Any company that takes payments via credit or debit card is subject to compliance with the Payment Card Industry (PCI) Data Security Standards. These standards help protect cardholders against misuse or mishandling of their card details by putting into place rules that companies must adhere to.
With the ease of getting set up to take payment cards these days (it can take just minutes on platforms like Stripe or Square), it’s not surprising that many small businesses aren’t aware of the PCI compliance rules they’re required to adhere to and end up making costly mistakes.
Monthly penalties for PCI non-compliance range from $5,000 to $100,000.
Companies can suffer several consequences for not adhering to PCI standards, which include:
- Loss of customer confidence due to a data breach
- Fraud losses
- PCI non-compliance fines and penalties
- Loss of ability to process credit cards
- Legal costs, settlements
- Higher scrutiny by regulatory agencies
The basics of the PCI compliance requirements are to ensure you’re handling, storing, and transmitting payment card data securely to prevent it ending up in the wrong hands or being compromised in a data breach.
Good IT security practices will go a long way towards PCI compliance along with taking precautions to avoid making the following mistakes.
Tips for Staying Compliant and Secure
So far in 2019, at least 4 billion records containing sensitive data such as credit card numbers and home addresses have been exposed in data breaches.
The average cost to a business who is the victim of a data breach of their network or client database is $3.9 million or $150 per each compromised record.
Avoiding the common PCI compliance mistakes below is not only good for your customers, it’s also good for your own company’s bottom line.
Storing Cardholder Data as Plain Text
Encrypt all cardholder data store encryption keys securely and separately in as few locations as possible. Storing that sensitive data in a plain text format makes it easy for it to fall into the wrong hands and become compromised.
Many payment systems will not store the complete 16-digit card after the transaction has occurred and won’t store the CVV either to reduce risk that a breach of the database will provide usable credit card data.
Not Properly Controlling User Privileges
A common problem in small offices is that they’ll give all the users the same Admin or “master” privilege level instead of taking the time to set access levels that make sense for their organization. For example, your salesperson most likely won’t need the same privileges to create customer quotes as your accounts receivable team that processes incoming payments.
Using the “Rule of Least Privilege” is a good best practice to use with any type of application access granted to your employees. The rule means that you should grant the lowest (or least) privilege needed for a user to perform their job duties.
Assuming Your Vendors Are Responsible for Your PCI Compliance
While many payment processing vendors you use will confirm that they operate in full PCI compliance, however that doesn’t leave you off the hook completely. You’re still responsible to:
- Ensure any 3rdparty software you’re using is PCI compliant; and
- Ensure your office practices are PCI compliant (i.e. what happens when a phone order comes?)
Keep in mind that you are the company ultimately responsible when you take a customer’s card for payment, so you’re still required to meet PCI standards even if you’re using virtual merchant platform.
Not Properly Training Employees on Security and Card Handling
Approximately 90% of all data breaches involve a phishing attack. Phishing emails target your employees and bank on the fact that they all won’t be savvy enough to spot these very sophisticated fakes.
Staff training both on good cybersecurity practices, like password security and how to spot a phishing email, and proper card handling procedures will help you avoid issues, such as an employee scribbling down a customer’s card number during a phone call then throwing away the paper without shredding it.
Staying in the Dark about PCI Requirements
Many companies just don’t take the time to learn about PCI compliance and hope that nothing goes wrong. You’re bound by all requirements found in the PCI-DSS rules if you accept credit for payments, whether you know the standard or not.
It’s better to understand your requirements so you can ensure proper compliance and not end up with an unfortunate penalty like having your ability to process credit and debit cards cut off completely.
Get Help with PCI Compliance from ZZ Servers!
Our PCI compliance experts can make compliance simple and less confusing. We’ll help you protect your customers, your network, and can guide you through any IT security audits efficiently.