Customers have a wide range of options available to them these days when it comes to how they choose to pay for items in stores. Credit cards have far surpassed cash as the preferred payment method, and your business needs to ensure that you are protecting your customers’ sensitive data. You do this through what is known as Payment Card Industry Data Security Standard (PCI DSS) compliance. Here’s what you need to know to implement PCI compliance in your retail business.
What Is PCI Compliance?
Identity theft has become a major threat, and credit card companies took notice. The PCI DSS is the result of a collaboration between American Express, Discover, JCB, MasterCard, and Visa. These major credit card companies implemented a series of standards and best practices regarding the processing of credit card payments. This serves to protect not just the credit card companies, but their customers as well.
Who Needs to Be PCI Compliant?
Any business that accepts credit card payments, no matter the size of the company or the industry it is in, must comply with the PCI guidelines. It is important to note, though, that business volume does come into play in determining the specific requirements for compliance. This is based on the number of credit card transactions processed in the previous 12 months.
Businesses that process more than 6 million transactions each year will have the most stringent requirements. As is to be expected, those companies that process fewer transactions will have more lenient guidelines. There are four tiers in total, and the goal of this tiered system is to make it easier and more affordable for smaller businesses to remain in compliance.
What Is the Penalty for Non-Compliance?
Although PCI compliance is not a legal requirement, there are still penalties for not complying with the guidelines for your particular tier. You won’t face prosecution or jail time for non-compliance, but you could be forced to pay steep penalty fees. These fines can range from $5,000 to $100,000 per month for as long as your business remains out of compliance.
For larger companies, these fines may not seem like such a big deal. However, for a smaller business, a fine could mean the end of the business. Even though you are not legally bound by the PCI requirements, it is still in your best interest to follow the best practices to avoid paying these costly fines, not to mention the potential hit to your company’s reputation.
What Are the Requirements for Compliance?
The first step is to catalog and diagram your data environment. This includes things like networks, routers, computers, point-of-sale systems and other connected electronics. You’ll need to include any devices that interact with your customers’ credit card data. The diagram should demonstrate how that data flows through your system to ensure that all pathways are protected.
Once you have a firm understanding of how your data system works, you can then establish policies and procedures to maintain control over that data. You’ll need to deploy firewalls and encryption to protect the data at every stage of your system. The PCI DSS outlines the specific methods that are approved for this purpose.
Your policies also need to include language explaining the need for updating software and hardware passwords and configurations. The default settings tend not to be secure enough, making it easy for hackers and other data thieves to gain access to your system. You should always update the passwords and settings as soon as you install new equipment or software.
Finally, you’ll need to monitor your protocols on an ongoing basis. As thieves become more sophisticated, your defenses need to keep pace. Watch for any potential vulnerabilities in your system so that you can address them as quickly as possible. Thieves look for any potential access point, so time is of the essence in this case.
How Can You Monitor Your Compliance?
PCI DSS compliance can be a bit complicated, especially if you are unfamiliar with the task. Compliance management software can help you stay on top of any changes to the security requirements so that you can update your system right away. This software can analyze your system to detect any areas of non-compliance that you might have missed.
You’ll have access to reports and critical warnings in real time, making it easy to maintain your compliance over time. The faster you can respond to any threats and vulnerabilities, the less likely it will be that your business will be in the next data hack headline.
You’ll be able to store past reports to help in the event of a compliance audit. The more data you are able to provide about your efforts to remain in compliance, the easier it will be to get through the audit without having to pay a non-compliance fine.
Ken Lynch is an enterprise software startup veteran who has always been fascinated by what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity’s success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT. Learn more at ReciprocityLabs.com.