The credit card has long been the payment method of choice due to its convenience, its portability and its universality. However, the prevalence of plastic has also created a window of access to cardholders’ data, which has resulted in a spike of identity theft and fraud offenses over recent decades. Many merchants remain unaware of the fact that the magnetic strip on the back of every credit and debit card contains such information as the cardholder’s name, billing address, and all other account numbers, expiration dates and security codes necessary to authorize purchases. All of this information is stored in the merchant’s database, which, without the proper security safeguards, can easily fall into the hands of hackers. Therefore, merchants need to remain aware of the security protocols required to protect their customers’ confidential information.
In the fall of 2006, major credit card companies joined forces in hopes of configuring a streamlined set of security standards that, when utilized by merchants, would seal off any remaining access to unauthorized data. The outcome is the PCI DSS (Payment Card Industry Data Security Standard), a set of regulations intended to be followed by any and every merchant responsible for the processing, storing and/or exchanging of credit card data. When complied with, the Data Security Standard ensures the protection of all customer information throughout the transaction process and following the completed transaction.
VR Interactive is recommending that all of our clients review their credit card systems and consider the value of becoming PCI compliant. Read on to learn about the benefits of implementing this program with your own company.
- Why should my business become PCI Compliant?
- What are the PCI Regulations?
- What kind of expenses are associated with PCI compliancy?
- How important is it that small merchants comply?
- Want to learn more?
Why should my business become PCI Compliant?
These data security standards were devised to help merchants, no matter their size or volume of credit card transactions, avoid credit card fraud through improved regulation of information and its vulnerability to threat. Compliance with the PCI standard ensures that companies are providing the strictest information security available for their customers’ protection. Following these guidelines guarantees that the merchant will avoid the high costs associated with credit card fraud and data violation, and will preserve the right to process credit card payments. Any merchant that chooses not to follow these regulations runs the high risk of accumulating fines associated with a security breach and of losing the privilege to process credit card payments.
What are the PCI Regulations?
The PCI has specified twelve requirements necessary for complete compliance, organized into six categories:

| Category | Requirement |
|---|---|
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware |
| | 6. Develop and maintain secure systems and applications |
| Implementing Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Assign a unique ID to each person with computer access |
| | 9. Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security |
What kind of expenses are associated with PCI Compliancy?
A recent study broke down the costs of becoming PCI compliant into three major categories: Upgrading Infrastructure, Verifying Compliance and Sustaining Compliance. The first cost relies heavily on the merchant’s existing infrastructure. While larger companies often already possess much of the necessary software, smaller merchants may find themselves lacking when deciding to become compliant. Therefore, the process of purchasing the needed software and employing an IT professional to install and maintain it over time can be costly. The other expenses, which may not seem evident from the get-go, are those that arise not only from the security assessments required by the PCI Security Standards Council, but also from the maintenance of the standards, which is a key step to guaranteeing PCI compliance. It is important to note that although the cost of becoming PCI compliant may appear rather high, the cost of non-compliance can easily be twenty times that of complying. For further detail on the costs associated with becoming PCI compliant, be sure to read PCI Compliance Analysis: A Justified Expense by Solidcore Systems.
How important is it that small merchants comply?
According to the PCI Security Standards Council, it is necessary that every merchant, no matter its size, comply with the PCI standard. Oftentimes it is the smaller merchants who fall prey to information hacking. According to Visa USA Inc, as of 2005, over 80% of the cases of illegal access to credit card information have been connected to smaller companies who remain unaware of the importance of securing credit card information and of the regulations required to truly do so. In spite of these facts, another Visa survey, which interviewed 600 merchants with fewer than 250 employees, discovered that “52% of them were storing sensitive customer information”. Therefore, it is crucial that all merchants comply with these standards in order to avoid not only the extreme costs associated with facilitating unauthorized access to data, but the ultimate possibility of being put out of business.
Want to learn more?
- PCI Security Standards Council: About the PCI Data Security Standard
- PCI Compliance Guide: FAQs and Myths
- Wikipedia: Payment Card Industry Data Security Standards
- PCI Cost Analysis Report: A Justified Expense
- Q&A: Head of PCI council sees security standard as solid, despite breaches
- In Data Leaks, Culprits Often Are Mom, Pop: Credit-Card Industry Tries to Add Safeguards, Honest Errors Common