data.
Charge With Confidence
As payment cards have become a necessary business standard, your company needs to be aware of the PCI DSS in order to establish a secure and efficient payment card system. To find out more about how your company can protect itself from the potential risks associated with accepting payment cards, contact us today!