Are your customers’ card details safe with your business?
5th May 2022
Many businesses accept cards from different card merchants, take online payments, online bookings, and online orders… but are you keeping your customers’ information safe?
More often than not, businesses are unaware of the risks that come with not having PCI compliance in place, and of the extra costs that can follow. In this blog, we will explore why PCI compliance matters for your business and how it benefits both your business and its customers.
What are the laws and regulations?
According to the Payment Card Industry Data Security Standard (PCI DSS), PCI compliance applies to any business or organisation of any size that processes transactions or accepts, transmits, or stores cardholder data.
If your company is found to have been involved in a data breach, you could face fines of up to £3.5 million.
You must undergo a PCI auditing procedure in order to become PCI compliant. There are four merchant levels: Level 1 covers businesses processing the highest number of transactions and Level 4 the lowest. The audit also looks at your overall company security procedures and checks that other aspects are regularly maintained and have procedures in place, such as ensuring your website receives security updates.
What are the 12 requirements to be PCI compliant?
- Use and maintain firewalls – firewalls block unauthorised access to private data, ensuring cardholder details and information remain safe.
- Password protection – POS systems, routers, etc. usually come with generic pre-set passwords. To be PCI compliant you must have procedures in place to change these to secure passwords and keep a list of the devices and software that require a password.
- Cardholder data protection – cardholder data must be encrypted, and the encryption keys must themselves be protected (they are also encrypted for compliance).
- Encrypt transmitted data – cardholder data can be sent through a range of channels, including stores, home offices, and more, which is why it is important to ensure all data is encrypted in transit.
- Anti-virus – anti-virus software should be installed, regularly maintained, and patched to ensure data is safe and secure.
- Update your software – your software can only be fully effective if it is regularly updated. Updates often come with added security fixes, so it is important to keep an eye on them.
- Data access – not everyone needs access to cardholder data; only people who require it should be granted access to sensitive information.
- ID for access – identification and credentials should be in place to ensure only the right people are accessing any data.
- Physical location – any customer data kept in hard or physical copies should be stored somewhere safe and secure. Records of who accessed the data and when should also be kept, in line with PCI compliance requirements.
- Access logs – every access to a PAN (primary account number) requires a log entry, and log management software should be used to make sure logging is done accurately.
- Vulnerability – scan your company for vulnerabilities, including out-of-date software, physical locations, and human error, to eliminate risks.
- Document policies – the equipment, software, and staff that have access to cardholder data should all be documented in order to be PCI compliant.
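As an added example (not code from the original post or from Astaris), the Python snippet below shows two of the practices above in working form: masking a PAN to its first six and last four digits before it is written to an access-log record, and scrubbing a free-text log line that accidentally captured a full card number. The sample log line, the function names and the use of a Luhn check to tell card numbers from other long digit runs are my own constructions; 4111111111111111 is a well-known test number, not a real card.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sample log line that leaked a full card number (test number, not a real card).
SAMPLE_LOG_LINE = "2022-05-05T10:15:00Z order=1042 card=4111111111111111 user=alice"

# A PAN candidate: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the usual PCI DSS display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN candidate in free text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def access_log_entry(user: str, action: str, pan: str,
                     when: Optional[datetime] = None) -> dict:
    """Build the audit record for one access to a PAN; the record never holds the full PAN."""
    when = when or datetime.now(timezone.utc)
    digits = re.sub(r"[ -]", "", pan)
    return {"ts": when.isoformat(), "user": user, "action": action, "pan": mask_pan(digits)}


if __name__ == "__main__":
    print(redact_pans(SAMPLE_LOG_LINE))
    print(access_log_entry("alice", "view", "4111 1111 1111 1111"))
```

Run the redaction over log output before it is stored, and write access records only through the helper, so a full PAN never reaches a log file in the first place.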
What are the benefits?
It may sound like a lot of work, but it comes with a range of benefits that make it well worthwhile.
Most importantly, your customers’ and cardholders’ data is safe, meaning their card information cannot be accessed by the wrong people. With this comes a strong company reputation (imagine the trust you would lose if you were involved in a customer data breach!).
You may also avoid card merchants’ fees: many card merchants add additional fees for companies that are not PCI compliant, and most businesses do not even know they are being charged!
Introducing these additional measures will make you secure and compliant with other regulations simultaneously, so it’s a win-win for everyone!
If you want to know more about being PCI compliant, or need some advice, get in touch with the Astaris team.