When data breaches hit large retailers, such as Target, we hear about it. Smaller businesses can have even more challenges when it comes to data security. As a retailer, it’s likely you accept credit cards as payment, and you can be susceptible to events that put customer information at risk. Consumers have become increasingly aware that breaches happen, and concerns about their data security can impact purchasing decisions.
To combat data breaches, the Payment Card Industry Data Security Standard (PCI DSS) developed a set of guidelines to help protect sensitive consumer data (via the PCI Security Standards Council) in 2006. Just more than 25 percent of companies are fully PCI compliant, following a decline in recent years, according to a Verizon 2020 Payment Security Report.
Not following PCI standards can come at a cost, not the least of which is losing customers. According to the Verizon report, 69 percent of consumers surveyed said they wouldn’t go back to a retail store after a data breach.
6 Steps to Ensure PCI Compliance
Many businesses aren’t even sure if they’re maintaining PCI compliance, according to fitsmallbusiness.com. A cybercriminal can exploit vulnerabilities in websites, firewalls and insecure remote access to acquire valuable credit card data. If you’re using the cloud, you can be even more vulnerable. Following are six steps you can take toward protecting your customer data.
1. Check Out Your Payment Technology
While cloud users might be more susceptible, the advantages of running your business using the cloud outweigh the risks. When choosing a payment gateway, make sure it is PCI compliant. Look for the ability to create dedicated user accounts and logins. Only the people who need access should be able to acquire consumer data, and you should be able to track who sees what. Two-factor authentication and point-to-point encryption are other good security features. Be sure to install all of your payment gateway’s patches and updates as they become available, so that known vulnerabilities don’t stay open. Nearly half of all businesses don’t change the vendor default settings, says the Verizon report.
2. Have Formal Processes in Place
According to PWC, approximately 37 percent of businesses that have a formal process to evaluate data involve their data privacy team. Your people responsible for ensuring data protection — even if that’s just you — should create processes for the rest of the business as well.
3. Complete the PCI Compliance Attestation
The Attestation of Compliance (AoC) is a document in which you (if you’re self-auditing) or a qualified security assessor (QSA) declares your business’s compliance level. The form should be completed, signed and submitted along with the self-assessment questionnaire (SAQ) and the approved scanning vendor (ASV) scan results. Businesses are expected to submit an AoC annually.
The PCI compliance requirement questions you’ll answer on these documents will cover: maintaining firewalls for business devices; changing vendor-supplied passwords; encrypting transmissions of consumer data; using updated antivirus software; protecting stored consumer data; restricting consumer data access; maintaining secure systems and apps; making cardholder data available only on a need-to-know basis; creating a unique ID for everyone with business computer access; monitoring access to network and consumer data; testing data security regularly; and maintaining a data security policy. If you use a third-party payment processor, most of these PCI compliance requirements are met. You also need to meet environmental PCI compliance, which includes firewalls, strong passwords and restricting access to cardholder data.
4. Prove PCI Compliance
You may have to pay for and schedule regular vulnerability scans with an ASV, which will assess how safely the consumer data you collect at checkout is handled.
An external vulnerability scan assesses your network’s security from the outside, looking for vulnerabilities in your firewalls and internet-facing systems, while an internal scan, which you can run yourself, looks for weaknesses behind those firewalls, inside your network.
5. Submit Your PCI Compliance Documentation
Send the required documents to the PCI DSS council, including a completed SAQ and proof of passing quarterly external scans. You can also hire a QSA, who can organize and submit for you.
6. Track and Test Your Systems
Data security and PCI compliance aren’t something you do just once. Make it a priority to test your security measures often. The PCI compliance requirements are straightforward, and meeting them isn’t nearly as costly as non-compliance, which can come with monthly fees, fines if there is a breach, and loss of consumer trust.