The constant threat of credit card theft has prompted the major credit card companies (MasterCard, Visa, Discover, American Express, and JCB) to create a security standard for all businesses that accept credit cards. It’s known as PCI DSS (Payment Card Industry Data Security Standard), or PCI for short. PCI addresses the way that credit card data gets handled in an organization, focusing on how data is gathered and transmitted to protect consumers from theft. Businesses of all sizes, regardless of whether they use high-risk merchant account processing services, must be PCI compliant to accept credit cards.
Image via Flickr by Don Hankins
Many people think that theft of credit card data occurs when hackers get into data banks or pull information from unprotected Wi-Fi streams. Although such situations do occur, information also gets stolen due to the overlooked human element. Employees and employers who treat card information in a careless manner can create a lack of security in businesses. In turn, this carelessness generates an opportunity for theft-minded employees to take advantage of the situation.
Another problem that businesses create for themselves is that of insecure data networks. While not everyone can lay claim to being an expert in IT security, everyone can learn the basics of data security. Many businesses have made the move to using Wi-Fi networks in their facilities to avoid costly cabling. Sending data through Wi-Fi requires safety measures that are often overlooked. Sometimes the security gets turned off during the initial setup and never gets re-enabled. What this means is that anyone who has a data sniffer and collector can get the information and use it for his or her purposes.
In the same vein, weak passwords are also a vulnerability. While no one likes to create passwords that use various symbols, numbers, and letters, this is often considered the most secure type of password. People write passwords down because they’re complicated even though shouldn’t leave this information lying around. Password safes can lock down passwords, but only if businesses always use them. Otherwise, it’s child’s play for a thief to take the password from the desk. And when the passwords are simple, criminals can run what are known as dictionary attacks to find the word that unlocks the information.
Perhaps the most insecure method of handling credit card information is on the phone. Taking orders over the phone or in a call center setting means writing down or typing in card numbers for processing while the customer is on the phone or after the call has been completed. Without proper security, a perfect clone of the client’s credit card information is then available. All it takes is an employee’s seeing the information, copying it, and walking away — with no one the wiser.
These are just some of the issues that lead to credit card theft. All these, at their heart, are a betrayal of customers, who expect businesses to hold their financial information in the strictest confidence. On a larger scale, credit card theft creates a bad relationship with credit card processors, especially if there’s a disproportionate amount of theft coming from one source. Weak spots in internal credit card security are something that all businesses need to find and eliminate, even if they expect to have to deal with occasional theft. It’s better that the theft comes from the outside than from the inside.
Image via Flickr by Aranami
The PCI is a set of requirements organized into groups called “control objectives,” which lay out a particular framework for businesses to follow. Each provision addresses a particular weakness in how credit card data is handled, creating a “cure” for the problem.
For example, one of the objectives addresses issues such as managing data over a Wi-Fi network. The most secure way to lock down data is to send it through a wired LAN, but that’s not always feasible to do. Information is instead transmitted through a Wi-Fi–enabled terminal to the payment gateway for processing. Some businesses set this up so that the signal runs through an internal Wi-Fi network before going through the gateway. But if there’s no encryption or password protection on this internal network, the credit card data is at risk of theft by someone who has a Wi-Fi sniffer.
PCI specifies the way in which data sent over Wi-Fi must be protected. It’s up to businesses to follow the requirements to be in compliance with PCI and maintain good relations with their credit card processor. Companies that don’t comply with PCI by maintaining their certification face the possible consequences of fines, cost increases, and even closure of their merchant service accounts. Noncompliance can mean lost transactions and customers, lost jobs, and higher costs to reopen a merchant service account — even a high-risk merchant account.
Any business that accepts credit cards must be PCI-compliant. This includes large and small operations, low-risk and high-risk merchant account holders, and private and public clubs, just to name a few. Even if the business runs only one credit card transaction per year, it still has to comply with PCI. There’s no wiggle room: If the firm accepts credit cards, PCI compliance is a must.
Business owners may complain about the burden of following PCI requirements, but it’s simply good business practice to do so. Customers trust companies with their valuable data. Those companies need to return that trust by protecting the information with the highest standards possible. PCI lays out those standards in such a way as to make it easy as possible to comply.
Taking the time and putting in the effort to make sure your business complies with PCI makes sense. In the long run, the amount of time invested in compliance is small when compared to the peace of mind you give to your customers.