Pay Now or Pay Later: PCI
Among all of the issues and decisions business owners face every day, dealing with credit card security is usually not at the top of the list. It should be. The risks associated with ignoring card association rules and regulations can range from loss of reputation to financial ruin.
According to the Open Security Foundation's DataLossDB website, more than 127 million personal information records were exposed in 2007 during more than 400 data breach incidents. While the majority of those incidents did not include cardholder data, statistics indicate cardholder data breaches are on the rise. And fraudsters are increasingly targeting small and medium businesses to gather cardholder information.
In response to the growing threat, the major card brands joined together to create the Payment Card Industry Data Security Standard (PCI DSS), a set of protective measures that includes requirements for security management, policies, network configuration and software design. Any organization that stores, processes or transmits cardholder data, from large companies to small businesses and nonprofits, must comply with PCI DSS. The standard is maintained by the PCI Security Standards Council (PCI SSC).
Compliance validation requirements vary with a business's annual transaction volume. Larger businesses (Level 1 and Level 2 merchants, with more than 1,000,000 transactions, and Level 3 merchants, with 20,000 to 1,000,000 e-commerce transactions) have more validation obligations. Depending on their level, these businesses must file compliance reports, complete a Self-Assessment Questionnaire (SAQ) and quarterly network scans by an Approved Scanning Vendor (ASV), or undergo an annual on-site assessment and receive validation of their PCI DSS status from a Qualified Security Assessor (QSA) or a certified Internal Security Assessor (ISA).
Level 4 businesses (those with fewer than 1,000,000 transactions per year, including fewer than 20,000 e-commerce transactions) are still required to comply with the PCI DSS; only the validation requirements differ, and those are set by each acquirer. Validation matters even when the acquirer does not demand it, because a business that experiences a breach must be able to prove its systems were PCI DSS compliant at the time. A business found to be non-compliant may also face hefty fines, potential litigation and other punitive measures.
Proving PCI DSS compliance after a breach can be costly. The card brands can require a forensic investigation by an approved forensic investigator to determine what happened and how much cardholder data was exposed, and such an investigation can cost up to $20,000.
For Level 4 businesses unsure of their PCI DSS status, the first step is to confirm that the third-party service providers, payment applications and PIN Entry Devices (PEDs) you use have been validated as compliant. You should also make sure your processor/acquirer is PCI DSS compliant. Visa keeps a list of validated service providers, payment application software and PEDs on its website at www.visa.com/cisp.
Qualified Security Assessors are available to help business owners who lack in-house technical expertise. QSAs provide data security and PCI compliance services that help merchants determine whether they are compliant and, if not, what is needed to achieve compliance. The PCI SSC keeps a list of QSAs on its website at www.pcisecuritystandards.org.
As stewards of the industry, it is up to all of us — processors, acquirers, issuers and businesses — to ensure cardholder data is secure through every step of the transaction process. Failure to do so reflects badly on us all, and can lead to cardholder mistrust, litigation, fines, and for some, bankruptcy and the loss of their business.