Is PCI Compliance Necessary for Your Business?
Did you know that you are forbidden from writing down or printing out a full credit card number on a piece of paper? Did you also know that if your businesses phone system records calls, you and your customers are not allowed to verbally provide a full credit card number while on a telephone call?
These are just a couple of the requirements placed upon businesses by the credit card industry to eliminate stolen data, and it’s called “PCI Compliance”.
PCI (Payment Card Industry) Compliance was introduced in December 2004 by the Card Associations (Visa, MasterCard, Discover, American Express) as a response to increased fraud and security breaches involving credit cards.
Card companies banded together to create a comprehensive set of security standards for all businesses that accept electronic forms of payment. The idea behind creating these standards was to lay out a detailed plan for each business, based on how they accept transactions and handle sensitive data, that would nearly eliminate the possibility of a cyber attack, fraud, or breach of security when implemented properly.
Because new potential threats develop over time, the standards are regularly updated and are now maintained by an organization called the PCI Security Standards Council. Hadfield Group is proud to be a Participating Organization with the Council, implementing and promoting the 12 major data security standards (known as the PCI DSS) for ourselves and our clients. They are;
A firewall configuration must be installed and maintained
System passwords must be original (not vendor-supplied)
Stored cardholder data must be protected
Transmissions of cardholder data across public networks must be encrypted
Anti-virus software must be used and regularly updated
Secure systems and applications must be developed and maintained
Cardholder data access must be restricted to a business need-to-know basis
Every person with computer access must be assigned a unique ID
Physical access to cardholder data must be restricted
Access to cardholder data and network resources must be tracked and monitored
Security systems and processes must be regularly tested
A policy dealing with information security must be maintained
Some of the confusion around PCI Compliance is in regards to who must be compliant; the payments processor and transaction technology provider, or the business that accepts the payments? The answer is; both.
Because PCI Compliance is not required by federal law in the United States, it is not regularly promoted by payments related organizations.
However, reviewing several important stats should make payments companies and businesses alike take compliance more seriously.
43 percent of all cyber attacks target small businesses.
Businesses that are victims of attacks spent an average of $879,582 because of damage or theft of IT assets.
60 percent of those companies go out of business within six months of an attack happening.
What Could Happen if Your Business Avoids Compliance?
a) Financial Losses
Non-PCI compliant merchants and payment processors can face fines from credit card companies between $5,000 to $500,000, depending on a variety of factors.
Additional costs include:
Notification, card re-issuance, and credit monitoring costs for affected parties
Forensic investigation and remediation costs
b) You May Lose The Ability To Accept Credit Cards
Perhaps even more harmful than fines, credit card companies may also revoke the right of a business to process credit card transactions, placing that business on the MATCH list, and nearly eliminating their ability to be approved to accept payments in the future.
c) You May Lose Clients
Damage to your reputation, lost business and reduced consumer confidence are just some of the after-effects of a data breach. Reports show that 69% of consumers would be less inclined to conduct business with a breached business.
How Is PCI Compliance Validated?
The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures intended to proactively protect customer account data. Each card scheme has its own programs that help merchants attain compliance with the PCI DSS.
There are two main components of validation:
Completing the Self-Assessment Questionnaire (SAQ)
Undergoing quarterly Vulnerability Scans performed by an Approved Scanning Vendor
Using Our Partner PCI Validation Service
To help your business meet your PCI DSS compliance requirements and to facilitate the validation process, Hadfield Group has teamed up with SecurityMetrics, Sysnet, and Aperia, accredited Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV). Their vulnerability assessment and compliance management solution provides the following benefits:
Scanning engine that tests for more than 3,000 vulnerabilities
Online Self-Assessment Questionnaire
Detailed compliance status reporting
Remediation services to address security vulnerabilities and achieve compliance more quickly
Comprehensive online support resources
Multi-lingual help desk support
As cyber criminals continue to target small businesses, business owners and employees need to know how to protect both their customers and themselves. PCI Compliance should be successfully completed annually by every business involved in accepting electronic forms of payments. Make sure to write down your annual renewal date, but to be safe, just not any full credit card numbers.