Understanding the Law: PCI Compliance
Full disclosure: We are not attorneys or experts in the law and this is not legal advice. Please consult your attorney and do your own due diligence if you have questions or issues.
It’s all about the data. Customers have to trust that the personal data they provide you by punching in their card number on your website or swiping their card at your register will be kept safely and securely. Without that assurance, sales in the digital age aren’t really possible. Sure, you want to make transactions easy, but you also want to make them secure. Customers have enough to worry about without fretting about their identities being stolen or their credit cards being hacked. It is your job to help minimize their risk.
This is where PCI compliance comes into play. PCI compliance or the Payment Card Industry Data Security Standard (PCI DSS) is really a set of standards that companies who accept, process, store or transmit the personal data contained on debit and credit card must adhere to. Unlike many other standards, it’s not administered by the government, but instead by a conglomerate of the major card issuers like Visa, MasterCard, Discover and American Express. These card issuers have the power to enforce civil penalties of up to $50,000 and permanently bar you from accepting card payments of any kind. If you want to process card sales (and you most likely do), you’ll need to follow these standards.
Create and maintain a firewall. It’s your first line of defense against somebody waltzing into your network to sift through your customer’s data. Make sure to run regular tests to ensure your firewall is up to the job.
Encrypt transmission of cardholder data. It’s important to secure data not just on your network but also when it’s transmitted. Just as spies use codes for sensitive information, encryption adds another barrier to hackers trying to intercept your data stream.
Use antivirus software and update it regularly. While they may have anti-virus software, many companies don’t keep it up to date. Make sure you and your staff are trained in how to update this software and only work with antivirus vendors who have an established and good track record.
Be careful using third-party apps. Some of these apps are great. They can save you time and effort, providing handy workarounds when your regular systems come up short. However, every new app is a potential security risk, so make sure each one you use is thoroughly vetted.
Limit physical access to cardholder data. Only those employees who have an absolute need for access to customers should have it and then only for specific tasks. You should also assign unique IDs to all users, so you know who has access, when they have access and exactly what they’re doing with that access.
Continually test your security systems. Even the best security gets a little long in the tooth. Weakness will be discovered, or backdoors found. If you don’t test it, then sooner or later somebody outside your company will.
Create and adhere to a security policy. There’s nothing better than writing it down. It avoids any confusion because there’s a written guideline to follow. It also emphasizes the importance of good data security habits to you and to your staff.
Trust is an essential part of any business transaction. Customers have to have faith that you’ll be a good steward of the data they give you. PCI compliance is a great way to ensure that you’re worthy of that trust, both for the initial sale and afterward.