Are you PCI compliant? If you take credit card payments, you’d better be.
The Payment Card Industry Data Security Standard (PCI DSS) was designed to ensure that any organization that processes, stores, or transmits credit card information does so in a secure environment. In basic terms, anyone who has a merchant ID, regardless of size, falls under this standard, and the deadline to be compliant is now. Any merchant that uses third-party software to process credit cards must use a validated payment application (one assessed against the related Payment Application Data Security Standard, PA-DSS); the card brands' deadline for that requirement was July 1, 2010.
There are 12 requirements that an organization must meet in order to be compliant. They are grouped under six control objectives:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Your acquiring bank (the bank that holds your merchant account) is the one that enforces compliance, and it is also the one that can help you become compliant. In addition, there are Self-Assessment Questionnaires (SAQs) that can be completed to help determine where you stand. Many banks will test your systems for you, although there may be a small fee involved. On the flip side, the cost of being non-compliant will certainly be more. Although PCI DSS is not law, it is a contractual standard created and mandated by the major card brands (Visa, MasterCard, American Express, etc.). The card brands and your acquiring bank may subject merchants to fines, forensic audits, damages, and more should a breach happen or if they find that a merchant is not compliant.
Does the fact that the software you use to process credit card information is PCI compliant mean that the data is secure? Not necessarily. Many organizations do only the bare minimum needed to say they have satisfied all the requirements. Remember, the intent is to protect your members' data. Steps need to be in place to secure the data before and after it is processed, especially for transactions received internally (by fax, mail, or phone) rather than through the web. These steps include:
- Ensuring that full credit card numbers are not kept on file. Retain only the last 4 digits, and never store the card security code (CVV) or full magnetic-stripe data after a transaction is authorized;
- Ensuring that procedures are in place to secure credit card information received via fax or mail;
- Continually training staff on internal controls.
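As an added illustration of the first two steps (this is example code, not part of the original article), the following Python script shows what "retain only the last four digits" looks like in practice: a Luhn check, a truncation helper that keeps only the last four digits of a full card number, and a scanner that finds full card numbers that were keyed into free-text records such as a spreadsheet of faxed or mailed orders. The sample records, member numbers and the regular expression are constructed for this example; the card number in them is the standard 4111 test number, not a real card.

```python
import re

# Constructed sample intake records, the kind of data that ends up in a
# spreadsheet or mailbox after a faxed or mailed form is keyed in.
# "4111 1111 1111 1111" is the well-known Visa test number, not a real card;
# "1234567890123456" is 16 digits but fails the Luhn check.
SAMPLE_RECORDS = [
    "Member 1042, renewal $150, card 4111 1111 1111 1111 exp 12/27",
    "Member 1043, renewal $150, card ending 4242 (truncated)",
    "Member 1044, invoice 20240117, ref 1234567890123456",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjoining other digits. Kept deliberately loose; the Luhn check
# below removes most false positives such as invoice or reference numbers.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(raw: str) -> str:
    """Reduce a full card number to the only part that should be kept on file: the last four digits."""
    digits = re.sub(r"\D", "", raw)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid full card number found in a piece of free text."""
    hits = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scrub_record(record: str) -> str:
    """Replace each full card number in a record with a form that keeps only the last four digits."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            return "****" + digits[-4:]
        return m.group(0)   # not a card number, leave it alone
    return PAN_PATTERN.sub(repl, record)


def records_with_full_pans(records) -> list:
    """The check a reviewer would run over a file: which records still hold a full card number?"""
    return [r for r in records if find_pans(r)]


if __name__ == "__main__":
    for r in records_with_full_pans(SAMPLE_RECORDS):
        print("FULL PAN ON FILE:", r)
    for r in SAMPLE_RECORDS:
        print("scrubbed:", scrub_record(r))
```

Running the script over a real export (a CSV of orders, a mailbox dump) turns the policy "no full numbers on file" into something you can verify rather than assume; records the scanner flags are the ones that need to be scrubbed and whose intake process needs fixing.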
At a time when fraud and security breaches are on the rise, it is important that all employees are aware of the need to secure your members' data. This education starts with the administrative assistant or clerk who receives credit card information for processing and continues up to the IT department, which needs to make sure the data is being stored and transmitted properly. A few hours of work (and maybe a few dollars) to evaluate your system and implement proper internal controls can pay dividends down the road.
Jacqueline Bryant is a partner in Tate & Tryon’s Outsourcing Services practice and can be reached at [email protected].