It is in a merchant's best interest to remain PCI compliant in order to reduce the risk of a data breach that could compromise sensitive cardholder information. We'll explain the basic concepts of PCI and why staying PCI compliant in day-to-day operations is important for a business's protection.
The Risks Involved If You Are Not PCI Compliant
Merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage and more, should a breach event occur. With a little upfront effort and cost to comply with PCI, you greatly reduce your risk of facing these extremely unpleasant and costly consequences.
To Become PCI Compliant
You would have to complete a Self-Assessment Questionnaire (SAQ). The SAQ consists of 60-100 questions that will help you understand correct PCI processes on an intuitive level. For example:
“Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?”
At its core, this question tells you how hardcopy materials are supposed to be disposed of in a PCI compliant way. Each question provides clarification and guidance, as well as helping to establish internal processes for the merchant's employees.
You would also need to complete vulnerability scans every 4 months along with completing the SAQ. Pivotal Payments' Online Interactive portal partners with qualified security assessors approved by the card associations to run these scans. The Qualified Security Assessor (QSA) runs the scan, detects any possible points of intrusion, and produces a report on compliance. All of this is done to safeguard against data breaches that could expose sensitive information.
Basic Recommendations on How to Keep Your Business PCI Compliant
The PCI Security Standards Council offers a few sound suggestions on its website, which summarize the essentials well:
- Create a culture of awareness and educate employees on a continuous basis. This is an easy-to-implement measure that is also critical to the business's security well-being. Each person who interacts with sensitive data or the systems that handle it must be educated on the common tactics hackers use to steal information. In addition, it's crucial that each employee understands the role they play in the business's data chain.
- Designate a PCI champion. Even if your business doesn’t have a dedicated IT group, it will benefit from someone being formally assigned the role of understanding and monitoring basic security functions. This assignment carries with it the responsibility to keep business systems current with the latest patches and updates, as well as to consider the security impacts of website and physical POS changes.
- Avoid storing payment information whenever and wherever possible. Whether accepting customer payments over the phone, by fax, in person or online, it is always a best practice to immediately process that information and purge any remnants such as paper copies. Businesses that store payment information, either in hardcopy or electronic form, are putting themselves at a much more significant risk of breach. Encryption and tokenization solutions should also be employed to maintain the security of data in motion and at rest.
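As an added illustration of the "avoid storing payment information" and tokenization recommendation above (example code written for this page, not code from Pivotal Payments or the PCI Security Standards Council), the following Python sketch keeps only a token and a masked PAN in the merchant's own order record, and includes a simple Luhn-based check that can be run over stored records or log lines to catch a full PAN that slipped through. The `TokenVault` class, the `tok_` token format and the order record layout are assumptions; in practice the vault is the payment provider's hosted, encrypted service, and the card numbers used here are constructed standard test values.

```python
import re
import secrets

# Constructed sample values: 4111111111111111 is the well-known Visa test PAN;
# 4111111111111112 is the same string with a broken check digit.
SAMPLE_PAN = "4111111111111111"
BAD_PAN = "4111111111111112"


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: a cheap filter that rejects most digit runs that are not card numbers."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical token vault: a stand-in for the provider's encrypted, access-controlled store.

    The merchant never keeps the PAN; it keeps the token and asks the vault when a refund
    or recurring charge genuinely needs the card."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        token = "tok_" + secrets.token_hex(16)   # random, so it reveals nothing about the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Process the payment data immediately and retain only token + masked PAN (assumed layout)."""
    token = vault.tokenize(pan)
    return {"amount_cents": amount_cents, "token": token, "pan_masked": mask_pan(pan)}


# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_pans(text: str):
    """Return Luhn-valid digit runs in text: a leak check for stored records, exports or logs."""
    hits = []
    for m in _PAN_RE.finditer(text):
        candidate = re.sub(r"[ -]", "", m.group())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, SAMPLE_PAN, 1999)
    print(order)                                              # no full PAN in the stored record
    print(find_pans("note: customer read 4111 1111 1111 1111 over the phone"))
```

Running `find_pans` over the merchant's own order records, CSV exports and application logs is a practical way to verify that the "purge any remnants" advice is actually being followed; any hit is a place where cardholder data is being stored outside the vault and should be removed.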
Many breaches are preventable: most still tend to be unsophisticated and can be repelled with strong basic defenses. Start with vulnerability scanning, but consider adding network penetration testing as soon as possible. If you have developed web applications, this is even more critical.