More and more small businesses are beginning to accept credit card payments from their customers, both online and offline. As with any business that processes, stores, or transmits payment cardholder data, small businesses are responsible for adhering to PCI DSS standards in order to keep their customers' card information safe. This includes implementing processes and software for properly managing cardholder data, keeping firewall and virus protection programs up to date, and properly training employees on compliance standards. Compliance is more than just adhering to industry regulations – it also helps you earn the trust of your customers and lets you offer different payment options to remain competitive.
What is PCI?
Payment Card Industry (PCI) compliance refers to a set of standards designed to protect cardholder information; the exact requirements vary depending on the size of your company and the number of credit card transactions you process. The PCI Data Security Standard (DSS) consists of 12 requirements that spell out what is needed to meet compliance, and they should be reviewed on a regular basis. These 12 requirements can be grouped into 3 ongoing steps:
- Assess: Regularly review your company’s IT assets and processes for managing credit card transactions for any vulnerabilities.
- Remediate: Implement policies and systems to address and manage these vulnerabilities.
- Report: Submit records and data to appropriate payment brands in order to confirm your company’s remediation.
One of the most critical steps in maintaining compliance is protecting stored cardholder data, and unfortunately, this is one area that does not always get the attention it deserves. A classic example of this is when employees receive credit card information from a customer by phone and then proceed to record the information in a spreadsheet or other unencrypted database. Even if the plan is to eventually copy this information into an encrypted database, this task often gets ignored, leaving the data vulnerable to security breaches and hackers as employees get busy dealing with other customers and tasks. Managing cardholder information in this manner violates PCI Standards, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and very likely also puts you in violation of your merchant agreement. These infractions can result in fines, penalties and even the termination of your right to accept credit cards – in addition to the loss of sales and customer confidence in your company’s ability to protect their data.
In order to avoid this type of situation, managers must implement proper processes for accepting credit card information, employees must be trained on meeting PCI compliance, and any accounting software or programs used for storing card data must provide encrypted databases. Some companies may practice compliance by maintaining a secure, locked, paper-based file system of account numbers – however, employees often disregard these policies during their daily routine, as it can be a time-consuming process. A better solution is to implement proper accounting software that includes completely separate, encrypted databases for storing this type of sensitive cardholder information. Implementing a proper system will require transferring all credit card information that your company previously stored in unencrypted fields into a secure database. Finding a system with consultants who are knowledgeable in this area will help make the set-up and data migration process go smoothly.
Protecting sensitive cardholder data is just one important aspect of achieving full compliance with PCI DSS standards, and should be addressed and reviewed along with all other requirements on a regular basis.