How can you protect your customers from a data breach or identity fraud? Learn the basics of PCI compliance here.
Stories of data breaches and identity fraud have become so commonplace in mass media that business owners may be led to believe there is little that can be done to thwart cyber criminals.
USA Today reported an astonishing 43 percent of organizations experienced a data breach in 2014 (representing a 10 percent increase from the year prior).
However, there are many ways businesses can proactively keep customer data safe, particularly during credit and debit card transactions.
Here is a look at what the security standard, PCI (Payment Card Industry) compliance entails, and what it means for your business in regards to keeping customers safe.
What PCI Compliance Is — and Isn’t
PCI compliance refers to adherence to the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements maintained since 2006 by the PCI Security Standards Council, which the major card brands founded. The standard applies to any organization that stores, processes or transmits cardholder data, and it sets a baseline of security controls for protecting that data rather than a guarantee against every attack.
Though PCI compliance isn’t “law,” it is a contractual obligation that card brands and acquiring banks impose on merchants, and the standard is revised regularly to keep pace with the ways cardholder data is actually being stolen. It exists to protect both merchants and the customers who trust them with sensitive financial data.
How to Verify Whether Your Current Processes Are PCI Compliant
Although the details of the standard change from version to version, the way merchants are categorized has stayed stable: each card brand assigns merchants to one of four levels based on the number of credit and debit card transactions processed for that brand over a 12-month period. The level determines how you must validate compliance (for example, a self-assessment questionnaire versus an on-site assessment by a Qualified Security Assessor).
Confirm which level your business falls into for each payment card brand you accept (such as Visa, MasterCard, American Express or Discover), based on the volume of transactions you process for that brand. With Visa, for example, “level 4” applies to merchants that process fewer than 20,000 Visa e-commerce transactions a year, or up to one million Visa transactions a year across all channels.
For e-commerce merchants in this category, the simplest validation path is available only when the payment acceptance and processing pages are delivered directly from a third-party, PCI DSS validated service provider, so that no cardholder data ever touches your own systems. If your servers collect, relay or store card data themselves, more of the standard applies to you. (Note that popular e-commerce security measures, such as an SSL/TLS certificate, are necessary but do not by themselves make you PCI compliant.)
Regardless of whether you sell online, from a fixed point-of-sale terminal or via mobile payments, a significant part of reducing your PCI burden is choosing payment providers that are themselves validated as PCI DSS compliant for the services they deliver to you. Keep in mind that a provider’s compliance does not transfer to you: you remain responsible for the parts of the transaction under your control, and for staying current with the latest version of the standard published by the PCI Security Standards Council.
How to Educate Your Staff on Best Practices for PCI Compliance and Security
While many aspects of PCI compliance are technology controls, a large share of breaches begin with physical tampering of a point-of-sale device (such as a skimmer fitted to a card reader), or with innocent mistakes made by customer-facing staff who handle credit and debit card payments.
Educate your staff on PCI compliance basics. For example, your business must never retain a customer’s full credit card number, so staff should not write a card number down to run later if the connection to a processing terminal is temporarily unavailable. The same rule applies to e-mail, chat, spreadsheets and application logs: a full primary account number (PAN) must not end up anywhere it is not protected under the standard.
If members of your team process mobile payments at off-site locations (like a festival or trade show), confirm they use only a private, password-protected network or a cellular data connection to process payments, and that they avoid public Wi-Fi hotspots entirely.
Perform Consistent and Ongoing Security Scans
In addition to physically inspecting point-of-sale terminals and card readers to confirm that no suspicious stickers or hardware have been affixed and that no terminal has been moved or swapped, the PCI DSS requires organizations to run internal and external vulnerability scans at least quarterly, and again after any significant change to the network. External scans must be performed by an Approved Scanning Vendor (ASV) listed by the PCI Security Standards Council.
This process should cover external entry points such as firewalls and Internet-facing applications that attackers could probe, and it should also validate internal systems, including network security, applications and portable devices, which can introduce malware accidentally, through a disgruntled former employee, or through a vendor with dishonest staff. Scanning should also look for cardholder data that has leaked into places it does not belong, since a log file or spreadsheet holding full card numbers puts that system in scope for the entire standard.
Though accepting customer credit and debit card payments has become a business norm, it does task your business with the added responsibility of keeping sensitive customer data safe. By understanding the basics of PCI compliance, confirming your level with each card brand, limiting where cardholder data can flow, training your staff and scanning regularly, you can protect your business from unnecessary risk and keep your customers’ transactions secure.