How do merchants keep customer credit card data safe from prying eyes, whether those of potential hackers or of company employees? The answer is the PCI-DSS, or Payment Card Industry Data Security Standard. The PCI-DSS is a large set of rules written to maximize the security of consumer credit card data at the point of collection, in storage, and during transmission. There is also a governing body, the PCI SSC, or PCI Security Standards Council, that manages and administers all the individual rules within the DSS. As for enforcement, each of the credit card companies is responsible for making sure its participating merchants follow the DSS guidelines.
It’s important to note that there are major benefits of staying in compliance as well as serious consequences for merchants who run afoul of the rules. Credit card spending is the single largest engine of the global retail economy, with more than $3 trillion of available credit in the U.S. alone. Merchants who want a piece of the economic action have to play by the rules. Those who don’t are cut out of a huge portion of potential business.
Every industry has its rules and regulations. For companies that want to maintain legal accounting records, which is the law in most states, there are the FASB rules, set out by the Financial Accounting Standards Board. For medical entities, HIPAA laws help keep patient information confidential. In the PCI (payment card industry), there are 12 rather detailed rules that spell out exactly what a merchant must do to stay in compliance and thus maintain the security of customer data. Of course, the full, official document that contains the regulations is many pages long, but it is possible to summarize each of the major points in a few sentences.
- Encryption: Any customer-related data that travels anywhere after it enters your payment system needs to be encrypted on at least one level, and preferably on two. That means both the data itself and the encryption keys that protect it must be encrypted for maximum security.
- Passwords: It is not enough for every employee to have a unique password. All parts of the payment system within a company need to require passwords for everyday access. This rule applies to any part of a company’s digital environment that contains, or is closely connected to a part that contains, customer credit card or account data. Additionally, merchants should make certain that access passwords are changed regularly, are not the default passwords that came with the payment software or hardware, and are complex enough to resist guessing and cracking.
- Firewalls: Every computer system operated by a merchant must contain effective firewalls, either the ones that came with their original operating system or an upgraded version that was installed later.
- Anti-Virus Protection: All merchants must maintain capable anti-virus software. They may choose from the many products on the market, but they must, in any case, choose one and deploy it.
- Safe Transmission: All customer data must be transmitted safely and securely whenever it moves from the point where it entered your payment framework.
- Up-To-Date Software: Software upgrades are essential for keeping systems secure and safe from hackers. Most products allow for auto-updating, but a few require manual assessments every few weeks or months. Whatever software products a merchant uses, it is the merchant’s responsibility to keep those products up to date and functioning properly.
- Access IDs: All persons who gain access to consumer data need to have a specific, unique ID in order to do so.
- Restriction of Data Access: There should be a written policy and logbook pertaining to who can see various pieces of customer data, when, and why. This data access restriction is included in the guidelines for the sole purpose of making sure that anyone who views consumer credit card data is doing so on a “need to know” basis.
- Physical Safeguards: All customer credit card data should be maintained in a secure fashion, which includes storing digital as well as hard-copy files in a secure place.
- Scanning and Testing: All PCI systems should be scanned and tested on a regular basis. Some merchants have the capability to do this themselves, while others hire a third party to do it for them. Either way, vulnerability tests need to be run several times per year.
- Access Log Maintenance: Everyone who has access to customer credit card and account data should be noted in the access log, which also serves to keep a detailed record of when each access event took place and what data was accessed.
- Compliance Documentation: Every level and type of compliance action should be documented in some way, whether automatically via a software system or manually by a human operator. For the purpose of compliance audits, this kind of documentation is essential. However, it also serves the purpose of helping business owners find problems in their security processes.
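The Access IDs, Restriction of Data Access and Access Log Maintenance rules above fit together naturally in code: a unique user ID, a written need-to-know policy, and a log entry for every access attempt. The following is an added illustration, not code from the original post or from Metro Payment Technologies; the role names, permitted fields, sample record and reasons are all constructed, and a real system would store the record encrypted at rest and the log on tamper-resistant storage.

```python
"""Added example: a minimal need-to-know access gate with an access log.
Roles, fields, the sample record and the policy below are all constructed
for illustration; they are not PCI SSC definitions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed "written policy": which role may view which cardholder-data fields.
# No role is permitted the full card number, so any request for it is refused.
POLICY = {
    "support": {"last4", "expiry"},
    "fraud_analyst": {"last4", "expiry", "cardholder_name"},
    "auditor": set(),  # auditors review the log, not the data itself
}

# Constructed sample record. The full number is a placeholder, never a real PAN.
RECORD = {
    "last4": "1234",
    "expiry": "12/27",
    "cardholder_name": "J. Doe",
    "pan": "<full card number, encrypted at rest in a real system>",
}


@dataclass
class AccessLog:
    """Keeps who accessed what, when, and why (granted or refused)."""
    entries: list = field(default_factory=list)

    def record(self, user_id, role, fields, granted, reason):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user_id": user_id,
            "role": role,
            "fields": sorted(fields),
            "granted": granted,
            "reason": reason,
        })


def denied_fields(role, wanted):
    """Return the requested fields the policy does not allow this role to see."""
    return set(wanted) - POLICY.get(role, set())


def request_access(log, user_id, role, wanted, reason):
    """Return only the permitted fields of RECORD; every attempt is logged first.

    A missing user ID is rejected outright: shared or anonymous access would
    make the log useless for reconstructing who saw the data.
    """
    if not user_id:
        raise PermissionError("a unique user ID is required for data access")
    denied = denied_fields(role, wanted)
    granted = not denied
    log.record(user_id, role, wanted, granted, reason)
    if not granted:
        raise PermissionError(
            f"{user_id} ({role}) is not permitted to view: {sorted(denied)}"
        )
    return {name: RECORD[name] for name in wanted}


if __name__ == "__main__":
    log = AccessLog()
    print(request_access(log, "u-001", "support", {"last4"}, "chargeback query"))
    try:
        request_access(log, "u-002", "support", {"pan"}, "no stated need")
    except PermissionError as err:
        print("refused:", err)
    for entry in log.entries:
        print(entry)
```

The refused request is logged just like the granted one, so the log answers the question an auditor actually asks: not only who saw cardholder data, but who tried to and was stopped.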
The 6 Major Benefits of Compliance
Business owners who take the time to understand exactly what PCI compliance consists of are in a much better position to reap its benefits. While there are all sorts of harmful things that can happen if you fall out of compliance (see next section), the incentives to work within the system are huge. Here are some of the most commonly cited benefits of adhering to the 12 guidelines:
- More Customers: When your systems are properly maintained, in full PCI compliance, and fully secure, your customers can rest assured that their data is safe. Happy customers often become repeat customers. So, staying in compliance offers “security and data safety” as a lure to potential and current customers.
- Product brands will want you to offer their goods: Vendors and manufacturers will gravitate to your store if you can show that you are in PCI compliance. When these potential business partners realize that you run a fully compliant operation, they will have an incentive to partner with you.
- You’ll minimize data breaches: It’s best to think of PCI compliance as a process rather than a one-time action. By constantly upgrading and updating systems and software to remain in compliance, you’ll be helping to keep breaches and hacking incidents in check.
- It trains you to comply with other regulations: The business world is full of rules, laws, and regulations. When you learn to stay in constant PCI compliance, your company will be better able to navigate other regulatory frameworks like SOX, FASB, and HIPAA.
- Compliance boosts corporate security: Even if you have no other corporate security methods in place, PCI compliance efforts can serve as a very good first attempt at achieving a fully secure data environment.
- It encourages IT infrastructure growth: By its very nature, PCI compliance will teach you how to create a better IT infrastructure. That’s because so many of the rules pertain to data security and maintaining customer confidentiality. Both of those things are closely related to tech infrastructures that help keep all sorts of business systems running smoothly.
What Are the Consequences of Non-Compliance?
It’s good to use the benefits of compliance as an incentive to work within the rules. Most entrepreneurs find that’s enough to keep them on the proper side of the regulations. However, for those who stray from the guidelines, there can be some very serious consequences. The primary downsides of non-compliance include the following:
- Fines by government agencies, insurance claims against your company, lawsuits filed by aggrieved customers, large fines from issuers of payment cards, and accounts being cancelled
- Harm being done to merchants, customers, and institutions by a data breach
- A major blow to your corporate reputation, which usually leads to a complete inability to conduct your daily operations at a profit
- A loss of sales resulting from breaches of account data
Smart Strategies for Meeting PCI Requirements
At Metro Payment Technologies, our teams work with merchants to help with regular system scanning. This is the best way to assure continued PCI compliance. To learn more about how we can help you quickly and easily scan your payment systems for compliance issues, visit our website at metropaytech.com, call us toll-free at your convenience at 1-800-771-3719, or send an email to email@example.com. We look forward to hearing from you and assisting you with keeping your payment systems PCI compliant at all times.