The official governing body of PCI Compliance is the PCI Security Standards Council and their website is www.pcisecuritystandards.org.  According to their website, meeting PCI DSS (Payment Card Industry Data Security Standards) "means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role to make sure your customers' payment card data is being kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches."

If you are a large business with both retail and internet sales, you probably are already familiar with PCI Compliance and why it is important...just ask Target. They had a program in place and they still had a breach. The reason I bring this up is that being PCI DSS compliant does not guarantee that you will not have a breach. It helps prevent a breach and hopefully will help reduce fines imposed by the card associations in the event you have a breach. That's right, the card associations, Visa, MasterCard and Discover for example, are the ones that impose the fines if you have a breach, not the PCI Security Standards Council. Clear as mud right?! The council is there to help you become compliant and understand compliance, not to enforce compliance.

So, what does it mean to be PCI Compliant as a small business owner? 

If you do not touch the internet:

If you do not accept cards through the internet, say you only have a standalone credit card terminal that connects through an analogue phone line, you still have to be compliant. The basics are as follows...you need to make sure your credit card terminal has regular PCI encryption updates, you need written policies regarding who can handle credit cards and process payments in your workplace, you also need a written plan for the unlikely event of a breach, you need training materials for employees to teach them how to handle credit card information and you need to make sure that if you do store customer's credit card information, that it remains in a locked area that is not easily accessible to customers or non-credit card handling employees.  The full list of requirements can be found on the PCI council's website, but these are the basics. Remember, fraud can be both external and internal.

This level of compliance requires you to either partner with a qualified PCI assessor (found on the council website) or you can self-assess by downloading the most recent SAQ B form on the council website under documents. NOTE...check with your processor first. Some processors do not allow you to self assess and require you to use their preferred vendor. This is usually because they want to profit from your compliance. My company does not profit from compliance and we allow our clients to choose whomever they want for compliance.

If you do touch the internet:

If your customer's credit card information touches the internet in any way, you will need a higher level of protection. Self-assessment is still an option, but you will have to find a qualified scanning vendor that will scan your system quarterly for vulnerabilities. Check the council website to see if your current IT or web hosting company offers this service or if they have a preferred vendor that is qualified by the council. This level of compliance is in addition to all of the requirements of the SAQ B. You need to make sure you do not have any internet vulnerabilities. This is how Target was breached, through the internet.

Many small business owners believe that they are unlikely to experience a breach. The fact is that the vast majority of breaches happen to small business owners...sad but true. With fines in the $40k range (and up) it is a good idea to take the time to make sure you are compliant. I personally believe it is worth the $40 - $125 a year cost to have a certified PCI assessor make sure that I am compliant. It is a necessary evil and a cost of doing business.

The 2013 Target Breach:

Little is known right now about the Target breach other than their system was breached.  Cyber thieves stole card data from the magnetic strips between November 27th (Black Friday) and December 15th. Over 40 million customers credit and check card information was stolen. Target has a PCI compliance program. This can happen to anyone. Target is reacting very well and has hired a forensics company to help with the breach. The Secret Service is also performing an investigation.

If you shopped at Target during this time I recommend you keep an eye on your credit report, check your credit card account and bank accounts daily and possibly even cancel the cards used and order replacements. If you notice any activity, report it to your credit card company or bank (whichever applies) immediately.

 


Comments


Your comment will be posted after it is approved.


Leave a Reply