PCI DSS: what is it and why it matters to you

Key to the success of any business is accepting payments for goods and services. Whatever your business and however you trade, every credit or debit card transaction you process involves sensitive cardholder information that has to be stored and transmitted securely. With this in mind, card schemes such as Visa and MasterCard insist you comply with the Payment Card Industry Data Security Standard (PCI DSS) to make sure both your business and your customers are protected from the ever-present threat of card fraud.

What is PCI DSS compliance?

In short, PCI DSS is a common set of industry controls and measures to help ensure the safe handling of sensitive cardholder information by merchants of any size.

The objective of becoming compliant with PCI security standards is to help protect sensitive cardholder data from data thieves who are shifting their sights to small merchants because they think they are easier targets. If your business is not PCI compliant, you could be putting your business at greater risk from the growing threat of payment card data breaches and theft, which may result in substantial penalties (such as fines from banks, regulatory agencies, and card organisations), fraud and chargebacks, as well as legal costs and lost customers.

Sensitive cardholder data can be anything from the data held on the magnetic stripe or chip to the numerical details printed on the card, for example the Primary Account Number (PAN), which can enable a fraudster to impersonate the cardholder. Key to PCI DSS compliance is securing the places this cardholder information can be stolen from: a compromised card reader, paper stored in a filing cabinet, a poorly secured database, or even a covert tap into your wireless network. Small businesses in particular are prime targets for fraudsters, as they are often perceived as having less sophisticated systems in place.

Why should I become compliant?

It is important to note that it is the responsibility of the business owner to ensure that cardholder information is thoroughly protected. If cardholder data is stolen and you have not shown yourself to be PCI DSS compliant, you could face a number of consequences, such as:

  • losing the ability to accept card payments
  • fines and penalties
  • loss of confidence from your customer base
  • higher subsequent costs of compliance

…all of which could ultimately lead to going out of business.

Where do I start?

While PCI DSS compliance sounds daunting, it needn’t be hard work. That said, it is important to understand that the process is ongoing rather than a one-off tick-the-box exercise: your business will change over time, and there is a continual need to stay ahead of evolving fraud techniques.

To comply with PCI DSS your business must meet 12 specific requirements, which cover security management, policies and procedures, network architecture and software design. Which requirements apply depends on how your business accepts payments, but an example would be proving you have implemented and maintained a secure network that is regularly tested.

To assess and prove you meet the 12 requirements, and in turn achieve compliance, most merchants can fill in a self-assessment questionnaire, which is available from the PCI Security Standards Council website. The questionnaire you fill in depends on the type of payments you accept: for example, a merchant who accepts payments over the internet will answer a different set of questions to one who accepts in-store payments. Many merchants prefer to use an online PCI tool offered by a merchant acquirer, as they may find the PCI DSS compliance process an overwhelming task to deal with alone. PCI online tools are generally designed to provide a digestible, jargon-free, step-by-step programme that guides merchants through self-assessment and supplies information to help them become, and remain, compliant.

Helpful hints

Below are some tips to help get you started:

  • Make sure your employees understand the importance of protecting cardholder information and the consequences to your business of not doing so
  • For both face-to-face and online transactions, only use authorised point-of-sale terminals and payment software. If you are unsure, check the PCI Security Standards Council website for the approved list
  • It might sound obvious, but do not write down or store any sensitive cardholder information on computers or paper
  • Make sure your PCs and wireless networks are firewalled, password protected and encrypted
  • Regularly check your point-of-sale devices and PCs for skimming devices or rogue software
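The third hint (do not store cardholder information) is easier to follow when you can check whether a PAN has slipped into logs or files. The following is an added example, not from the original article or any PCI tool: it finds Luhn-valid card-number candidates in text and masks them to the first six and last four digits (the most PCI DSS allows to be displayed). The sample log lines are constructed, and the card number is the well-known Visa test number.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or
# dashes, and not part of a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _as_pan(match) -> str:
    """Strip separators; return the digits if they look like a real PAN, else ''."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_valid(digits) else ""

def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN (digits only) found in text."""
    return [p for p in map(_as_pan, _CANDIDATE.finditer(text)) if p]

def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact(text: str) -> Tuple[str, int]:
    """Replace each PAN in text with its masked form; return (text, count)."""
    count = 0
    def _sub(m):
        nonlocal count
        pan = _as_pan(m)
        if not pan:
            return m.group(0)    # not a PAN (e.g. an order id): leave it alone
        count += 1
        return mask_pan(pan)
    return _CANDIDATE.sub(_sub, text), count

# Constructed sample: a 16-digit order id that fails the Luhn check, and the
# well-known Visa test number 4111 1111 1111 1111 leaked by a debug log line.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=1234567890123456 status=paid
2024-03-01 10:02:12 DEBUG card=4111 1111 1111 1111 exp=12/26
2024-03-01 10:03:40 DEBUG retry card=4111111111111111
"""
```

Running `redact(SAMPLE_LOG)` masks both copies of the card number and leaves the order id untouched, which is the distinction a cardholder-data discovery scan needs to make.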
