Why is PCI compliance important?
The Payment Card Industry (PCI) Security Standards Council was established to help merchants protect cardholder data. The PCI SSC founding members are American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Goals of the PCI Data Security Standard
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
- Customers worry about theft of their data.
- You should worry about business fallout.
More than 340 million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005. Criminals are now shifting their sights to small merchants, because many have lax security for cardholder data. More than 80% of attacks target small merchants. If you are at fault for a security breach, the business fallout can be severe:
- Fines and penalties
- Termination of ability to accept payment cards
- Lost confidence, so customers go to other merchants
- Lost sales
- Cost of reissuing new payment cards
- Legal costs, settlements and judgments
- Fraud losses
- Higher subsequent costs of compliance
- Going out of business
What data thieves are after
The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.
Sensitive cardholder data can be stolen from many places:
- Compromised card reader
- Paper stored in a filing cabinet
- Data in a payment system database
- Hidden camera recording entry of authentication data
- Secret tap into your store’s wireless or wired network
Defining “sensitive cardholder data”
Everything at the end of a red arrow is sensitive cardholder data. Anything on the back side of the card, and the CID, must never be stored. Everything else you store must be kept for a good business reason, and that data must be protected.
You must secure cardholder data to meet Payment Card Industry rules!
Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
HOW TO SECURE?
Let the PCI Data Security Standard guide your program for security
The PCI DSS has become a model framework for security. It has best practices representing years of experience from security experts around the world. The standard works for the biggest corporations. And it will work for you!
Quick steps to security!
- Buy and use only approved PIN entry devices at your points-of-sale.
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper. Never print the full card number on a receipt.
- Use a firewall on your network and PCs.
- Make sure your business network wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software – most are unsafe!
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
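Two of the steps above, not storing sensitive cardholder data and never printing the full card number on a receipt, can be checked in software. The following is an added example and is not code from Frontline Processing or from the PCI SSC: it masks a PAN for receipt printing (last four digits only), and it scans a text file such as a POS log for full card numbers (13 to 19 digit sequences that pass the Luhn check, which filters out order numbers and phone numbers) and for stored security-code fields. The log lines are constructed for this example and use publicly known test card numbers; the field names it looks for (`cvv`, `cvc`, `cid`, `track`) are an assumption about how a payment application might label such data.

```python
import re

# Constructed sample POS log (not from the page). Card numbers are the
# well-known 4111.../5555.../3782... test PANs; the order number on the
# first line is a 16-digit value that is NOT a valid card number.
SAMPLE_LOG = """\
2024-05-01 09:12:03 receipt printed for order 1234567890123456 total 42.10
2024-05-01 09:12:04 DEBUG card=4111 1111 1111 1111 exp=12/26 cvv=123
2024-05-01 09:15:30 call merchant support 406-585-7443
2024-05-01 09:20:11 refund to 5555555555554444 approved
"""

# Candidate PANs: 13-19 contiguous digits, or the common 4-4-4-4 and
# 4-6-5 groupings separated by a single space or dash. The lookarounds
# keep the match from starting or ending inside a longer digit run.
PAN_RE = re.compile(
    r"(?<!\d)(?:\d{13,19}"
    r"|\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}"
    r"|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)"
)

# Field names that would indicate sensitive authentication data being
# written to disk (assumed labels, not a PCI-defined list).
AUTH_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|track[12]?)\s*[=:]", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for a receipt: keep only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def find_unmasked_pans(text: str) -> list:
    """Return normalised digit strings for every Luhn-valid PAN found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_sensitive_auth_fields(text: str) -> list:
    """Return the lower-cased names of security-code / track-data fields present in text."""
    return [m.group(1).lower() for m in AUTH_FIELD_RE.finditer(text)]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form; leave other numbers alone."""
    def _sub(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(_sub, text)


if __name__ == "__main__":
    print("receipt shows:", mask_pan("4111 1111 1111 1111"))
    print("full PANs stored in log:", find_unmasked_pans(SAMPLE_LOG))
    print("auth-data fields stored in log:", find_sensitive_auth_fields(SAMPLE_LOG))
    print(redact_pans(SAMPLE_LOG))
```

Run against the sample log, the scan reports the two real card numbers and the `cvv` field but ignores the order number and the phone number. A scan like this, run over receipt templates, application logs and exports, is a practical way for a small merchant to confirm that the "do not store" rule is actually being followed by the software they bought.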
We at Frontline Processing are here to help. We’re all in this together. Protecting cardholder data is in all of our best interests, and it’s not as scary as it might sound. Call us at 406-585-7443 or email us at PCI@FrontlineProcessing.com for assistance.