If you process payments in any capacity in your business, you’ve likely heard of PCI DSS. PCI DSS stands for Payment Card Industry Data Security Standard, and it is a critical component of the security program of any organization operating in the payment sector. If you store, process, or transmit credit card information, PCI compliance is required, and it can give your customers and partners greater assurance that you run a strong security program. Violating PCI requirements can lead to many negative consequences, including fines, damage to brand reputation, and increased exposure to data breaches.
Here’s what you need to know about PCI and PCI compliance, and why each is so critical in modern payment processing.
PCI Compliance Requirements
- Create and maintain a firewall configuration for the purpose of protecting cardholder data
- Avoid using vendor-supplied defaults for passwords and security parameters throughout your system
- Take steps to protect all stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use antivirus software and update it regularly
- Develop secure systems and applications and maintain them accordingly
- Restrict all access to cardholder data to only key roles within your business
- Assign a unique ID to each person using a computer within your system
- Restrict all physical access to cardholder data
- Track and monitor any and all access to network resources and cardholder data
- Test security systems and processes regularly
- Maintain a comprehensive security policy and ensure that all personnel are on board
What Happens in Cases of Non-Compliance?
Fines and Fees
When you fail to comply with PCI guidelines, you risk fines ranging from $5,000 to $10,000 per month, depending on both the severity and length of your non-compliance. As if that weren’t bad enough, credit card companies will likely also raise your transaction fees following a bout of non-compliance. You may also incur additional costs, like client compensation, forensic investigation and remediation costs, or increased bank rates.
During non-compliance, payment brands may place restrictions on your organization’s ability to process card transactions. In some severe cases, your servicer may terminate your transaction services completely, until you reinstate compliance.
Finally, falling out of compliance with PCI increases the risk of data breaches, which can have a pronounced negative impact on your brand reputation and security. Data breaches often create public backlash and lost customers, as well as ongoing reputation issues. Here’s what the PCI Security Standards Council has to say about the impact of data breaches:
“The breach or theft of cardholder data affects the entire payment card ecosystem. Customers suddenly lose trust in merchants or financial institutions, their credit can be negatively affected — there is enormous personal fallout. Merchants and financial institutions lose credibility (and in turn, business), they are also subject to numerous financial liabilities.”
Quick Tips for PCI Compliance
- Buy and use only approved PIN entry devices at your point-of-sale
- Buy and use only validated payment software at your POS or website shopping cart
- Do not store any sensitive cardholder data in computers or on paper
- Use a firewall on your network and PCs
- Make sure your wireless router is password-protected and uses encryption
- Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices
- Teach your employees about security and protecting cardholder data
- Follow the PCI Data Security Standard
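Two of the points above, “take steps to protect all stored cardholder data” and “do not store any sensitive cardholder data in computers or on paper,” are most often violated by accident: a full card number or a verification code ends up in an application log. The following Python script is an added example, not code from the original article or from Apptega, showing a check a practitioner can run over log output. It finds 13–19 digit runs, keeps only those that pass the Luhn check (so order numbers and reference ids are left alone), masks them to the first six and last four digits, and separately flags verification-code fields, which PCI DSS does not allow to be stored after authorization at all. The log lines and field names are constructed for the example; the card numbers are published test PANs, not real accounts.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample log lines (not from the original article). The card
# numbers are publicly documented test PANs, not real account numbers.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO checkout ok order=1001 card=4111111111111111 amount=19.99
2024-05-01T10:00:02Z DEBUG gateway request {"pan":"5555 5555 5555 4444","exp":"12/27","cvv":"123"}
2024-05-01T10:00:03Z INFO order=1002 ref=1234567890123 status=captured
2024-05-01T10:00:04Z ERROR retry token=tok_9f8e7d6c5b4a amount=5.00
"""

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. This is only a candidate filter; Luhn decides.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Field names (assumed for this example) under which card verification codes
# tend to leak into logs. Verification codes are sensitive authentication data
# and may never be stored after authorization, so they are flagged, not masked.
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b\W{0,3}(\d{3,4})\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the most PCI DSS allows to display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "PAN" (masked in output) or "SAD" (must not be stored at all)
    value: str     # masked PAN, or the leaking field name for SAD


def scrub_line(line: str) -> Tuple[str, List[str]]:
    """Replace every Luhn-valid PAN in a line with its masked form.

    Returns the scrubbed line and the list of masked PANs that were replaced.
    """
    masked: List[str] = []

    def _replace(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)          # order ids and references stay untouched
        masked.append(mask_pan(digits))
        return masked[-1]

    return PAN_CANDIDATE.sub(_replace, line), masked


def scan_log(text: str) -> Tuple[str, List[Finding]]:
    """Scrub a whole log and report, line by line, what was found."""
    findings: List[Finding] = []
    out_lines: List[str] = []
    for n, line in enumerate(text.splitlines(), start=1):
        clean, pans = scrub_line(line)
        for p in pans:
            findings.append(Finding(n, "PAN", p))
        for m in SAD_FIELD.finditer(line):
            findings.append(Finding(n, "SAD", m.group(1).lower()))
        out_lines.append(clean)
    return "\n".join(out_lines), findings


if __name__ == "__main__":
    scrubbed, found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.kind} {f.value}")
    print(scrubbed)
```

Run against the sample, the script masks the card numbers on lines 1 and 2, leaves the 13-digit reference number on line 3 alone because it fails the Luhn check, and reports the `cvv` field on line 2 as data that should not have been written at all. Masking is a damage-limiting step for logs that already exist; the underlying fix is to stop the application from logging the fields in the first place.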
Ensuring PCI Compliance at All Business Phases
- PCI DSS Overview and History
- Risks of Non-Compliance
- Understanding Merchant Levels
- Stakeholder Roles and Responsibilities
- PCI DSS Requirements
- Scoping and Descoping Methods
- PCI Audit Process
- Milestones for Prioritizing PCI Compliance Efforts
Apptega provides software that can help you build, manage, and report on your cybersecurity program based on PCI DSS or 12+ other standards. Apptega helps to simplify the complexity of PCI DSS, eliminate spreadsheets, and help you document and report on an organization’s change and configuration management as part of its overall plan. Plus, with Apptega’s Harmony you can see how your PCI controls overlap other frameworks you are required to follow, like ISO 27001, SOC 2, NIST, HIPAA, GDPR, CCPA and more.
We’d love to show you more on how we could help.