Running a business of any kind means accepting payments, often via credit card. Because thieves target these transactions, you and your customers are at risk. How much? Credit card theft cost U.S. consumers $16 billion in 2016. Making payments safe for consumers is crucial for your business reputation. As a business owner, you need to protect your customers’ financial information. Payment Card Industry Data Security Standard (PCI DSS) compliance is your solution.
PCI DSS represents a set of security standards designed to prevent credit card theft. Compliance shows that you are taking all reasonable steps to protect your customers. These include processes to prevent, detect, and react in case of data breaches.
Do you need it? Most major credit card schemes require PCI compliance: Mastercard, Visa, American Express, Discover and others all require it. For this reason, everyone who accepts credit cards must be PCI compliant. And, while the primary goal of PCI DSS is protecting customers, it also protects you.
IBM research shows that data breaches cost businesses an average of $141 per lost record in 2016. Businesses also have a 28% chance of experiencing a data breach. If you are not PCI compliant, you and your customers are at risk. You could also be liable for data stolen from Point of Sale (POS) systems on your premises.
PCI compliance involves 2 factors: a secure Point of Sale and secure business practices.
Beyond using PCI compliant POS solutions, you need to meet the 12 PCI DSS requirements.
Implementing these standards will enable you to mitigate data breaches.
Applying for PCI compliance requires 4 primary steps. These include different processes depending on your business setup and size. You can choose to handle everything yourself to save costs. You may also hire a Qualified Security Assessor to do the work for you.
In most cases, you can submit a self-assessment questionnaire to achieve PCI compliance. There are 9 Self-Assessment Questionnaires designed for different types of businesses. The questionnaires include 20-100+ questions and an Attestation of Compliance form. Some businesses need a Designated Entities Supplemental Validation from a Qualified Security Assessor. You may also need an independent review of your business by an Approved Scanning Vendor.
PCI compliance level represents the security risks your business faces. It changes based on how many transactions you handle per year. Different banks and credit card companies use different standards.
After you fill out documents, submit them to your bank or payment solution.
You may need an independent validation of compliance. Here, a Qualified Security Assessor will review your business on a yearly basis. If you do not need the independent validation, the Self-Assessment is enough.
Most small and medium businesses use systems and services from third-party suppliers. Unfortunately, not all vendors and suppliers offer PCI compliant POS solutions and processes. Many small businesses own older POS systems that are no longer PCI compliant. For example, an old system might store full magnetic stripe data after authorization. It might also store CVV2 or PIN data, which is an equally serious risk.
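As an added example, not code from this article or from any POS vendor: a Python check, run over constructed sample records, that flags stored transaction data containing the magnetic stripe track data, CVV2 or PIN data just described, and a cleartext card number. The field names and record layout are assumptions for the example.

```python
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization:
# full magnetic-stripe track data, the CVV2/CVC2 code, and PIN / PIN-block data.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")  # %B<PAN>^NAME^YYMM...
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4}\d{3}")           # ;<PAN>=YYMMSSS...
CVV2_KEYS = ("cvv", "cvv2", "cvc2", "cid")                  # assumed field names
PIN_KEYS = ("pin", "pin_block")                             # assumed field names
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")              # candidate card number

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real PAN from an unrelated run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def findings_for(record: dict) -> list:
    """List the storage violations found in one persisted transaction record."""
    problems = []
    for key, value in record.items():
        text = str(value)
        has_track = bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))
        if has_track:
            problems.append(f"{key}: full track (magnetic stripe) data stored")
        if key.lower() in CVV2_KEYS and text.strip():
            problems.append(f"{key}: CVV2 stored")
        if key.lower() in PIN_KEYS and text.strip():
            problems.append(f"{key}: PIN data stored")
        # A full PAN may be kept only if rendered unreadable (PCI DSS req. 3.4);
        # a cleartext, Luhn-valid PAN outside a track field is therefore flagged.
        if not has_track and any(luhn_ok(m) for m in PAN_RE.findall(text)):
            problems.append(f"{key}: cleartext PAN stored")
    return problems

def scan_records(records: list) -> dict:
    """Map each record's txn_id to its findings; an empty list means clean."""
    return {r.get("txn_id", "?"): findings_for(r) for r in records}

# Constructed samples: what a legacy POS might persist versus a compliant one.
LEGACY_RECORD = {"txn_id": "1001", "track2": ";4111111111111111=25121011234567890?",
                 "cvv2": "123", "pin_block": "A1B2C3D4E5F60718"}
COMPLIANT_RECORD = {"txn_id": "1002", "pan_masked": "411111******1111",
                    "auth_code": "123456", "amount": "19.99"}

if __name__ == "__main__":
    for txn, found in scan_records([LEGACY_RECORD, COMPLIANT_RECORD]).items():
        print(txn, found or "OK")
```

Running the same check over exported records from an existing POS database is a quick way to see whether it retains data it should not.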
A secure POS system includes:
Each POS solution should be individually PCI compliant. If you accept payments through an application, that application must be PCI compliant too. If you accept credit cards at your store, the direct point of sale must be compliant. Finally, your server and network must be compliant as well.
Purchasing a secure POS system is only the first step to ensuring that you are PCI compliant. You also need strict security standards for your business. Companies with a large internal IT department can handle this on their own. If you don’t have that, we at Exigent can help set up and manage security standards for you. See our IT security services.
PCI compliance requires you to:
PCI compliance can be time-consuming and may be expensive. You may be hesitant to replace your POS hardware, but doing so can save you money. Losing customer information puts your business at risk. A data breach can be costly. It can also affect your reputation, your ability to accept credit cards, and even your ability to stay in business. Ensuring that you are PCI compliant will protect your business and your customers.