PCI Compliance: What You Need to Know to Protect Your Business
In a world that revolves around technology and the internet, with businesses moving online and accepting credit cards as payment both in store and online, it is more crucial than ever that credit card information is protected. Most people work hard to keep their personal information out of the wrong hands, but what happens when they type that information into a website without a second thought, trusting that the company has the necessary precautions in place to safeguard it? We have all done this, making online purchases from large, reputable websites and from a few lesser-known sites as well. So how do you know your information is going to be protected? Any business that accepts credit cards as a form of payment, whether in store or online via a shopping cart, must comply with the PCI DSS standard. Being able to safely process (and, where unavoidable, store) credit card information is therefore vital to a business remaining profitable and in good standing, not only with the card brands but with its customers as well. Because credit cards have become the payment method of choice for many consumers, it has fallen on businesses to protect their customers' card data, which is why the card brands published a common security standard in 2004.
The Birth of the Payment Card Industry Data Security Standard
When the internet really started to take off, evolving into a necessary part of everyday life, more and more businesses realised the possibilities it afforded them and began conducting business online. It became readily apparent to the card brands that security breaches were increasingly common in online transactions. The PCI DSS standard came about as a result of the growing theft of banking and credit card information from insecure payment systems. The freedom to conduct and grow a business online, reaching a broader customer base, brings additional risk to which both the business and its customers are exposed. Malware and attackers are continually changing and adapting, finding new ways around even strict security controls in order to obtain and steal card data. Whether you are a start-up or a large, well-established corporation, protecting your customers' information is imperative, especially when it comes to their method of payment. The idea behind PCI DSS was to protect businesses and consumers from costly data breaches resulting from processing credit cards online or in store. While the requirements may seem daunting and overwhelming to business owners, knowing, understanding and complying with them is the best way to protect your customers' financial information and your business from fines and penalties. Before the common standard, each brand ran its own security programme; in December 2004 the five major card brands (Visa, Mastercard, Discover, Japan Credit Bureau (JCB) and American Express) aligned these into a single standard, the Payment Card Industry Data Security Standard (PCI DSS) version 1.0. The standard was created to protect cardholders, and the merchants that serve them, from costly data breaches and the fines that follow.
These standards were intended to be comprehensive, to ensure the highest level of protection was in place. Shortly after the creation of PCI DSS, the Payment Card Industry Security Standards Council (PCI SSC) was established as an independent body responsible for maintaining and adapting the standard going forward. Since its formation in 2006, the PCI SSC has regularly updated PCI DSS to reflect current best practice for protecting both merchants and consumers. This has included requirements for wireless networks and additional security measures that reflect newer technology and payment methods. In recent years the PCI SSC has lengthened the transition period merchants get before a new version of the standard becomes mandatory; merchants now have a year or more to become compliant with a new release. This gives merchants time not only to learn and understand the new requirements, but to implement the updates and enact the policies needed to support them.
What Does it Mean to Be PCI Compliant?
At this point, you are probably wondering what it means to be PCI compliant. PCI DSS is the security standard established by the credit card industry powerhouses Visa, Mastercard, American Express, Discover and JCB. PCI DSS is intended to ensure that all merchants safely and securely accept, process, transmit and, where necessary, store the cardholder data they handle with every card transaction. It is not a law but a contractual obligation: every merchant that accepts payment by card, either online or at a physical location, agrees through its acquiring bank to comply with it in order to protect against data breaches. The standard requires each business to establish data security policies for its organisation and to train employees in protecting card data. Every credit card carries sensitive data that must be protected: the cardholder name, primary account number (PAN), expiration date and service code, plus the sensitive authentication data held on the chip and magnetic stripe (full track data), the CAV2/CID/CVC2/CVV2 security code and any PIN data. PCI DSS draws a sharp line between these two groups. Sensitive authentication data must never be stored after a transaction is authorised, even in encrypted form. The PAN and the other cardholder data should not be retained unless there is a documented business need; if they are retained, the business must be able to justify what it keeps and for how long, and must render the PAN unreadable wherever it is stored (for example by strong encryption, truncation or tokenisation). How a business stores, protects and disposes of this data is dictated by PCI DSS. The work required to become and remain compliant scales with a few facts about your business, chiefly the number of card transactions you process in a year. Depending on that volume, each business must complete a yearly Self-Assessment Questionnaire (SAQ) or undergo an on-site assessment by a Qualified Security Assessor, and must pass quarterly external vulnerability scans by an Approved Scanning Vendor. The SAQ is a series of yes/no questions that determine whether a business meets the applicable PCI DSS requirements.
This information can also help you find and select a credit card processor that offers PCI DSS compliant processing solutions (ideally ones that keep card data out of your own systems, such as hosted payment pages or tokenisation), giving you peace of mind that every card transaction your business takes is handled in the safest manner possible.
Why You Need to Be Compliant
Aside from providing a safe and secure platform for consumers to confidently make a purchase, there are a few other reasons why it is imperative to become and remain compliant with PCI DSS. Here are some additional reasons that should motivate you to maintain compliance:
- Provide Security to Prevent Data Breaches
One of the first, and arguably most important, rules of business is to protect not only your own information but that of your customers as well. In most cases you will have policies in place that dictate when and how to inspect your physical security. But what about the digital information your business collects and retains? Malware and attack techniques evolve continually and frequently outpace signature-based defences, which is why you must take the required precautions to protect the computers, networks, servers, point-of-sale devices and other electronic means you use to collect payments.
- Increase Consumer Confidence in Your Business
Companies that have taken the necessary precautions to ensure their compliance with PCI DSS give their customers confidence that their information will be kept safe. If consumers lack confidence in your business they are less likely to do business with you, which ultimately affects your bottom line. Consumer surveys consistently find that a large share of U.S. adults avoid doing business with a company after it has suffered a data breach. Obtaining and maintaining PCI compliance shows consumers that you take security seriously and are willing to take the necessary steps to protect their payment information.
- Protects Business from Fines and Lawsuits
If you do suffer a data breach, you could also face fines and lawsuits from customers and other organisations. Lawsuits may be filed by individuals whose information was compromised, or by third parties such as the banks that issued the affected cards. Additionally, you could accrue fines from the card brands (passed on through your acquiring bank), from your processor, or from government regulators. If you have taken the necessary precautions to comply with PCI DSS, you can reduce the impact of a breach, since demonstrated compliance at the time of the breach typically lowers the fines, liability and contractual penalties that your processor, acquiring bank or government agencies may impose.
When companies work to become PCI compliant, they show their customers that they take security seriously and are proactive in ensuring that all data they obtain is kept confidential. PCI compliance also gives both companies and consumers peace of mind that their information is secure.
Requirements for PCI DSS Compliance
PCI DSS is not a federal law in the United States. Some states, such as Nevada, have nonetheless enacted laws that reference PCI DSS directly and require businesses that accept cards to comply with it. Even where no statute applies, the major card schemes require, through their merchant agreements, that every business accepting their cards achieve and maintain PCI DSS compliance. What scales with the size and transaction volume of the business is not whether you must comply but how you validate compliance: smaller merchants self-assess, while the largest are assessed on site. This sliding scale lets businesses adjust and implement the necessary security measures as they grow. To be validated as PCI compliant, there are two main tasks to complete:
- Pass a quarterly external vulnerability scan, performed by an Approved Scanning Vendor, to check for weak spots or vulnerabilities
- Complete the applicable Self-Assessment Questionnaire (SAQ) each year (the largest merchants instead undergo an on-site assessment by a Qualified Security Assessor and produce a Report on Compliance)
The standard itself is organised into twelve requirements. The four areas below group the ones that most directly define what it takes to become PCI compliant and help establish policies for training employees:
- Establish a Secure Network
Businesses that have taken advantage of the internet, or whose systems store or process payment data on a computer network, are responsible for ensuring those systems are secure. This means having the necessary protections in place to defend the network against intruders and data breaches, including a properly configured firewall that restricts both inbound and outbound traffic to and from the systems handling card data, so that neither external attackers nor unauthorised internal users can reach that data. Vendor default passwords and settings on every such device must also be changed before it goes into service.
- Securing Network Against Threats
Cardholder data should be accessible only to those with a valid business need. Data must be protected both in transit and at rest to prevent unauthorised personnel from gaining access. In transit, this means encrypting card data with strong cryptography (for example TLS) whenever it crosses an open, public network. At rest, the PAN must be rendered unreadable wherever it is stored, and sensitive authentication data must not be stored at all after authorisation. Once there is no longer a business need for stored data, it must be securely disposed of and rendered unrecoverable so that it cannot fall into the wrong hands.
- Manage Network
One of the easiest and most important ways to protect data and reduce exposure to attack is to keep all systems, software and hardware patched and up to date. This is especially important for your anti-malware software and its signatures. Establish procedures for regular malware scans and vulnerability scans so that weaknesses or intrusions are detected early.
- Control Access to Sensitive Data
Limiting access to information, along with knowing who has access and when it is used, is vital to providing a secure platform for payments. PCI DSS requires that paper records and removable media containing cardholder data be kept physically secured, under lock and key, for as long as they are needed, and destroyed completely as soon as they are not. For data held on computer systems, each user must have unique credentials that must be presented before the data can be retrieved, and access must be logged so that every retrieval can be traced to an individual. Shared or generic accounts defeat both of these aims and are not permitted for access to cardholder data.
Additionally, businesses should monitor and test their systems on a regular basis to check for breaches or vulnerabilities. This can be done in house or outsourced to a third-party assessor.
PCI DSS itself covers only cardholder data. Other personal information a business holds about the cardholder, such as birth date, Social Security number, phone number and address, falls under privacy and data-protection law rather than PCI DSS, but it should be protected with the same care, since it is equally valuable to an attacker.
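The requirements above say that sensitive authentication data must never be retained and that a stored PAN must be rendered unreadable. In practice the most common way card data leaks into places it should not be (application logs, debug output, support tickets) is accidental, so a practitioner checks for it rather than assuming it is absent. The following is an added example, not code from PCI SSC or any vendor: it scans constructed log lines, recognises PAN candidates by digit count and the Luhn mod-10 check that real card numbers pass, masks them to the first six and last four digits (the portion PCI DSS allows to be displayed), and strips out CVV2/CVC2/CID, track-data and PIN fields entirely. The field names in the regular expression and the log format are assumptions; the 4111 and 5555 numbers are the standard Visa and Mastercard test numbers.

```python
"""Scan log lines for cardholder data that must not be retained (added example).

Luhn-valid digit runs of 13-19 digits are masked to first six / last four.
Fields carrying sensitive authentication data are removed entirely, since
PCI DSS forbids storing them after authorization even when encrypted.
"""
import re

# 13-19 digits, optionally separated by single spaces or dashes (assumed log format).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# key=value fields carrying sensitive authentication data (assumed field names).
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2|track[12]?|pin)\s*[=:]\s*[^,\s&]+")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits; star out the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Return (scrubbed_line, findings); findings is a list of (kind, detail)."""
    findings = []

    def drop_sad(m):
        findings.append(("SAD", m.group(1).upper()))
        return m.group(1) + "=[REMOVED]"

    def mask_candidate(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            masked = mask_pan(digits)
            findings.append(("PAN", masked))
            return masked
        return raw  # order ids and other digit runs that fail Luhn stay untouched

    # Remove SAD first so that track data is deleted rather than merely masked.
    line = SAD_FIELD.sub(drop_sad, line)
    line = PAN_CANDIDATE.sub(mask_candidate, line)
    return line, findings


def scrub_log(lines):
    """Scrub every line; returns a list of (scrubbed_line, findings)."""
    return [scrub_line(line) for line in lines]


# Constructed sample lines; 4111... and 5555... are the standard test card numbers.
SAMPLE_LOG = [
    "2024-03-01T10:15:02Z checkout ok order=1234567890123456 pan=4111 1111 1111 1111 cvv2=123 amount=19.99",
    "2024-03-01T10:16:40Z auth ok pan=5555-5555-5555-4444 track2=5555555555554444=2512101 amount=42.00",
    "2024-03-01T10:17:05Z refund ok ref=SHIPMENT-778899 amount=5.00",
]

if __name__ == "__main__":
    for scrubbed, findings in scrub_log(SAMPLE_LOG):
        print(scrubbed)
        for kind, detail in findings:
            print("   ", kind, detail)
```

Run over the sample, the first line keeps the 16-digit order number (it fails the Luhn check) but masks the PAN and deletes the CVV2; the second line has its track data removed before the PAN regex runs, so only the PAN field is masked; the refund line is untouched. Any line that produces a finding is evidence that card data reached storage it should never have reached, which is the condition the requirement above is meant to prevent.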
Who is Responsible for PCI Compliance?
Are you solely responsible for protecting your customers' sensitive information, or is your processor partly responsible too? This is a complex question without a cut-and-dried answer. As established above, many different parts go into PCI compliance, all working together to protect card data, so it is important to know who is responsible for what. Where a processor or other third party handles card data on your behalf, PCI DSS requires a written agreement that spells out which requirements each party owns; the merchant remains accountable for compliance of everything in its own environment. A common misconception is that the responsibility falls on the IT person. In reality, every employee in an organisation has a responsibility to protect customers' payment data. Most companies designate one individual to ensure compliance is met, but any employee can compromise that compliance by being careless. Policies and procedures are put in place to protect information, and it is when employees fail to follow them that data, and compliance, are usually lost. Being PCI compliant does not make a business immune to data breaches; breaches happen to companies of all sizes, compliant and non-compliant. The advantage of being compliant is that the business has an incident response plan in place and is prepared to act when the unfortunate does happen, and that demonstrated compliance at the time of the breach substantially reduces, though it does not eliminate, the fines and liability that follow.
Consequences of Non-Compliance
When an organisation is not compliant with PCI DSS and a security breach occurs, the most common repercussion is a substantial fine, which the card brands levy on the acquiring bank and the bank passes on to the merchant. Depending on the severity of the breach and the merchant's volume, these fines can run from $5,000 to $10,000 or more per month until all compliance issues are resolved and the breach has been adequately handled. Businesses that neglect to resolve their security issues may have their privilege of accepting cards revoked by the card brands and their processor. Remember that when a business's card processing system is compromised, the attacker gains access to every card it has handled, and the resulting fraud is spread across a great many individual cardholders. So, aside from fines and penalties, what other consequences can a business face when card data is stolen? Here are seven consequences businesses may face as a result of non-compliance with PCI DSS, or of an honest mistake on the part of the business:
- Customer Compensation
After a security breach, customers are going to be wary of doing business with you in the future. Bad news spreads far and wide, which means you are going to need to offer some sort of compensation to earn back their trust. Generally this takes the form of free credit monitoring for those affected. While it is free for your customers, it is going to cost you substantially.
- Lawsuits
It is not uncommon for individuals whose card information was stolen to file a lawsuit against the company. Lawsuits are becoming more common, more complicated and ultimately costlier. If your system is breached, be prepared to spend large sums on legal fees.
- Bank Fines
When a stolen card is used to make unauthorised purchases, the issuing bank reimburses the cardholder, so you do not reimburse them directly. Unfortunately, the card brands then recover those fraud losses, plus the cost of reissuing the affected cards, from your acquiring bank in the form of assessments, which the bank passes on to you as fines you are contractually required to pay. Depending on the severity of the breach and the number of cards exposed, these can easily run to tens of thousands of dollars or more.
- Federal Audits
Large corporations that experience a data breach can attract the attention of the Federal Trade Commission (FTC). The FTC does not enforce PCI DSS itself; it acts under its authority over unfair or deceptive practices against companies whose data security falls short of what they promised their customers or of reasonable practice, and a breach affecting a large number of people is what typically draws its attention. The usual outcome is a consent order that requires the company to submit to independent security assessments for many years, with civil penalties for violating that order. Along with those audits come extremely strict requirements for compliance with security standards.
- Internal Security Costs
Following a security breach there are substantial internal costs: forensic investigation of the cause, improvements to your security to prevent a recurrence, and reviewing personnel and making the necessary employment decisions regarding responsible employees. You will be required to take whatever steps are needed to ensure your internal information security is sound and a breach does not happen again.
- Lost Revenue
Any time there is a security breach, news spreads fast. As a result of the negative publicity, consumers will be wary of doing business with you in the future. This can have severe negative effects on your bottom line, as many consumers will take their business elsewhere. The lost revenue from a data breach can be very costly.
- Damaged Reputation
Another major consequence of a breach is that your reputation is now tainted. Any time consumers hear your company name, chances are they will associate it with the breach and question whether to do business with you. While it is nearly impossible to completely reverse the effects of a damaged reputation, countless hours of public relations and reputation management can mitigate the consequences.