COVID-19 Related Cybercrime and PCI Compliance: The Importance of Securing Credit Card Data
COVID-19 (Coronavirus) has caused all of us to rethink and revise the way we do business and the way we live in general. In the new environment where a majority of the workforce is working remotely, and businesses and consumers are making purchases online versus in a store, the opportunity for cybercriminals looking to phish, attack, scam and steal money or data increases.
For some businesses, accepting credit cards as a form of payment from their customers is now a necessity. Whether you are new to accepting credit cards, or it’s always been a natural part of your business, keeping cardholder data secure should be a top of mind priority. This means being PCI Compliant.
What is PCI Compliance?
The Payment Card Industry Data Security Standards (PCI DSS) is a set of regulations created by the major card brands to make transactions more secure and to protect them against identity theft and fraud.
Any merchant that wants to process, store or transmit credit card data is required to be PCI compliant, according to the PCI Compliance Security Standards Council.
There are 12 main PCI DSS requirements that all merchants must meet, regardless of their size or the number of transactions they process.
|GOALS||PCI DSS REQUIREMENTS|
|Build and Maintain a Secure Network||1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect Cardholder Data||3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a Vulnerability Management Program||5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
|Implement Strong Access Control Measures||7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
|Regularly Monitor and Test Networks||10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
|Maintain an Information Security Policy||12. Maintain a policy that addresses information security for employees and contractors|
Additional regulations may be required depending on the number of transactions that are processed annually, but generally, most small-to-medium sized businesses fall under Level 4 which is less than 20,000 transactions per year, and the largest merchants fall under Level 1, processing more than 6 million transactions per year.
Level 4 merchants (processing less than 20,000 transactions annually) must complete a Self-Assessment Questionnaire (SAQ) through a Qualified Security Assessor. Most often, this service is offered through a partnership with your credit card processor at a significantly reduced cost. There are many advantages to going through the processor preferred vendor.
What if I’m not PCI Compliant?
PCI Compliance is not a law; however, it is a universally required set of regulations that all card brands mandate that you follow in order to avoid financial penalties. Most processors will tack on non-compliance fees to your merchant statement for not becoming compliant.
Not being PCI Compliant could potentially open your systems to a data breach. In 2019, the average cost per data breach in the U.S. was just over $8 million*. For most small businesses that means shutting the doors. Yes, that is the extreme, however there are also additional fines from the card brands that can reach $100,000 per incident. The fine amount depends on a company’s transaction volume, the number of PCI DSS requirements violated, and other factors. And you will need to pay it until you address the issue.
Being out of compliance can also be damaging to your brand. Data breaches can take years to recover from, if you recover at all. It’s better to comply with PCI standards.
Staying Out of The Scope of PCI Compliance?
PCI Compliance is more than just the system you are using to process credit cards.
You will often hear credit card processors or software vendors say their system will keep you out of the scope of PCI Compliance. In my opinion, this is dangerously misleading. Remember, all merchants are required to be PCI Compliance. Yes, their system may be certified, it may keep cardholder data secure when it’s being used, but what’s to stop someone from writing a credit card number down on a sticky note or keeping an unencrypted spreadsheet full of credit card numbers?
To stay assured that PCI compliance is handled properly and that both yours and your customers’ data is safeguarded against potential breaches, pick a payment provider that meet all the PCI Level 1 compliance standards — the highest PCI level with the strictest requirements.
PCI DSS for merchants can be an extremely technical subject, but don’t get frustrated or give up. We are here to help. We have resources to guide you through the PCI certification process and a payment processing partner with PCI Level 1 compliance standards.
If you’re concerned or unsure about not being compliant or have questions about how to become compliant, reach out to us to setup a conversation.