Equifax recently experienced a data breach that impacted an estimated 143 million people. If it can happen to Equifax, it can happen to any business. If you accept credit cards for payment by customers and clients, are you protected from data breaches? According to the Verizon 2017 Payment Security Report (you have to give your name, email, and company in order to download it), businesses that experienced breaches weren’t fully compliant with suggested security protocols (explained later).
Why payment security matters to you
According to the Verizon report, trust is what matters, and 66% of customers say they’d be unlikely to do business with an organization that experienced a data breach exposing financial and sensitive information.
Perhaps even worse than the loss of trust, which can diminish business revenues, is the financial cost of addressing a data breach. This includes informing customers whose information may have been hacked and usually providing them with assistance (such as credit monitoring). If you fail to follow legal requirements on notice, you can be subject to severe governmental penalties. The National Conference on State Legislatives has a state-by-state list on security breach notification laws. At present there is no federal law addressing required notification by merchants for cardholder data breaches, but there’s a bill now pending.
All organizations, including payment service providers, merchant processors, online merchants, and face-to-face merchants, that store, process, or transmit payment card data are mandated by VISA, MasterCard, Discover, American Express, and other payment brands to comply with PCI DSS Standards. These are standards created by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, MasterCard, and Visa. Of the payment card data breaches that Verizon investigated between 2010 and 2016, not a single company was fully PCI DSS compliant.
There are 12 key requirements (some are technical while others are basic business practices):
|Goals||PCI DSS Requirements|
|Build and maintain a secure network and systems||1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
|Protect cardholder data||3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
|Maintain a vulnerability management program||5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
|Implement strong access control measures||7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
|Regularly monitor and test networks||10. Track and monitor all access to network resources and cardholder data
11. Regularly test security system and processes
|Maintain an information security policy||12. Maintain a policy that addresses information security for all personnel.|
Source: PCI Security Council
How to become compliant
If you are concerned about payment card security for your business, review your current security measures.
- Do a self-assessment of your cardholder data using PCI’s Self-Assessment Questionnaire.
- Talk with your IT person. Hopefully, the person is versed in PCI DSS. If not, they should be able to refer you to someone who is. As an aside, my IT person told me that it’s easier for small businesses to be compliant because the tech stuff is easy to handle and the non-tech stuff (e.g., limiting personnel who can access computers) is better controlled in small companies).
- Work with your credit card processor. Your bank or other credit card processor is your active partner on PSI DSS compliance, and should be an excellent resource to assist you in becoming and maintaining compliance.
- Work with a national PCI DSS expert. Once this expert certifies that you’re compliant, the costs of dealing with a data breach will be far less than if you were noncompliant.
Carrying cyber liability coverage may not be a substitute for being PSI DSS compliant. In light of one federal case involving P.F. Chang, it seems that this coverage only extends for data breaches where the policy explicitly references it; otherwise it’s excluded. Take the initiative and learn about PSI DSS compliance with this helpful guide.
This article was prepared with the assistance of Jim Higgins, president of the payment consulting firm of Jim Higgins & Associates, Inc.