A customer makes a purchase by telephone or shops online and pays by credit card. You pride yourself on your customer service, and one way to enhance that, it occurs to you, would be to store that credit card information so the customer could have faster checkout next time around. Great idea. But don’t do it, unless you learn and follow the guidelines set out in the Payment Card Industry Data Security Standard (PCI DSS). As a small business you may not have the wherewithal to encrypt the data as you should.
If you store, transmit or process customers’ data, your company bears responsibility for that data. If you don’t need sensitive data, don’t store it. That’s the basic rule. But if you do, you must fill out a self-assessment questionnaire (SAQ) to evaluate compliance. The acquiring bank (the bank or financial institution that processes your credit card transactions) and the credit card brands oversee compliance.
“A gateway payment system is only one component of a chain that connects you to your bank, the bank to the payment network, and the payment network to the customer’s bank,” stated Bob Russo, general manager of the PCI Security Standards Council in an email. “There are many different components of your business that may be connected to this chain. If you are physically handling and swiping a card, there are requirements that define how this may be done securely. There are also requirements that address how the swiped data is interpreted by the point-of-sale software and then transmitted. PCI security is difficult to completely outsource.”
Compliance with the PCI standard may keep your data from being breached by hackers. Verizon compiles an annual report on data breaches. In its 2012 analysis, Verizon found that 96 percent of data theft victims that were subject to PCI DSS had not achieved compliance. “In many cases these organizations have either failed to perform their (self) assessments or failed to meet one or more of the requirements,” the report stated.
Theft of payment card details, a form of identity theft, is a crime of opportunity, and small companies are getting the lion’s share of attacks. Based on 720 data breaches in 2011 where the business size was known, a full 79 percent occurred in organizations with between 11 and 100 employees.
Keeping POS systems safe from hackers means replacing the default administrative passwords (and changing them regularly), putting any remote access behind a firewall, and enforcing strong access controls on cardholder data. The Verizon report hypothesizes that not infrequently a merchant achieves compliance once and then fails to keep up with the security requirements. “Due to the point-in-time nature of PCI assessments, it is possible that an organization deemed compliant at its last audit may not still be compliant at the time of the breach,” the report stated.
Poor password practices make your company an easy target. Security consultants from nCircle reported in a white paper titled “Defending Your Small Business Against Cyber Crime” that at eight out of 10 small and medium businesses, employees do not change passwords frequently. That applies also to the passwords that open up your retail business to attack. In the Verizon report, 44 percent of the breaches involved the use of default or guessable passwords.
The impact of a breach can be severe. A court case being fought in the Third District Court in Utah demonstrates the types of fines that can be imposed. The credit card companies, Visa and MasterCard, determined that Cisero’s Ristorante of Park City was guilty of storing unencrypted card data and that this violation had led to a security breach. Fines, which can be as high as $100,000 from a card company, amounted to $55,000 from Visa and $15,000 from MasterCard. However, MasterCard later added about $75,000 to the fine when card issuers RBS Citizens and Chase claimed they had suffered losses when fraudulent charges were made on the cards of some of these banks’ customers, whose accounts were purportedly exposed via Cisero’s POS with its unencrypted customer account numbers. The basis of the fines: The restaurant’s POS system was not in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) at the time of the alleged data thefts.
Only four pieces of payment card data should ever be stored: the primary account number (PAN), the expiration date, the cardholder name and the service code. The service code is the three-digit value on the magnetic stripe that follows the expiration date in the track data; it defines service attributes such as whether the card is intended for international or national interchange and what usage restrictions apply. Even the PAN, if you keep it, must be rendered unreadable wherever it is stored (encrypted, truncated, hashed or tokenized) and masked when displayed, with no more than the first six and last four digits visible. Everything else read from the card during a transaction, including the full track data, the card verification code (CVV2/CVC2/CID) and any PIN, is sensitive authentication data that must be discarded as soon as the transaction is authorized.
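As an added worked example, not code from the article or from Newtek, here is a small Python routine that pulls only the storable elements out of swiped track data, masks the PAN, and audits a stored record for data that should not be there. The track layouts follow ISO/IEC 7813; the sample swipe (built on the well-known 4111 test number), the record field names and the audit rules are this example's own assumptions rather than anything defined by the PCI standard.

```python
import re

# Added example, not from the article. Track layouts per ISO/IEC 7813:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# The discretionary data carries PVV/CVV-type values and, like the full track
# itself and any PIN, is sensitive authentication data that may not be kept
# after authorization. It is parsed here only so that it can be dropped.
TRACK1 = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2 = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Field names are this example's own convention, not a PCI-defined schema.
FORBIDDEN_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2", "discretionary"}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test; catches a mangled swipe before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four digits are shown."""
    if len(pan) <= 10:
        return "X" * len(pan)
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def interchange(service_code: str) -> str:
    """First digit of the service code distinguishes international from national interchange."""
    return {"1": "international", "2": "international", "5": "national",
            "6": "national", "7": "private"}.get(service_code[0], "unknown")


def extract_storable(track: str) -> dict:
    """Return only the elements a merchant may keep after authorization.

    The PAN comes back masked; the discretionary data is discarded outright.
    """
    m = TRACK1.match(track) or TRACK2.match(track)
    if m is None:
        raise ValueError("not recognizable track 1 or track 2 data")
    pan = m.group("pan")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check; likely a bad swipe")
    record = {
        "pan_masked": mask_pan(pan),
        "expiry": m.group("exp"),
        "service_code": m.group("svc"),
    }
    name = m.groupdict().get("name")  # only track 1 carries the cardholder name
    if name:
        record["cardholder_name"] = name
    return record


def audit_record(record: dict) -> list:
    """List the ways a stored record breaks the storage rule (empty list means clean)."""
    problems = []
    for field in record:
        if field in FORBIDDEN_FIELDS:
            problems.append(f"sensitive authentication data stored: {field}")
    pan = str(record.get("pan", ""))
    if re.fullmatch(r"\d{13,19}", pan):
        problems.append("PAN stored in clear text; encrypt, truncate, hash or tokenize it")
    return problems


if __name__ == "__main__":
    # Constructed sample swipe using the 4111... test number, not a real card.
    swipe = "%B4111111111111111^DOE/JANE^25121011234567890?"
    kept = extract_storable(swipe)
    print(kept, interchange(kept["service_code"]))
    print(audit_record({"pan": "4111111111111111", "cvv2": "123"}))
```

Run it against a swipe from your own POS test mode and compare what `extract_storable` returns with what your database actually holds; anything `audit_record` flags is exactly the kind of data the Cisero’s case below turned on.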
PCI compliance should not be left up to your IT department or to a third party that processes your payment cards. “Every part of an organization should be aware of the need to secure payment card transactions.” That means everyone from “the clerk at the register handling cards up to the CEO and Board of Directors who would have to deal with the potential cost of investigating and mitigating a data breach once it has occurred,” Russo stated.
Former President Harry S. Truman kept a sign on his desk that reminded him: The buck stops here. Same rule holds in small businesses: The buck stops with you, the owner. The PCI Security Standards Council states on its website that “PCI compliance is a business issue” best addressed by a team that includes not just IT but also representatives from many other parts of the organization. “The risks of [data] compromise are financial and reputational, so they affect the whole organization. Be sure your business addresses policies and procedures as they apply to the entire card payment acceptance and processing workflow.”
So what’s the easy solution? Call Newtek, The Small Business Authority for the industry’s most effective and affordable data security solutions – for your customers and your business.