What is PCI DSS? A Clear Path to Security
If you are a business that handles, processes, or stores credit card payments, you are likely subject to the Payment Card Industry Data Security Standards, or PCI DSS. This set of requirements seeks to protect consumers, merchants, lenders, and the card payment acceptance process.
Credit card data is highly attractive to unscrupulous actors, such as hackers and other criminals. At the same time, businesses in the modern economy must accept the major credit card brands to remain relevant. Online and over-the-phone transactions, in particular, would suffer without the card payment system.
Because the credit card-issuing companies realized the need for industry-wide accepted best practices, PCI DSS was born.
PCI Definition: What Is PCI DSS?
PCI stands for "payment card industry," and its security standard, PCI DSS, sets out 12 main requirements. These detailed practices and requirements are grouped into six subsets based on security goals, which are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Each subset is broken down into detailed guidelines for compliance. Steps can include:
- Using the most recent antivirus services
- Using encryption
- Limiting access to card payment data
When taken as a whole, the requirements can seem highly burdensome to retailers, restaurant owners, or other merchants. However, they work as an effective data security roadmap.
Security experts frequently point to simple errors as the source of breaches. Often, failing to prioritize security is the culprit. If merchants treat PCI DSS as a tool, rather than a checklist visited only in the shadow of an audit, there may well be fewer data breach incidents.
Essentially any business that collects, processes, or stores cardholder data is covered, not only those businesses that collect payment information digitally. If you take orders and payments over the phone, you are required to comply as well.
Penalties for Noncompliance
Failing to comply with PCI DSS carries a cost. Fines can be significant, and noncompliance can result in the card issuer terminating the merchant's ability to accept its cards. The inability to accept certain card payments can be fatal to any merchant in today's economy, where digital payments are the norm.
The True Cost of Data Breaches
While the fines are steep, the actual costs can be much higher.
Recent examples of merchant data compromises highlight the business risk of noncompliance. In 2014, Home Depot suffered a breach that affected card payment data from 56 million consumers.
On smaller scales, data attacks occur all the time. Network experts estimate that 58 data records are stolen every second. These breaches cost an average of between $3.6 and $7.3 million in damages per incident. Smaller breaches often target businesses such as restaurants and small shops, where individual purchases may be smaller.
Collectively, the attacks cost millions, but they also damage the customer experience.
The Intersection of Unified Communications with PCI
Because it is common to collect credit card payments from customers over the phone, unified communications platforms, applications, and services must support compliance.
One might believe that simply taking a credit card payment over the phone is noncompliant, since a person sees the data. This is not the case: need-to-know provisions allow employees to process payment data when necessary. Businesses can ensure security by using unique passwords that are regularly changed and by restricting access to cardholder data.
One common weakness within organizations is a lack of separation between voice and data circuits. Keeping voice traffic separate from the network that carries customer card payment data avoids this weakness. Compliance requires understanding which parts of a business are in scope for PCI DSS. Since employees can collect payment card information verbally, VoIP systems are in scope for PCI DSS compliance.
Stay Compliant and Safeguard Payment Data
PCI DSS compliance helps businesses become more secure, as high-profile data breaches underscore the need for data security. Whether you capture payment information electronically or through a phone call, your business is covered if it collects, stores, or processes card payment data.
For more information on VoIP compliance, security, and reliability, download 8x8’s whitepaper, “The Elephant Herd in the Room: Why VoIP Providers Won’t Talk About Compliance, Security, and Reliability.”
When it comes to security, 8x8 provides reliable and compliant cloud solutions at a demanding level rarely seen by other cloud providers. Don't take your chances with a subpar cloud-based telecom system. Call 1-866-879-8647 or fill out our online form to request a no-obligation quote from an 8x8 Product Specialist.