All businesses, small or big, that conduct transactions with credit or debit cards in person, online, by phone or through applications are required to be “PCI compliant”, yet they are failing in their preparations to comply with payment card industry (PCI) standards. Is compliance necessary or important, or is it merely the need to check a box and answer yes to the yearly Self-Assessment Questionnaire (SAQ)?
What is PCI Compliance?
It is an assessment/evaluation of your organization’s data security. A set of very technical security standards has been developed by the PCI to protect card information during and after financial transactions.
All card brands require it. The assessment is performed by an external organization, which checks whether you are compliant at the time of the assessment, but that doesn’t mean you will be compliant tomorrow, next week, next month or until the next external assessment happens.
Each vendor who accepts payment cards is responsible for maintaining continual compliance and for any financial injury sustained by their customers as a result of the lack of compliance. Data breaches and hacker exploits occur very frequently because vendors are not compliant.
Why is it important? What are the consequences?
Being compliant with PCI standards means you are doing the best you can to keep your customers’ valuable information safe, protected, secure, and out of the reach of others who could use it in a fraudulent manner. Here are a few things non-compliant vendors experience when their customers’ data is not protected:
- Damaged reputation: need to rebuild trust, loss of market share, lost revenue
- Fines and fees from the payment processor and government for compromised data
- Recurring fees for non-compliance until status changes
- Loss of privilege to process cards entirely
- Loss/Closure of business due to fines and/or loss of ability to process cards
- Loss of sales to customers who find out your business is not compliant
Here is how to stay compliant
Here are some recommendations to get and stay compliant:
- Ongoing security monitoring and employee awareness training
- Use a separate network for payment processing
- Use secure mobile card readers
- Use multi-factor authentication for remote access tools
- Avoid storing, emailing or faxing credit card numbers
Final tips to remember
Validation happens at a point in time, while compliance is a year-round activity that should be incorporated into the normal business process. If you are later compromised and the reason for the compromise is that you changed a system without following a change-control policy, or answered falsely on your evidence, then you could be treated as if you were non-compliant and fined accordingly.