When asked what their preferred method of payment is, 80% of consumers say either debit or credit card.
Payment cards dominate whenever you take any type of customer payment for a product or service, which is why many companies in San Diego and beyond accept them and include some type of merchant processing technology in their IT management plan.
But while a lot of small, medium, and large businesses accept credit and debit card payments, not many understand the data privacy rules that companies accepting payment cards are required to comply with.
In 2018, just 52.5% of organizations globally were compliant with PCI DSS.
Anyone accepting payment cards is required to comply with PCI DSS (Payment Card Industry Data Security Standard). This is a standard created by the major payment card issuers, including:
- American Express
The PCI standard dictates the expected security standards for safeguarding cardholder data while it’s being captured, stored, and transmitted. And while many small businesses rely on their merchant processors to be compliant, they are ultimately responsible for any cardholder data being handled on behalf of their organization.
What are the Penalties if You’re Not in Compliance with PCI?
Non-compliance is typically discovered once a data breach has occurred or a business is reported for mishandling customer payment card data.
A non-compliance penalty can result from something like not keeping your payment card software updated with security patches, or writing down customer credit card numbers and not properly shredding them after use.
Each payment card brand can differ in how it applies non-compliance penalties. For acquiring banks that handle the transactions, a violation can cost between $5,000 and $100,000 per month. And banks are likely to pass this fine down to the merchant responsible for the violation.
For a company that’s had several violations, it can mean the loss of the ability to process credit and debit cards.
Here’s What You Need to Know About Complying with PCI
The PCI Security Standards Council, the governing body for PCI DSS, lays out 12 comprehensive requirements to follow, grouped according to 6 main data security goals. Anyone who accepts or processes payment cards is required to follow these.
Goal: Build and Maintain a Secure Network
The target of the first goal is the framework of your computer network. The two requirements under this goal include:
- Install and Maintain a Firewall to Protect Cardholder Data: Having a firewall is a security best practice, whether you take payment cards or not. A firewall monitors all incoming and outgoing network traffic, looking for any suspicious activity, flagged traffic, or other security threats.
- Don’t Use Vendor-Supplied Default Passwords or Security Parameters: This next guideline refers to your endpoint security and can be for payment terminals or other IoT devices used in conjunction with payment processing. You need to change any security or password defaults when you set up the devices to prevent hacks.
Goal: Protect Cardholder Data
These next two requirements are about digitally protecting the payment cardholder’s information, which can be their card number, address, phone, etc.
- Protect Stored Cardholder Data: Data that’s stored either in the cloud or on a local hard drive needs to be protected from unauthorized access.
- Encrypt Transmission Across Open, Public Networks: If you’re processing a credit card and you’re on a public Wi-Fi, you need to ensure you’re using proper encryption software to protect cardholder data from being intercepted by a hacker.
Goal: Maintain a Vulnerability Management Program
These requirements are also tied into good cybersecurity hygiene, including taking precautions to prevent data breaches of your network.
- Use & Regularly Update Antivirus Programs: You should be using an antivirus program on any devices that handle cardholder information and keeping it updated.
- Develop & Maintain Secure Systems: This is about good cybersecurity practices, such as patch management and enabling security controls in the systems you use.
Goal: Implement Strong Access Control Measures
Who can access cardholder data, and how they access it, is the subject of these next three guidelines.
- Restrict Access on a Business Need-to-Know: You should restrict who can access cardholder data based upon who absolutely needs to as part of their daily workflow.
- Assign a Unique ID to Each Computer User: You should have a tracking mechanism for who is logging into your network and accessing cardholder data, by giving each user a unique ID.
- Restrict Physical Access to Cardholder Data: Computers and other payment devices should have screen locks, and physical access to them, or to any paper files containing cardholder information, should be restricted.
Goal: Regularly Monitor & Test Networks
Continuous monitoring of your networks is essential: good cybersecurity is an ongoing process, not something you can set up once and forget about.
- Track & Monitor All Access to Network & Cardholder Data: You should have regular monitoring set up for your network and especially areas where cardholder data is kept. Managed IT service plans are a strategic way to do this.
- Regularly Test Security Systems & Processes: Threats to data security are evolving all the time, which necessitates regularly testing and evaluating your security systems.
Goal: Maintain an Information Security Policy
This last requirement relates to documenting your security policy so you can better train employees and contractors on secure handling of cardholder data.
- Maintain a Policy that Addresses Information Security for Employees & Contractors: Proper training and documentation of your data security policies help reduce the chance of an employee or contractor error resulting in a data breach or compliance violation.
Get Help with PCI Compliance & Data Security
A data breach not only results in potential compliance penalties through PCI; it can also lead to loss of customer trust. Excedeo offers free risk assessments to let you know where you stand and how to ensure your network and data are secure.