The Payment Card Industry Data Security Standard (PCI DSS) applies to every company that stores, processes, or transmits credit card information. Does that include your business?
The reality is that even if you only process a few cards each year and don't store the data, you are not exempt. And this is not a one-and-done process. Just because you set up compliance once doesn't mean you can rest easy as time passes without a data breach. (It's easy to become complacent.)
So first, what does compliance entail?
Who is covered by PCI DSS?
PCI compliance covers information taken from any debit, credit, or pre-paid card issued by American Express, Discover, JCB, MasterCard or Visa International. Even a few transactions a year are cause for concern if the recommended programs, processes, and standards are not in place.
What is the cost of noncompliance? If the card brands find an instance of noncompliance, they can fine the acquiring bank $5,000 to $100,000 a month, and, make no mistake, the bank will happily pass that penalty along to you.
If you have a data breach, you may also need to pay for a forensics investigation to uncover the causes. Even worse, a breach causes customers to lose trust in your company. And your own proprietary data becomes vulnerable to the same data thief.
What does compliance entail?
The PCI Security Standards Council has developed a list of best practices that include:
- Storing only the most essential cardholder data and finding alternatives to storage whenever possible.
- Developing measurable metrics, such as the percentage of the organization’s staff that have received security training and the percentage of web servers set up to PCI system configuration standards.
- Assigning a Compliance Manager who is responsible for compliance, preferably has industry certifications, and keeps abreast of changes in PCI DSS.
To ensure compliance, you need an integrated system that averts attacks on account data, passwords, cryptographic material, and ATM security; prevents unauthorized access; and maintains security whenever new hardware or software is integrated into the environment. Here's the most recent update to best practices.
How can compliance be maintained?
Maintaining compliance requires understanding the relationship between the encrypting PIN pad (EPP) and the ATM or secure card reader (SCR), and being able to limit opportunities for data breaches during maintenance or upgrades, the addition or removal of an SCR, or any other change in the equipment, software, or environment. (Head spinning yet?)
A monitoring system should be set up, with regular reviews by the Compliance Manager, at least once a year.
Among other software considerations, PCI recommends that the operating system should:
- Enforce strict application separation.
- Prevent the addition of rogue software, including software that staff might accidentally transfer or access from their mobile or other remote devices.
- Log all relevant events.
We help our clients set up these exact systems. We keep up with PCI DSS changes (so you don’t have to), and have both the necessary tools and the experience to maintain compliance as well as anticipate where breaches may occur, before noncompliance becomes an expensive issue.
If your company accepts credit, debit, or pre-paid card transactions of any type, you need to put PCI DSS compliance strategies into place and maintain them rigorously. Future Link IT can help with your initial compliance audit, implementation, planning, and strategy. Let's chat today to get you started.