Running a business in today’s data-driven world requires compliance with various federal regulations. Depending on the industry and the type of data that you deal with, there are several such regulations to abide by, and failure to do so can lead to serious consequences. One such regulation that many small business owners don’t fully understand is Payment Card Industry (PCI) compliance. PCI covers the technical and operational standards that must be followed in order to ensure that customer-provided credit card data is protected.
So, how does PCI affect your small business? Let’s take a look.
All companies that store, process or electronically transmit credit card data are required to follow PCI compliance guidelines. Compliance is enforced by the PCI Security Standards Council. The PCI compliance standards, known as the Payment Card Industry Data Security Standard (PCI DSS), require these organizations to handle credit card information securely and in a regulated manner that reduces the likelihood of sensitive financial data being intercepted or stolen.
The PCI DSS requirements are managed by major credit card companies such as MasterCard, American Express, Visa, Discover, and others and were released in December 2004.
Identity theft and large data breaches almost always make the news in one form or another, and one of the last things you want is press coverage for mishandling credit card information.
The PCI guidelines outline a series of twelve requirements that you must continually follow. We’ll go more into those requirements in the next section, but as a general overview, you’ll need to assess your IT infrastructure, the overall business processes, and the organization’s credit card handling procedures from top to bottom in order to help identify potential threats.
After that, you’ll need to address any gaps in security and structure your systems so that you avoid storing sensitive cardholder information, such as driver’s license and social security numbers, unless absolutely necessary. Additionally, you’re required to provide compliance reports to the credit card companies that you work with, such as MasterCard and Visa.
The PCI Dozen
As mentioned above, there are twelve requirements for building and maintaining a secure network and system in order to meet PCI compliance requirements. Here’s a quick look:
- Install and properly maintain a firewall configuration to protect cardholder data.
- Eliminate the use of vendor-supplied default passwords.
- Protect stored cardholder data using encryption, hashing, masking, truncation and other security methods.
- Encrypt cardholder data when it is transmitted over open, public networks.
- Regularly update anti-virus software to protect systems against malware and other attack attempts.
- Develop and properly maintain secure systems and applications.
- Restrict access to cardholder data to a “need to know” basis.
- Assign a unique identification (ID) to each person with access to system components. This makes access to critical data systems accountable to an individual.
- Restrict physical access to cardholder data.
- Monitor and track all access to cardholder data and network resources.
- Regularly test your security systems and processes.
- Maintain an information security policy for all personnel.
The “Fine” Print
Counting only bad press, word of mouth, and the initial financial impact, suffering a data breach is bad enough for any business. However, once you add in PCI compliance fines, the total cost to your organization can quickly grow beyond your worst fears.
Depending on factors such as the size of your business and the degree and length of your non-compliance, fines can range from $5,000 to $100,000 a month. If issues aren’t resolved quickly, fines can rise each month until you’re in compliance. Furthermore, failure to comply can eventually result in your ability to take credit cards being completely revoked.
It can get worse!
The credit card brands themselves can fine you for a data breach, even if you’re in compliance with PCI rules. That’s right: they can impose separate penalties, and while they don’t publish the amounts of these additional levies, organizations that aren’t in compliance are highly likely to be fined more than those that are.
Data security simply has to be a top consideration for all organizations, especially those that deal with credit card and health information. PCI compliance may seem like “much ado about nothing,” but when you consider how many data breaches there are each year, you definitely don’t want to get caught without it.
A PCI Solution
If your business relies on accepting, processing or storing credit card information, PCI can be your biggest burden. However, choosing the right partner with the right experience can take a rather large part of that burden off your shoulders.
Contact Connectria for more information. We’re a partner that will ensure that your PCI compliance needs are met and maintained. Our engineers can help you set up your environment so that it meets your regulatory compliance needs, and if you wish, we provide ongoing, 24/7/365 managed services to help ensure that your environment stays compliant.