PCI compliance for business is all about how you process debit or credit card payments, and about ensuring your business handles and stores cardholder data according to the relevant standards. In the most basic sense, if your business accepts card payments in any fashion, you must become PCI compliant.
However, it is also true that PCI compliance is not a legal requirement. Instead, fines for data breaches are levied on the banks by the card providers who make up the Security Standards Council: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.
If your business isn’t compliant and there is a data breach, your bank could choose to pass these fines on to you, or terminate your business bank account entirely, because you are seen as posing a significant risk of customer data leaking.
With that in mind, however difficult becoming PCI compliant may seem, the risks of not being compliant are far more damaging to your business than you may anticipate.
Barring the financial penalties, the reasons you should pursue PCI compliance are twofold:
Firstly, it gives financial institutions confidence in your business as one that protects the public’s data, which increases public confidence in the reputations of the financial institutions and your business.
Secondly, the loss of credibility and trust that would follow a security breach would be immensely damaging at every level.
Putting customers’ credit at risk causes them long-term problems, and they may choose to spend their money with other, more secure, businesses. The leaking of their data also causes reputational damage to the financial institutions involved, which is why they are keen to ensure data is in safe hands and dealt with responsibly.
On the journey to becoming PCI compliant, there are 12 requirements you must meet, which the SSC groups into 6 goals.
The core of the first goal is ensuring that access to your systems is protected in a number of ways. Your business should have a firewall policy in place, and that policy should be tested frequently to confirm it still protects any data you hold.
The SSC also suggests that vendor-supplied passwords for any hardware or software are changed immediately to unique, strong passwords that cannot simply be guessed, as default passwords usually can. To strengthen this further, they also suggest changing those passwords at least once every 90 days.
The second goal mainly applies if your business chooses to store any cardholder data, for example in a database or physically in a locked filing cabinet. It is recommended, however, that you do not store any card data unless you absolutely must. Any data you hold on site becomes a liability if you are not fully PCI compliant at any point, which could lead to large fines and to customers losing faith in you as a business.
You should also never keep data such as customers’ PINs or card validation codes at any time. To keep cardholder data protected, you should combine virtual and physical safety measures. Passwords and authentication procedures, for example, are virtual measures, while locked cabinets and limited access to the server are physical measures.
You should also ensure that you encrypt all data in transit. Doing so ensures that anyone who does not hold the correct decryption key cannot read the encrypted data, making this a vital security measure.
To maintain a Vulnerability Management Program, you need to have a robust anti-virus system in place. You should be continually scanning your systems for malicious software, and continually updating your anti-virus software so that it can stop newer threats.
This also means that all your card payment systems should be kept secure, for example by your card payment provider continually updating their systems to close off known security exploits. By staying prepared at all times, instead of reacting to breaches after the fact, you can ensure that every step of the payment process remains secure.
The fourth goal is essentially making sure that only those who have a definite need to access cardholder data can do so. The principle is that the fewer people who can access the data, the lower the chance of a breach. All your staff should be given a unique ID for computer access, and should follow all best-practice guidelines, such as authorisation and frequent password resets.
If you hold your data offsite, this requirement still applies. It simply means that your provider is the one who must limit access to the data instead of your business. Holding the data offsite does not entitle the provider to a lower standard of security; the third-party provider must still ensure sufficient security at every step.
While you should make sure that only the necessary people have access to cardholder data, you should still track who accesses the data and when. If a security breach does happen, having accurate logging in place may help your provider find the root cause and fix it as soon as possible. Regular testing also gives customers and businesses continued confidence that the network, and the cardholder data held in it, is secure.
Becoming PCI compliant is a big undertaking, and may feel like a lot of work. FSB can provide you with a range of benefits that will improve the state of your business’s card payment systems.
If you’d like to find out more, take a look at our Card Payment Processing page, or speak to a member of our team.
Provided by Worldpay, the UK’s leading payments provider, FSB Payments can help you wherever you’re doing business – face-to-face, online, over the phone or by email.