Does my Business Need to be PCI Compliant?
The short answer is Yes!
As a small business owner, PCI (Payment Card Industry) compliance may seem like just one more hurdle to be crossed and one more set of regulations to stick to, but it’s much more. Non-compliance doesn’t just attracts penalties and fines, it can seriously impact your brand, reputation and customer loyalty.
With credit cards ruling the roost and 67% of Americans owning at least 3 credit cards, cash and check payments seem to be gently fading into the past.
Because of this, the card industry is is ever vigilant against fraud, data breaches, identity/data theft and a variety of scams. Common issues include:
- fraudulent applications using stolen documents
- skimming or credit card imprint
- card not present (CNP) fraud when cards are used for making online/mail/phone payments
- counterfeit cards
- card theft
- ID theft involving creation of fake cards
- card intercept
- takeover of account
The major card companies had set up their own individual security standards for collecting, storing, processing and transmitting card holders’ data. In 2004, these companies combined their efforts and set up a common set of standards.
What Is PCI Compliance?
The PCI DSS (Data Security Standard) is a set of mandatory requirements set up, developed, and maintained by the PCI Security Standards Council. These regulations have been modified and updated over the course of the last 15 years since they were first formulated in 2004. Currently, the version in operation is 3.2.1 which was released in 2018.
All companies and organizations that handle credit and/or debit cards have to meet these standards. They can do this directly or through a compensating control which may or may not be available to them.
There are six major areas that are described as control objectives: building and maintenance of secure networks/systems, protection of cardholder information, vulnerability management, access control measures, regular monitoring and testing of networks, information security policy.
The terms of compliance include 12 factors:
- Install/maintain a secure firewall to protect cardholder information
- Change vendor-supplied default settings for passwords/security parameters
- Encrypt, mask, hash, truncate etc to protect cardholder data
- Protect stored cardholder data
- Install/Update reputed, reliable firewalls and anti-virus software
- Fix vulnerabilities immediately
- Control access to cardholder data on a need-to-know basis
- Enable accountability of those with access to cardholder data through creation of unique IDs
- Physical access to data has to be restricted
- Install logging mechanisms to track user activity of those with access to cardholder data and network resources
- Enable regular testing of security systems and processes
- All personnel should be covered by a robust security policy that sensitizes them to the nature of the data and their individual and collective responsibility
Along with these guidelines, companies have to assess their own IT infrastructure, business processes and card handling methodology to locate and identify the potential gaps in security.
Non-compliance means your business and your customers remain unprotected. Consumer protection cases can be lodged against you, you could lose the right to accept card payments and penalties may be imposed till you demonstrate full compliance.
For more information on whether your business needs to be PCI compliant, or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.