What is PCI and how it affects your business



Infographic - What is PCI and how it impacts your business


For the most part, consumers understand and accept the risks that come when they provide businesses with their data. The majority recognize that this sharing of personal information enables companies to tailor the customer experience. As long as it makes life a little easier and more fun with targeted song choices, weather forecasts, and product recommendations, they will go along for the ride. However, the pleasant journey goes off the rails in no time when people’s trust is broken after a data breach. Without checks and balances in place, security gaps can lead to massive financial losses and harm to your reputation.

Your data isn’t as safe as you think.

In recent years, headlines about security breaches have hit the news on a frighteningly frequent basis. Even large corporations with massive security budgets are not immune. Although you don’t hear about small retailers being impacted in similar ways, the truth is that micro-businesses are extremely vulnerable to attacks on their data. This is true, at least in part, because their resources are often scant. Believing themselves too insignificant to bother with, they put safeguarding customer information on the back burner. In many respects, that is why PCI security standards had to come into being and why they continue to perform such a vital function. In short, merchants who accept plastic no longer have a choice; they must take concrete steps to protect customer data.

What is PCI compliance?

PCI compliance means meeting the Payment Card Industry Data Security Standard (PCI DSS), a set of security requirements maintained by the PCI Security Standards Council, which the major card brands founded. It applies to every entity that stores, processes, or transmits cardholder data, so not even a one-person retail operation is exempt. Whether you process one card a month or a thousand a day, you must be PCI compliant; if you are not, you risk both a data breach and the contractual penalties described below.

PCI compliance levels.

Each of the major card brands (Visa, Mastercard, Discover, and American Express) defines its own merchant compliance levels, set mainly by how many transactions you process per year, so a merchant who accepts several brands may be perplexed as to which level applies. The brands' thresholds are broadly similar but not identical, so confirm your level with your acquiring bank rather than assuming that your level for one brand carries over to the others. The level decides how you validate compliance, from an annual Self-Assessment Questionnaire (SAQ) at the lower levels to an on-site assessment by a Qualified Security Assessor (QSA) at the top level; the security requirements themselves are the same at every level.

PCI DSS is the card industry's common standard for protecting cardholder data. Businesses that accept credit cards must comply, and so must the service providers that store, process, or transmit cardholder data on their behalf. Vendors of payment hardware and software are covered by related PCI standards for payment devices and payment applications, so ask your vendors for evidence of validation rather than assuming it.

How does PCI compliance affect your business?

Compliance is also a contractual obligation: the merchant agreement you sign with your acquiring bank requires it. If you fail to live up to the terms, the card brands can fine your acquiring bank; figures from $5,000 to $500,000 are commonly cited. It should not surprise you to learn that your bank will not just slap you on the wrist and pay that penalty on your behalf; it will pass the cost on to your business under that agreement. If you are already in hot water with your bank because of past infractions, your merchant account could be terminated altogether, and you may have difficulty obtaining a new one from another financial institution.

On the other hand, being PCI compliant just makes good business sense. When you can show proof that you are doing all you can to protect and promote data security, you will go a long way toward earning the trust of your customers. In the event that hackers or fraudsters attack, you will be as ready as possible for the onslaught. Because your bank knows that you have done all you could to prevent the situation, they may go out of their way to offer assistance.

What are the PCI data security standards?

PCI DSS is organized as twelve requirements under six control objectives. The list below summarizes them in that grouping.

1. A. (Requirement 1: install and maintain a firewall.) Configure your firewall to permit only the traffic your business needs and to deny everything else, inbound and outbound. Every outbound connection from your cardholder data environment (CDE) should be explicitly authorized, and a firewall must sit between any wireless network and the CDE. Document the firewall rules and the business justification for each.
B. (Requirement 2: do not use vendor-supplied defaults.) Change default passwords and settings before a system goes live. Maintain an inventory of all in-scope hardware and software and assign a system administrator responsible for configuring it. Remove or disable any services, programs, scripts, accounts, drivers, features, and web servers that are not needed; implement only one primary function per server; encrypt all non-console administrative access; and document the configuration standards.

2. A. (Requirement 3: protect stored cardholder data.) Write a data retention and disposal policy, make sure all staff understand it, and keep cardholder data only as long as there is a business need for it. Never store sensitive authentication data (full track contents, the card verification code, the PIN) after authorization, even in encrypted form. Mask the card number wherever it is displayed, including receipts (the first six and last four digits are the most you may show), and render it unreadable wherever it is stored. Limit staff access to all forms of cardholder data.
B. (Requirement 4: encrypt transmission across open, public networks.) Review every system and vendor component that handles cardholder data to confirm that it encrypts the data in storage and in transit, and manage the encryption keys properly: protect them, rotate them, and retire any key that may have been compromised. Use TLS, with current protocol versions and strong cipher suites, whenever sending or receiving cardholder data over a public network, and never send a card number over end-user messaging such as e-mail or chat. Never use WEP; it is broken and PCI DSS has prohibited it for years.

3. A. (Requirement 5: protect all systems against malware.) Set your anti-virus software to scan and update automatically, make sure it generates audit logs, and review those logs regularly. Restrict permissions so that users cannot alter or disable it.
B. (Requirement 6: develop and maintain secure systems and applications.) Implement a change management process, track newly published security vulnerabilities for the software you run, and rank them by risk. Install security patches in a timely fashion, either automatically or manually; PCI DSS expects critical patches to be applied within a month of release.

4. A. (Requirement 7: restrict access to cardholder data by business need to know.) Write and distribute a policy stating which roles may access cardholder data, and train personnel accordingly. Configure your access controls to deny by default and grant only the access each role needs.
B. (Requirement 8: identify and authenticate access to system components.) Give every user a unique ID; a shared account cannot be tied to a person. Enable vendor and other remote access accounts only while they are in use, monitor them during that time, and disable them afterwards. Require multi-factor authentication for all remote network access into the CDE and for all non-console administrative access.

5. A. (Requirement 9: restrict physical access to cardholder data.) Secure all media that holds cardholder data: store it in a locked location, require management approval before it is moved, and use a tracked courier when it is shipped. Destroy media so that the data cannot be recovered (shred, incinerate, or securely wipe it). Verify the identity of anyone requesting access to media or to payment devices, and inspect card-reading devices periodically for tampering or substitution.
B. (Requirement 10: track and monitor all access to network resources and cardholder data.) Keep audit logs that record every action taken by administrators and every access to cardholder data, and protect the logs from tampering. Review logs and security events daily, following documented procedures, and decide ahead of time how to respond when the logs show something suspicious. Retain logs for at least one year, with the most recent three months immediately available for analysis.

6. (Requirement 11: regularly test security systems and processes.) Run internal vulnerability scans at least quarterly, using your own staff or a third party, and have external scans run quarterly by a PCI Approved Scanning Vendor (ASV). Scan again after any significant change to your network, and have penetration tests performed at least annually. Deploy a change-detection mechanism on critical system files and act on its alerts immediately. Check quarterly for unauthorized wireless access points, and plan in advance what to do if there is a breach.
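A check a practitioner would run against the firewall in item 1A, written here as an added example for this page rather than code taken from it. It parses `iptables-save` output and reports any built-in chain whose default policy is not DROP, any ACCEPT rule with no match criteria, and any ACCEPT rule that lets the wireless network reach the CDE. The two rulesets and the CDE and wireless subnets are constructed for illustration.

```python
"""Audit an iptables-save dump for the firewall expectations in item 1A:
default-deny on every built-in chain, no unconditional ACCEPT, and no
ACCEPT rule that lets the wireless network reach the cardholder data
environment (CDE).

Added example for this page, not code from the original article. The
subnets and the sample rulesets are constructed for illustration.
"""
import ipaddress
import re

# Assumed (hypothetical) network layout: CDE hosts and the wireless network
# live in separate subnets with this firewall between them.
CDE_NET = ipaddress.ip_network("10.10.0.0/24")
WIFI_NET = ipaddress.ip_network("10.20.0.0/16")

_POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s")
_RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*)$")


def _parse_rule(chain, body):
    """Extract what this audit needs from one rule: addresses and jump target.
    Negated matches ("! -s ...") are not interpreted; review those by hand."""
    tokens = body.split()
    rule = {"chain": chain, "src": None, "dst": None, "target": None,
            # "-j ACCEPT" with no match criteria at all accepts everything.
            "unconditional": tokens[:1] == ["-j"]}
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-s", "--source"):
            rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif tok in ("-d", "--destination"):
            rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
        elif tok in ("-j", "--jump"):
            rule["target"] = tokens[i + 1]
    return rule


def parse_iptables_save(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules = {}, []
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *filter or *nat
            in_filter = (line == "*filter")
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        m = _POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = _RULE_RE.match(line)
        if m:
            rules.append(_parse_rule(m.group(1), m.group(2)))
    return policies, rules


def audit(text):
    """Return a list of findings; an empty list means the dump passed every check."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: default policy is {policies.get(chain)}, expected DROP")
    for r in rules:
        if r["target"] != "ACCEPT":
            continue
        if r["unconditional"]:
            findings.append(f"{r['chain']}: unconditional ACCEPT rule")
        elif (r["src"] is not None and r["src"].overlaps(WIFI_NET)
              and (r["dst"] is None or r["dst"].overlaps(CDE_NET))):
            findings.append(f"{r['chain']}: ACCEPT from wireless {r['src']} to "
                            f"{r['dst'] or 'any destination'} bypasses CDE isolation")
    return findings


# Constructed sample: a permissive ruleset that fails every check.
BAD_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 10.10.0.0/24 -j ACCEPT
COMMIT
"""

# Constructed sample: default-deny with explicit allows; wireless is dropped before the CDE.
GOOD_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.10.0.0/24 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 10.10.0.5/32 -p tcp --dport 5432 -j ACCEPT
-A FORWARD -s 10.20.0.0/16 -d 10.10.0.0/24 -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("permissive", BAD_RULESET), ("hardened", GOOD_RULESET)):
        print(f"{name}: {audit(dump) or 'no findings'}")
```

The check reads addresses only: rules that isolate the CDE by interface or VLAN, and negated matches, still need a manual review, and the script is no substitute for the documented rule justification that Requirement 1 also asks for.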

Finally (Requirement 12: maintain an information security policy), develop, implement, and train staff on a comprehensive security policy that covers your company and the third-party vendors with whom you share cardholder data. It should spell out each employee's security responsibilities and include an incident response plan for a suspected compromise of cardholder data, tested at least annually.
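For the masking in item 2A and the log handling in item 5B, an added example in Python (not code from the original page): a masking function for receipts and screens, and a scrubber that finds Luhn-valid card numbers in log lines and masks them before the logs are retained, since audit logs are stored data and fall under the same rule. The log lines are constructed, and the card numbers are the industry's published test numbers, not real accounts.

```python
"""Mask primary account numbers (PANs) as item 2A requires for receipts and
screens, and scrub any full PAN out of log lines before they are retained
under item 5B.

Added example for this page, not code from the original article. The log
lines are constructed; the card numbers are published test numbers.
"""
import re

# A PAN in free text: 13 to 19 digits, possibly split by spaces or dashes,
# and not embedded in a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum. Rejects order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def mask_pan(pan):
    """Keep the first six and last four digits (the PCI DSS 3.3 maximum) and hide the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a valid PAN length")
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Replace every Luhn-valid PAN in a line of text with its masked form."""
    def _mask_match(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return _PAN_CANDIDATE.sub(_mask_match, text)


def scrub_log(lines):
    """Scrub a whole log: the step to run before lines reach long-term retention."""
    return [scrub(line) for line in lines]


# Constructed log lines. The first also carries an order number that is not a
# PAN, the second a PAN with spaces, the third only a batch id.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO auth ok order=20240501000123 pan=4111111111111111 amount=19.99",
    "2024-05-01T10:00:02Z WARN gateway timeout pan=5555 5555 5555 4444 retry=1",
    "2024-05-01T10:00:03Z INFO batch id=9999999999999 settled",
]

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))       # what a receipt may show
    for line in scrub_log(SAMPLE_LOG):
        print(line)
```

The Luhn filter keeps order numbers and batch ids out of the masked set, at the price of missing a PAN that was itself mistyped; for a field you know holds a PAN, such as the card line on a receipt, call mask_pan directly rather than relying on pattern matching. Scrubbing at write time is a safety net, not the control: the primary fix is to keep the full PAN out of the log in the first place.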