PCI Compliance - What It Is and Why You Should Be Concerned About It
Cases of identity theft over the last decade have made people more careful about sharing their financial information online. That wariness extends to retail stores where people pay with their credit cards, which is not surprising: according to Javelin Strategy and Research, 16.7 million people were victims of identity theft in 2017, and $16.8 billion was stolen from them.
People need assurance that you have, at the very least, complied with the rules in place to prevent a data breach. This is why the major card brands, including Visa and MasterCard, came together in 2006 to form the PCI Security Standards Council, which maintains the Payment Card Industry Data Security Standard (PCI DSS).
Failure to meet the standard can attract fines of between $5,000 and $100,000, levied by the card brands through your acquiring bank. You can also be penalised with higher transaction fees or lose the ability to process card payments altogether. You will need to adhere strictly to the standard and to train staff in protecting customers' card information.
Below are the six goals of the standard, under which its twelve requirements are grouped, that you need to meet to be fully compliant:
1. Keep a Secure Network
Every system that handles card data, and every network it is exposed to, needs to be secured, with a firewall separating the cardholder data environment from untrusted networks. An internet-facing web server is the most obvious exposure. This is why many retailers use a hosting provider that takes on part of the responsibility for network security. Not every hosting company actually delivers that security, so ask a prospective provider to document its own PCI compliance before you decide.
If you host your own systems, you need competent Information Technology (IT) staff who can respond to issues quickly. If you keep cardholder data (the primary account number together with the cardholder's name, expiry date or service code) on your own machines, a properly configured firewall must stand between them and the internet, and vendor default passwords and settings must be changed before the systems go live.
2. Protect Cardholder Data
It is common practice in the e-commerce industry to store cardholder information for later use, such as repeat purchases or marketing. Whatever the reason for keeping it, you are expected to protect that data so that no unauthorized person can access it.
This means rendering the data unreadable before it is stored, so that a breach of the database does not expose usable card numbers. PCI DSS does not prescribe a "128-bit SSL certificate" for this: a stored primary account number must be protected with strong cryptography, a keyed one-way hash, truncation or tokenization, and card data sent over public networks must be protected with strong cryptography such as a current version of TLS (SSL and early TLS no longer qualify). Sensitive authentication data, meaning the CVV2/CVC2 code, full magnetic-stripe or chip track data and PINs, must never be stored after authorization, encrypted or not.
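One concrete way to meet the stored-data requirement above is to keep the card number only in truncated and keyed-hash form and to reject sensitive authentication data outright. The following is an added example written for this page, not code from the article or from the PCI standard; the record layout, function names and the demo key are its own assumptions. A real deployment would keep the HMAC key in a vault or HSM, separate from the database, which is also what stops the truncated PAN and the hash token in the same record from being correlated to rebuild the full number.

```python
"""Added example (not from the article): rendering a stored PAN unreadable.

PCI DSS Requirement 3 says a stored primary account number (PAN) must be
unreadable wherever it is kept, and that sensitive authentication data
(CVV2/CVC2, full track data, PIN blocks) must never be retained after
authorization. This module shows one standard-library way to do that:
keep a truncated PAN (first six, last four) for display, keep a keyed
one-way hash (HMAC-SHA256) as a lookup token, and refuse to store CVV at
all. The record layout, field names and demo key are assumptions of
this example, not anything the article or PCI DSS prescribes.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

PAN_RE = re.compile(r"^\d{13,19}$")

# Field names that carry sensitive authentication data: rejected, never stored.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "track1", "track2",
                    "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate to first six and last four digits, the most PCI DSS allows in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN.

    A plain SHA-256 would be brute-forceable: with the masked digits known,
    an attacker has only about a million candidates per card. The secret key
    (kept outside the database, e.g. in an HSM or key vault) prevents that.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    """What is allowed to reach the database: no full PAN, no CVV."""
    masked_pan: str
    token: str
    expiry: str       # MM/YY; expiry date and cardholder name may be stored
    cardholder: str


def store_card(pan: str, expiry: str, cardholder: str, key: bytes,
               **extra: str) -> StoredCard:
    """Build the record that may be persisted.

    Sensitive authentication data passed in `extra` is rejected outright
    rather than silently dropped, so a caller cannot accidentally keep it.
    """
    bad = FORBIDDEN_FIELDS & {k.lower() for k in extra}
    if bad:
        raise ValueError(f"must not store sensitive authentication data: {sorted(bad)}")
    digits = re.sub(r"[\s-]", "", pan)
    if not PAN_RE.match(digits) or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return StoredCard(mask_pan(digits), pan_token(digits, key), expiry, cardholder)


def lookup_matches(record: StoredCard, pan: str, key: bytes) -> bool:
    """Check a freshly presented PAN against a stored record without ever
    storing or logging the full number; constant-time compare on the token."""
    digits = re.sub(r"[\s-]", "", pan)
    return hmac.compare_digest(record.token, pan_token(digits, key))


if __name__ == "__main__":
    # Constructed demo key and a public test card number (Visa's 4111... PAN).
    key = b"constructed-demo-key-keep-real-keys-in-a-vault"
    rec = store_card("4111 1111 1111 1111", "12/29", "A Cardholder", key)
    print(rec.masked_pan, rec.token[:12] + "...")
    try:
        store_card("4111 1111 1111 1111", "12/29", "A Cardholder", key, cvv="123")
    except ValueError as e:
        print("rejected:", e)
```

The example refuses a record containing CVV rather than quietly discarding the field, so a bug in the caller cannot turn into a stored-CVV finding at audit time. A card number can still be matched later (for example to detect a returning card) through `lookup_matches`, which only ever recomputes the keyed hash and never needs the full PAN on disk.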
3. Vulnerability Management Program
Running anti-virus software is standard practice across businesses, but it only helps if it is kept up to date, and the same applies to the operating systems and applications that handle card data: security patches must be applied promptly.
New malware appears almost every day, so confirm that the protection in place actually detects it, that it is running on every system in scope, and that users cannot disable it.
4. Implementing Strong Access Control Measures
Only the few people whose job requires it should have access to cardholder data; fewer accounts mean fewer ways in. Give each of them a unique ID rather than a shared login, so that every action on the data can be traced to a person when something goes wrong, and require strong passwords that are changed regularly.
Physical access matters as well: restrict who can enter the data center or server room, and keep a record of visitors. A security guard is one way to enforce this.
5. Monitor and Test Networks
Keeping up with the necessary security measures can be challenging, and threats to the system are not always easy to spot.
Logging all access to network resources and cardholder data, and regularly scanning and testing the systems for vulnerabilities, gives you a clear picture of what needs fixing. Do these tests on a schedule, not just once.
6. Maintaining an Information Security Policy
Without a written policy, an employee responsible for a breach can plausibly claim they did not know the rules. With an information security policy that every employee has read and acknowledged, everyone knows what is expected of them and what the consequences are should a breach originate from them.
Always make sure they fully understand the policy; signing an acknowledgement is not the same as comprehending it.
In conclusion, recent breaches have brought the discussion of data security to the forefront. The legal ramifications and public relations nightmare suffered by the affected companies have been an eye-opener for many others.
You do not want yours to be next. Besides, it is good business practice to maintain the trust your clients have placed in you.