Handing your credit card to a cashier, repeating your credit card information over the phone to a customer service representative, or entering your information online ... these moments require your trust and confidence that any charges arising from the transaction will be legitimate. Correspondingly, as a merchant, you have a duty to ensure that consumers' credit cards will be charged correctly and that their account information will remain safe and secure from any unauthorized access. One important protective bulwark in credit card security is the payment card industry's (PCI) data security standards (DSS).
All businesses that store, process or transmit payment cardholder data from Visa, MasterCard, Discover, American Express and JCB (a Japanese credit card issuer) must be PCI-compliant. These standards, which also cover the use of debit cards, are administered by an independent PCI body called the Security Standards Council (SSC). Although this is not a government entity, the SSC has the power to levy fines of up to $100,000 on banks that accept non-compliant PCI DSS payments. Those financial institutions will almost always pass the fines along to the merchant at fault ... as provided by their merchant account agreements. Also, at the financial services providers' discretion, other penalties may include card-replacement costs, and costly forensic audits. Plus, if a breach actually occurs, the merchant will suffer damage to the company brand from the resulting bad publicity... along with any further penalties or breach remediation costs.
What's important to understand is that PCI DSS and penalties for noncompliance are in place to prevent security breaches, meaning that a merchant could be at risk of a fine even if there are no customers who actually have their credit card information compromised. Simply putting cardholder data at risk constitutes a violation. Rules require merchants to make sure it's impossible for unauthorized parties to acquire a full credit card account number along with any of the following: cardholder name, expiration date or service code. Additionally, such security elements as magnetic stripe data and PINs must also be protected.
One critical security measure required for PCI DSS compliance is a 'vulnerability scan' that checks merchant payment systems for weaknesses which could be exploited by hackers or criminals. Vulnerability scans employ an automated tool that remotely reviews networks and Web applications based on external-facing IP addresses as provided by the merchant or service provider. These scans must be performed every 90 days by a PCI SSC-approved vendor.
The proper attitude here, however, should not be to wait for a vulnerability scan to identify a risk to financial data, but to make sure that vulnerabilities never exist. A good analogy would be that of a man walking into an important meeting with his zipper unzipped. While he would appreciate being told right away about his 'wardrobe malfunction,' he most certainly would rather avoid that embarrassment altogether.
It's always the large companies (i.e. Target, Neiman Marcus ... etc.) that make the headlines when consumers' credit card information gets compromised, but small businesses may in fact be more attractive as hacker targets. The simple fact is that small businesses often lack the IT resources, infrastructure or operational experience of large enterprises in regard to keeping their customers' credit card information secure.
Companies that subscribe to The SynchroNet Way can request our assistance to achieve (and maintain) PCI DSS compliance. We are ready and able to act as your 'PCI Champion' in understanding and monitoring IT security functions, and we can help you establish a safe and secure transmission and storage architecture for your customers' payment card information.