One of the standards that is often misunderstood is the Payment Card Industry Data Security Standard (PCI DSS). It encompasses the data protection requirements established by the major card brands for anyone who handles their cards.
Smaller companies may feel they don’t process enough transactions to worry about it, and others might think the third-party payment processor they work with carries the compliance requirement, not them. In both cases, they’d be wrong.
PCI DSS applies to “all entities that store, process, and/or transmit cardholder data.” So, even if you’re a small firm processing just a few credit card transactions a month, the standard still applies to you. And if you have any part in storing, processing, or transmitting credit card information, for instance if you take credit card details over the phone or at your office to key into a third-party merchant application, you still must be PCI compliant yourself. Outsourcing the payment processing reduces your scope; it does not remove you from it.
Through our Managed Security Services, Connect2Geek works with accounting and tax professionals in Nampa and the surrounding area to ensure solid network security and compliance with standards such as PCI DSS. We also try to clear up misconceptions about the standard so our clients can feel secure in understanding and meeting PCI compliance requirements.
We’ll go through the key requirements of PCI compliance below as well as discuss some of the penalties if a business is cited for non-compliance with this security standard.
PCI Compliance Requirements & Penalties Overview
It’s not uncommon for tax and accounting firms to accept credit or debit card payments from their clients. Some may even handle automated recurring payments for clients they work with regularly. You may even get asked yourself for advice on PCI compliance from a client that also receives card payments.
Knowing what the standard requires, and who enforces it, is vital to ensuring you don’t get hit with a penalty or a major data breach. The PCI Security Standards Council maintains and publishes the standard itself; the card brands and your acquiring bank (the merchant account provider) are the ones who hold you to it and levy any fines.
PCI in a Nutshell
PCI DSS is a set of security standards put into place by the major card brands (American Express, Discover, JCB International, MasterCard, Visa) to protect cardholder data from being breached or stolen.
The controls in the PCI Data Security Standard span both technical and physical security to ensure cardholder information isn’t exposed or misused. Some of the standard’s requirements include:
- Using only approved (PCI PTS-listed) PIN entry devices at the point of sale (POS)
- Never storing sensitive authentication data (full magnetic-stripe or chip data, the CVV2 security code, PINs) after a transaction is authorized, whether on computers or on paper, and rendering any stored card number (PAN) unreadable
- Using a firewall to protect your network and to separate the systems that handle card data from the rest of it
- Changing vendor default passwords on wireless routers and other devices, and using strong wireless encryption rather than relying on a router password alone
- Use of strong passwords
- Employee training
- Completing a Self-Assessment Questionnaire (SAQ), plus quarterly external vulnerability scans where your SAQ type requires them
PCI Penalties and Fines
The penalties for data breaches where it was found an organization was not in compliance with PCI DSS can be stiff. Besides the cost of the data breach itself (forensic investigation, card reissuance, and fraud losses charged back to you), PCI penalties can include:
- Fines, commonly cited at $5,000 to $10,000 per month, passed down from the card brands through your acquiring bank until compliance issues are addressed
- Potential of having your merchant account closed by the processor, leaving you unable to accept cards at all
- Increased audit requirements, such as being moved to a stricter validation level that requires an on-site assessment
What Things Should You Do to Meet PCI DSS Compliance?
Here is an overview of things you can do to comply with the PCI standard for protecting credit and debit card data.
Protect Stored Credit/Debit Card Data
Render cardholder data unreadable wherever it’s stored (strong encryption, truncation, or tokenization) and encrypt it whenever it’s transmitted over open or public networks, including the internet and wireless. Never retain sensitive authentication data such as the CVV2 code after authorization, even if it was written down when a client read it over the phone. Crafting a data-flow diagram from the time card data is received until it’s no longer needed and securely disposed of is a good way to address security throughout the entire process; it also shows you every system, spreadsheet, and log file where a card number could be lingering.
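A practical check that follows from the data-flow exercise above, and from the rule in the requirements list about never storing sensitive authentication data, is to scan the places card data could have leaked into (application logs, exports, support tickets) for anything that looks like a card number. The example below is added here for illustration; it is not code from the original page or from Connect2Geek. It finds candidate 13- to 19-digit numbers, keeps only those that pass the Luhn checksum that card numbers carry, flags stored CVV/PIN fields, and masks what it finds down to the last four digits. The log lines are constructed sample input using well-known test card numbers, not real cardholder data.

```python
import re
from typing import List, Tuple

# Constructed sample input standing in for an application log. The card numbers are
# the industry's published test PANs (Luhn-valid, never issued to anyone). The phone
# number, order id and reference number are decoys that a digit-only search would flag.
SAMPLE_TEXT = """\
2024-03-01 09:14:22 INFO  order=20240301000017 customer=ACME phone=208-468-4323
2024-03-01 09:14:25 DEBUG charge request pan=4111111111111111 exp=12/26 cvv=123
2024-03-01 09:14:26 DEBUG charge request pan=5555 5555 5555 4444 exp=01/27
2024-03-01 09:14:27 INFO  charge ok ref=1234567890123456
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data fields that must never be stored after authorization.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*(\d{3,6})", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, pan) for every Luhn-valid candidate found in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _digits_only(m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def find_sad(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, field_name) for every stored CVV/CVC/CID/PIN value."""
    return [
        (lineno, m.group(1).lower())
        for lineno, line in enumerate(text.splitlines(), start=1)
        for m in SAD_FIELD.finditer(line)
    ]


def mask_pan(pan: str) -> str:
    """Mask a PAN to its last four digits, the most conservative display PCI DSS allows."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Return the text with Luhn-valid PANs masked and SAD values removed entirely."""
    def _mask(m: "re.Match[str]") -> str:
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)

    out = PAN_CANDIDATE.sub(_mask, text)
    return SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", out)


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_TEXT):
        print(f"line {lineno}: stored PAN {mask_pan(pan)}")
    for lineno, field in find_sad(SAMPLE_TEXT):
        print(f"line {lineno}: stored sensitive authentication data ({field})")
    print(redact(SAMPLE_TEXT))
```

Run this over log directories and exported files from every system on your data-flow diagram. Anything it reports is cardholder data being stored where the diagram says it shouldn't be; a hit on a CVV or PIN field is a violation regardless of how the rest of the environment is protected. The Luhn filter keeps the noise down (the order id and reference number in the sample are never reported), but a Luhn-valid number can still occasionally be a coincidence, so treat hits as leads to verify rather than automatic proof.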
Use a Firewall
A firewall that blocks unsolicited inbound connections to your network and devices, and that restricts traffic between the systems handling card data and everything else, stops many attackers before they can reach your data. It is a baseline PCI requirement, and the narrower you make the segment that touches card data, the less of your network is in scope for the rest of the standard.
Between 2015 and 2018 data breaches in the financial sector increased over 90%. (Statista)
Keep Systems Updated & Patched
It’s vital to proper cybersecurity to keep your software, firmware, and operating systems updated on computers, servers, and any credit card point of sale devices. Establishing an automated system to do this or contracting with a managed IT services provider in Nampa is the best way to ensure security patches and updates are applied promptly.
Control Sensitive Data Access
Controlling who has access to sensitive cardholder information helps to ensure tighter security. Some of the ways to do this include:
- Use of strong passwords
- Permission-based controls on databases and applications, granting each role only the access its job requires
- Use of multi-factor authentication for all access to systems that hold cardholder data, and for any remote access
- Documenting who has access to cardholder data, and reviewing that list when staff change roles or leave
- Use of unique login credentials for every employee, so that no shared accounts hide who did what
Ensure Physical Security
Beyond securing your technology, you also need to ensure your premises are secure from break-ins that can expose credit card data. You also want to keep an inventory of all POS terminals and card readers, confirm they’re all accounted for, and periodically inspect them for tampering or substitution. Don’t forget to include any mobile devices that may run POS applications.
Implement Regular Employee Training
It’s important that your employees understand the proper security procedures to follow when handling credit card transactions and cybersecurity as a whole, including never writing card numbers down or emailing them. Training them about phishing attacks and how to avoid them can significantly improve your cybersecurity and PCI compliance.
Documentation & Risk Assessments
Implementing logging and alerting for security events helps you stay ahead of potential data breaches and gives you a record to investigate if one occurs. Risk assessments and penetration tests can help you put together an incident response plan and become aware of security vulnerabilities before an attacker exploits them.
Need Help with PCI & Data Security Compliance?
Connect2Geek has a team of experts that fully understand what’s required of firms to stay compliant with PCI DSS and other data security standards and regulations.
Contact us today for a free security consultation. You can book an appointment online or call us at 208-468-4323.