Are You PCI DSS Compliant?
Credit card transactions happen millions of times per day. As business owners, you and your employees handle credit cards on a daily basis, but do you know if you’re handling them securely? Payment information in the wrong hands is a truly scary situation. Unfortunately, hackers and identity thieves have gotten really good at stealing this information. This fact puts a lot of pressure on you as the business owner. You don’t want to end up as front-page news because your customers’ payment information was stolen — not exactly good for public relations.
So how do you know that the credit cards you are swiping at your business are going to be secure? How do you know that you are compliant with the Payment Card Industry Data Security Standard (PCI DSS)? What are the PCI DSS standards?
“I remember, about 10 years ago, you would swipe your credit card, and it didn’t matter where you were conducting business, your full credit card number and the expiration date were on your receipt,” said David Nathans, information security consultant in Bedminster, New Jersey. “Obviously, it can become difficult to keep track of your receipts, which means it’s also very easy to pick up receipts and have all the payment information you need to purchase items with someone else’s money. For this reason, in large part, PCI was born.”
The PCI Standards Security Council is an open global forum, launched in 2006, that is responsible for the development, management and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS) and PIN Transaction Security (PTS) requirements.
All payment processors that are PCI-compliant are listed on the organization’s website: www.pcisecuritystandards.org
“One of the first things that operators should do when researching a payment processor for their business is look them up on the PCI website,” said John South, chief security officer for Heartland Payment Systems. “If a vendor is highlighted in green, it means they are validated for the year, because validation is annual. If they are highlighted in yellow, it means their validation has expired and is pending renewal, and if they are highlighted in red, they are no longer validated as PCI-compliant. This is an easy way to assure yourself that the company you choose is going to be serious about security.”
The number of hoops you have to jump through to be PCI-compliant depends on several factors.
“Three things dictate how you will have to comply with PCI security standards: your business, card companies such as Visa and MasterCard, and the bank your payments are going through, i.e., your payment processor,” Nathans said.
Compliance levels differ based on transaction amounts, as well.
“If you process six million credit cards a year, you must have an outside company come and audit your business; however, if you are a small business doing less than 200,000 transactions a year, with just one credit card company, then the requirements for compliance are minimal.”
Other variables can factor in as well, such as your credit card machine. If it is separate from your cash register, compliance requirements are less intense. If your credit card machine is connected to your cash register, and thus to your point-of-sale system, there will be more requirements for your entire computer system.