PCI DSS: Obligations that Provide a Roadmap to Security
Merchants handle sensitive customer information every day. Some of this sensitive data pertains to customer demographics and personal identification, but much of it takes the form of credit or debit card account numbers. All customer data is important and should be managed carefully, but leaks and compromises of payment card information can cause severe financial damage to customers. These customers will likely avoid using your services in the future for fear of similar consequences.
Mindful of the pitfalls of handling credit card data, the major card brands created standards for merchants to follow as best practices. These standards, called PCI DSS, for Payment Card Industry Data Security Standard, provide a framework for merchants who accept credit card transactions. Any business that accepts card payments must be in PCI DSS compliance. PCI auditors monitor compliance, and failure to follow the standards and requirements can result in considerable fines and potential termination of your relationship with the processing bank.
Who is covered under these standards?
Any business that handles credit or debit card payments is required to abide by the standards. If you collect payment information only over the phone, you are covered. Even if you do not store credit card data, PCI DSS compliance requirements still apply. Under PCI DSS, any business that stores, processes or transmits cardholder data must be in compliance.
PCI DSS demystified
While the standards are broad and cover a variety of merchant situations involving payment card data, 12 high-level topics are covered in depth. These include the following:
- Firewall usage for safeguarding data.
- The importance of unique, non-default passwords across an organization.
- Protecting stored customer payment card information.
- The required use of encryption when data moves across open public networks.
- Requiring the use and maintenance of anti-virus protection.
- Keeping systems secure with ongoing maintenance and protection.
- Limiting employee access to cardholder information.
- Requiring unique identifiers for those with access.
- Physical data access restrictions.
- Logging and monitoring of network access.
- Frequent testing and self-assessment.
- Internal PCI DSS policy requirements.
As you can see, these standards cover the major risks of handling customer payment data. The standards are not static regulations; they are regularly revisited and revised in response to new threats and technologies.
Are these standards just a business burden?
While the standards are relatively easy to follow, they are comprehensive. Some business owners may be overwhelmed and tempted to view PCI DSS compliance as something akin to bureaucratic red tape, just in a non-government flavor. Compliance is often viewed simply as a burden. Merchants may rush through compliance steps to meet this obligation, then abandon the effort until the threat of an audit once again arises. This perspective on PCI DSS is unfortunate and misguided.
PCI DSS addresses a security need
Rather than viewing the PCI DSS standards as burdens, merchants can treat them as tools for ensuring not just compliance but real data protection. The requirements can serve as an organization's map to data security. Let's take a look at a few of the standards to see the benefits of implementation and compliance.
Some of the requirements reflect current data security best practices, such as requiring firewalls and encryption tools. Others cover risks that we all too often see play out in reality. For example, PCI DSS requirements seven through nine deal with implementing strong access control measures. In 2013, Target was the subject of a data breach that exposed 40 million card accounts. The breach occurred when hackers stole the login credentials of an HVAC vendor.
There are a few retrospective lessons from the Target breach. Strong access controls would more closely monitor who has access to a network or system. These controls would also segregate and protect customer card payment data, so that only those with clearance to view the records would have access. Lastly, had Target fully implemented the PCI DSS standards, the breach would have been less likely to succeed.
Following standards and policies can help your organization strengthen and secure some of the most critical data a customer can entrust to another party. Security breaches are expensive. Merchants can be held liable for losses incurred by cardholders and card issuers, especially if the breach is due to non-compliance. Equally important is customer goodwill. A breach can heavily tarnish a business's reputation, resulting in millions in lost sales.
Before you take another credit card order over the phone, consider your risk. Do you have a compliance plan that ties into your unified communications? As telephony and CRM blend through efficient workflows, can your VoIP system integrate with CRM? At 8x8, we offer intuitive virtual office systems that work with your customer tracking. For more information, click here and a VoIP solutions expert will contact you directly.