Companies of all types and sizes accept credit card payments; in fact, it’s a nearly universal business practice these days. If you intend to accept card payments and transmit that data, then compliance with the Payment Card Industry Data Security Standard (PCI DSS) is absolutely mandatory.
PCI compliance ensures that your customers’ credit card data will be protected at all times, from the moment that the information enters your system. In fact, the PCI Security Standards Council outlines twelve requirements to meet a variety of security goals:
- Install and maintain a firewall to protect data.
- Create, maintain, and update your own system passwords rather than keeping the defaults left in place by a software vendor.
- Protect stored data via multiple layers of defense (some companies do not store cardholder data and are exempt from this requirement).
- Encrypt the transmission of data.
- Use and maintain anti-virus software.
- Develop and maintain secure systems and applications.
- Restrict access to data within the company.
- Assign a unique ID to each employee with computer access.
- Restrict physical access to data, including data stored off-site (PCI compliant data centers should include full monitoring).
- Track and monitor all access to network resources.
- Regularly test security systems.
- Maintain a company-wide information security policy.
As you can see, PCI DSS requirements cover every point in the transaction process. The Payment Card Industry Data Security Standard was created to reduce credit card fraud through these strict controls.
Compliance with PCI standards is important to reduce the risk of liability. Any time you accept credit card payments, your customers’ data is vulnerable to theft at multiple points during the process. If your company loses data for any reason, the fallout from that loss can include lawsuits, loss of reputation, and more. Avoiding compliance with PCI DSS is simply not worth it.
Aside from the resulting public relations nightmare in the event of a data breach, the payment brands (Visa, Mastercard, etc.) may impose fines between $5,000 and $100,000 per month, and your bank may terminate your relationship. While you might not hear of these penalties often (because they are rarely publicized), they can be disastrous to a smaller business.
We can help with many points on the PCI DSS requirements list. Give us a call, and we can help to ensure that you are storing and transmitting sensitive credit card data appropriately. A few simple measures can protect both your livelihood and that of your customers!