In December 2004, the world’s five leading payment card brands – American Express, Discover Financial Services, JCB, MasterCard and Visa – collaborated to create a worldwide standard for protecting consumer cardholder data. Most recently updated in August 2009, the Payment Card Industry (PCI) Data Security Standard (DSS) is a compilation of best practices for securing data throughout the information lifecycle.
The guidelines of the PCI DSS are thorough; however, since its introduction there have been loopholes in how the standard is applied and enforced.
The problem? High-volume businesses (particularly online businesses) must have their compliance assessed by an independent assessor known as a Qualified Security Assessor (QSA). Companies handling smaller volumes, on the other hand, have the option of self-certification via a Self-Assessment Questionnaire (SAQ). This is where the problem comes into play. We have all filled out bubble answer sheets at some point in our lives and know how easy it is to check off all the right answers without thinking twice about the repercussions. “I am a small business owner. I have way too much on my hands to do this procedure every day. I will just do it once a week instead.” Sound familiar?
Well, think twice. If you get caught, even without having your system hacked and information stolen, you could be facing hundreds of thousands of dollars in non-compliance fines, easily enough to put most of us small-business owners far underground.
The PCI DSS requirements are straightforward if approached systematically. They are outlined below:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software on all systems commonly affected by malware
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
Unfortunately, there are many small business owners who either feel that the above twelve requirements are too complicated to implement, or that they are somehow a special exception and the rules don’t apply. Wake-up call! These rules DO apply to any business or organization, for-profit or non-profit, that accepts credit or debit card payments.
Look at it this way: any successful business makes its customers a priority. The PCI DSS guidelines are just another step in keeping your customers safe and happy, and they are the very minimum you should be doing in that regard. Every time a customer hands you a credit or debit card, they are trusting that you will process their information safely.
If properly maintaining the twelve PCI DSS requirements seems like an unmanageable task, you should consider using a third-party payment service. Especially when it comes to online transactions, customers are always more comfortable going through services such as PayPal and Authorize.net. It is really a win-win situation: these companies handle all the credit card information and simply post a deposit to your account.