PCI stands for Payment Card Industry, and it’s recognized throughout the US as an accepted standard for card security. It’s not a legally mandated requirement, but complying with PCI requirements increases the confidence of both your customers and your financial backers. PCI terms may be slightly different based on the nature of your business.
For example, in a service-based business like a restaurant, many different employees will handle your portable card readers: waitstaff, delivery people, and potentially even the kitchen staff. Use a different user ID for every single employee who carries the POS. That way it’s easy to trace any problems or security breaches back to the person who was logged in.
Avoid mobile recording devices
Similarly, a call center will have staff constantly asking for customer details as they resolve their problems. Consider banning personal tablet and mobile phone use while on duty, since these can be used to save customer data. If anything must be written down, use a whiteboard rather than pen and paper. The board should be frequently erased throughout a shift.
Call center interactions are always recorded, so train your agents to pause the recording while a customer is giving their card details. This way, there’s no stored recording that can be stolen by criminals. Some call-recording software incorporates the pause function automatically: when it detects that card details are being shared, it pauses the recording on its own.
Assess your compliance levels
Before you enforce PCI compliance, you have to audit how well (or badly) you’re doing. PCI divides ecommerce entities into four levels:
- Level 1: Over 6 million card transactions per year
- Level 2: From 1 million to 6 million card transactions per year
- Level 3: From 20,000 to 1 million card transactions per year
- Level 4: All merchants that don’t fall under Levels 1, 2, and 3
Level 4 is the lowest level, and covers fewer than 20,000 card transactions per year. Generally, there are 12 guidelines that are used to grade PCI compliance, and each level needs a different kind of audit. Check your internal security systems and see exactly who processes cards and how careful they are with customer data. Test passwords as well as physical access to file rooms and computer monitors.
The 12 requirements of compliance
Look through your FAQs and customer complaints regarding card security, transaction delays, or other card-related issues. To ensure compliance, achieve and maintain the following guidelines:
- Install and update firewalls.
- Set strong non-default passwords.
- Protect your customers’ data.
- Encrypt data over public networks.
- Install, use, and update your antivirus tools.
- Create and enforce good security protocols.
- Restrict access to customer data.
- Give each staff member a distinct user ID.
- Restrict physical access to customers’ cards and data.
- Track and monitor access to computerized data.
- Test your security systems frequently.
- Establish, maintain, and update a written security policy.
For more information on remaining PCI compliant, or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.