What your business needs to know about PCI Compliance
PCI Compliance.
Whenever I mention that term to a room full of business executives, the room gets gets really really quiet. Things are about to get serious. Businesses know they need to be “PCI Compliant” but there is a bit of mystic of what that means. Who needs to do what? Is it an IT issue or a Business issue? Is it legal paperwork or a gadget that needs to be purchased?
These are the type of questions that follow so let’s break it down:
What is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI-DSS) is an arrangement of prerequisites that essentially says in the event that you are a company that operates, stores or transmits customer’s credit card information, you need to do that safely.
Additionally, they direct the steps the company needs to follow to be secure.
It’s controlled and overseen by the PCI Security Standards Council, a free body made by a portion of the significant installment card brands.
Who needs to be “Compliant?”
Any businesses that accepts credit card payments must uphold to PCI compliance. If your business does, then you should train your team.Click here for more info on how to protect your clients’ information.
Why should I care to be PCI Compliant?
The simple answer is that if your business suffers a data-breach and customer credit card information is stolen, then your business is liable for fines, fees, and penalties. A fine of approximately $250,000 will be issued for losing 10,000 credit card numbers and additional fees for a PCI assessment which could cost the business an additional $50,000-$100,000.
Of course, should your business be responsible for being negligent, customers are going to lose trust and will probably take their business elsewhere.
How can you become PCI Compliant?
Here are some tips that will make your PCI Compliance process simpler but note that these are not to be taken as legal or consulting advice but rather a simplified way to understand PCI requirements.
1. Secure Your Computer with Firewall and Antivirus Software
Securing information means having an up-to-date antivirus software on your computer and a firewall on your network. This should already be in place not just for PCI compliance, but to protect the business files and systems and of course, customer’s information.
2. Never Keep Credit Card Information on Your Own
Customers want to know that when they hand over their sensitive information such as their credit card numbers, expiry dates and security code (CVV) and mag-stripe data, that this information isn’t stored in an Excel spreadsheet on someone’s desktop.
If you need to store this information for billing purposes, there are great 3rd-party tools such as, secure credit card vault, that will safely store the info and allow you to use the card when needed.
3. Make Sure That You Are Using a Hosted Payment Page
It is common practice for customers to finalize their “checkout” and payment on a page that is hosted by a 3rd-party. This reassures the customers that your business doesn’t keep their credit card info.
4. Make Sure That You Have a Great Password Policy
An easily guessable password is the simplest way for a data breach to occur. Therefore, ensure that within your business there is a strong password culture which forces everyone to change their passwords monthly. While this not “convenient” neither is recovering from
a data hack which could take years to build customer trust.
5. Make Your Payment Terminals Protected
Customers expect business owners to have a secure point of sale devices. Therefore, it is important to conduct regular checks on those devices to ensure that no malicious software has been added. You can train your employees, especially your cashiers, to observe the POS and report anything unusual.
So in summary:
Just like you expect your credit card information to be safe when you shop online or at your favorite shop, your customers expect the same from your business. PCI helps you to ensure that if you follow the steps, then the data would be safe even in the event of a data breach.