It has become commonplace for consumers to purchase goods and services with debit or credit cards rather than cash. However, this convenience may not only expose consumers to potential risks, but your business as well. To help protect both your company and your customers, as well as remain compliant, it is critical that your company understands the payment card industry data security standards (PCI DSS).
PCI DSS Overview: What You Need to Know:
The PCI DSS is a set of requirements designed to ensure that all entities that process, store or transmit payment card information maintain a secure environment. The PCI DSS establishes a minimum set of requirements for protecting cardholder data. Whether you process one credit card per year or 1 million, you must follow the PCI DSS.
In addition, local laws and regulations may require specific protections for personal information or other data elements. Therefore, the PCI DSS does not supersede or replace local or regional laws, government regulations or other legal requirements.
Failure to comply with the PCI DSS could jeopardise customer relationships following a data breach. Brand loyalty and trust can be easily lost—especially when you are responsible for protecting personal data from cyber-criminals. There are 12 high-level PCI DSS requirements:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data.
- Do not use supplier-supplied details for system passwords and other security parameters. Protect Cardholder Data
- Protect stored data (use encryption).
- Encrypt transmission of cardholder data and sensitive information across public networks. Maintain a Vulnerability Management Programme
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications. Implement Strong Access-control Measures
- Restrict access to data by an individual need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data. Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes. Maintain an Information Security Policy
- Maintain a policy that addresses information security.
For more specific information on PCI DSS compliance, click here. Please be aware that this guidance is not an adequate substitute for contacting a specialist and implementing your own PCI DSS programme standards. Experts recommend that you contact your acquirer, which is the entity that issued your payment processers, to clarify steps towards compliance. Failure to comply with the PCI DSS could jeopardise customer relationships following a data breach.
Payment Card Industry Compliance
The Benefits of Accepting Payment Cards:
If you do not currently accept payment cards, there are many benefits of allowing them. They can:
- Legitimise your business and help you build a sense of trust with customers.
- Expand your customer reach and boost revenue.
- Increase the likelihood that customers will make an impulse purchase.
- Encourage customers to make larger purchases.
- Get processed faster than money orders or checks, which may provide a boost to your cash flow.
Additional PCI Services to Consider
- Address verification service and card security service: These fraud prevention tools are installed in a payment card terminal and used to detect common types of card-not-present fraud.
- Code 10: If employees are suspicious of a cardholder, the payment card or the circumstances concerning the purchase, they can make a Code 10 call to your card authorisation centre. The operator will then guide them through a series of ‘yes’ or ‘no’ questions to help them determine the best way to navigate the situation.
- Dynamic currency conversion: This service offers holders of foreign-issued payment cards the option to be charged in their native currency at the point of sale by using up-to-date currency exchange rates, or to pay in pound sterling.
- Multi-currency: This service allows your company to accept non-sterling transactions, which is especially useful if your company intends to accept online transactions from international customers.
- Recurring transactions: Your company has the ability to set up recurring customer payments.
Potential PCI Risks
Despite the ways in which accepting payment cards can help your business, it is not risk-free. It is important to understand risks your company could encounter:
- Untrained employees: Staff should understand the rules for accepting cards—untrained staff can make mistakes and cost you money.
- Counterfeit cards: Generally, the magnetic strip on counterfeit payment cards will appear rough and not work when swiped at the terminal. Also, the shape and format of the numbers may appear incorrect. Not spotting fake cards can be costly.
- Failing to match signatures: Employees should check that the cardholder’s signature matches the one on the back of the card when necessary.
- Storing cardholder data: All cardholder data must be encrypted, stored and transferred securely. Neglecting to do so could ruin your business.
- Authorising false refunds: Fraudsters often try to obtain cash refunds for card transactions. Ensure that all staff know how to correctly make refunds, or risk being responsible for pricey chargebacks.
Mitigating Potential PCI Risks
- Provide thorough training on properly handling payment card transactions. This could include what to do if a customer or payment card seems suspicious, and the process for accepting returns.
- Review the PCI DSS requirements annually to ensure your compliance. Use the PCI DSS annual compliance checklist, which can be found here.
- Choose a payment card system password that is at least seven characters long, with both upper and lowercase letters, symbols and numbers. Reset your password at least every three months.
- Incorporate additional PCI services to adequately protect your business and your customers’ data.
The above list is not comprehensive, but it should provide your company with an idea on how you could incorporate additional risk prevention processes.