PCI Compliance: What You Need to Know
Posted by Megan Webb-Morgan on May 28, 2013 in Credit Card Processing, Retail
If your business accepts credit cards of any type, then you are automatically responsible for complying with the Payment Card Industry Data Security Standard (PCI DSS). This standard was developed by the five major credit card brands in order to create and maintain a consistent information security standard for all credit card processors. The ultimate goal is to prevent the credit card fraud that occurs when cardholder data is left unsecured.
If your business isn’t PCI compliant, not only are you at risk of incurring fines and penalties from your merchant account provider – you’re also more likely to become a victim of credit card fraud.
What It Means for Your Business
The PCI standard covers the policies, procedures, network and software design, and security management of anyone and everyone who accepts, transmits, or stores credit card data.
The procedures regarding compliance differ depending on what level your business is considered to be. If you run a small business, you are responsible for maintaining your compliance on your POS and on your website. Penalties for non-compliance are handed down from your credit card processing company, to your bank, to you. If credit card fraud occurs as a result of your non-compliance, it can result in thousands of dollars in fines, loss of your banking relationship, and termination of your merchant banking account. To prove compliance, small businesses must:
- Complete a self-assessment questionnaire.
- Pass a vulnerability scan with a PCI DSS-approved vendor (if applicable to your business level).
- Complete an attestation of compliance form.
- Submit all of the above to your acquirer, aka the credit card company that manages your merchant account.
How to Maintain Compliance
The objectives of the PCI DSS are to:
- Build and maintain a secure network.
- Protect cardholder data.
- Maintain a vulnerability management program.
- Implement strong access control measures.
- Regularly monitor and test networks.
- Maintain an information security policy.
Your business needs to control who and what has access to cardholder data. As you can see, while maintaining a secure internet connection and utilizing PCI-compliant POS software is important, it is only one part of the process of maintaining compliance. Physical and procedural controls are also necessary.
After all, you can have the most secure internet connection in the world, but that won’t protect your customers’ credit card data if the door to your server room is unlocked.
- Many of your employees may have access to your POS software. Be sure that you can assign different levels of access to your software users, so that administrators can access sensitive data when necessary but regular users cannot. Your software should log who has accessed what data and when.
- Establish proper procedures and best practices for keeping your customer information secure. Frequent firewall checks, anti-virus updates, and system tests help you maintain the highest levels of security. Bring in an external auditor to test for compliance if needed.
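The first point above, tiered access to cardholder data plus a log of who accessed what and when, can be sketched in a few lines. The following is an added example written for this post, not code from any POS product: the role names, the rule that only "admin" sees the full card number, and the sample card record are all assumptions; non-admins get the number masked to at most the first six and last four digits, and every access attempt, allowed or denied, is appended to an audit trail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List

# Hypothetical role levels; only "admin" may see the full card number.
ROLE_LEVEL = {"cashier": 1, "manager": 2, "admin": 3}
FULL_PAN_MIN_LEVEL = ROLE_LEVEL["admin"]

@dataclass
class CardRecord:
    customer: str
    pan: str  # full primary account number (constructed sample, not real)

@dataclass
class AuditLog:
    entries: List[dict] = field(default_factory=list)

    def record(self, user: str, role: str, customer: str, outcome: str) -> None:
        # Who accessed which record, when, and what they were shown.
        self.entries.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role,
            "record": customer, "outcome": outcome,
        })

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; hide the rest."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def view_card(user: str, role: str, rec: CardRecord, log: AuditLog) -> str:
    """Return the view of the PAN this role is allowed, logging the access."""
    if role not in ROLE_LEVEL:
        log.record(user, role, rec.customer, "denied")
        raise PermissionError(f"unknown role {role!r}")
    if ROLE_LEVEL[role] >= FULL_PAN_MIN_LEVEL:
        log.record(user, role, rec.customer, "full_pan")
        return rec.pan
    log.record(user, role, rec.customer, "masked_pan")
    return mask_pan(rec.pan)

if __name__ == "__main__":
    log = AuditLog()
    rec = CardRecord("cust-0001", "4111 1111 1111 1111")  # constructed test PAN
    print(view_card("alice", "cashier", rec, log))  # 411111******1111
    print(view_card("bob", "admin", rec, log))      # 4111 1111 1111 1111
    for entry in log.entries:
        print(entry)
```

In a real deployment the audit entries would go to append-only storage that the POS users themselves cannot edit, so the log remains trustworthy when an auditor asks for it.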
Maintaining PCI compliance takes effort. Keeping cardholder data secure is your responsibility both as a merchant and as a good neighbor. The damage to your business should fraud occur is far greater than the cost of compliance, so make sure that your business and your customers are protected.