Business owners should be aware of industry standards for payment card data security. Read more about how to comply with those standards and keep your customers' information secure.
Incidents of large merchants experiencing data security breaches have heightened awareness of the importance of payment card data security. To prevent such breaches, as well as to counter the growing problem of fraud and adverse publicity, the major credit card companies created the Payment Card Industry Data Security Standard (PCI DSS), which is now maintained by the PCI Security Standards Council. All merchants that accept payment cards are required to validate compliance with the standard annually.
PCI DSS is a set of security requirements that help business owners implement the hardware, software and procedures needed to guard sensitive card and personal information. The standard is designed to safeguard everyone in the payment chain: cardholders, merchants, banks and processing companies.
There are three components to PCI compliance:
• Self-assessment questionnaire (SAQ)
• Network scans
• On-site visits
The online self-assessment questionnaire documents how the merchant handles sensitive data, including digital and hard copy storage. Network scans are external vulnerability scans performed by a PCI Approved Scanning Vendor (ASV), which remotely scans the merchant's Internet-facing networks and Web applications. The scan seeks to identify vulnerabilities that attackers could use to reach the company's private network and cardholder data. On-site visits are performed by a Qualified Security Assessor (QSA) and are the basis for an annual Report on Compliance, completed by the QSA or by a company's internal security assessor and accompanied by an Attestation of Compliance signed by an officer of the company.
Compliance requirements vary by a merchant's volume of annual card transactions (its merchant level). Most merchants validate with the SAQ; quarterly ASV scans are required of any merchant whose card-processing environment has external-facing IP addresses, regardless of size. Merchants processing more than six million transactions a year (Level 1) must submit to an annual on-site assessment as well as the quarterly network scans.
Consequences of Non-Compliance
There are serious consequences for merchants who do not comply with PCI security requirements. The card associations may impose significant fines (up to $500,000 per incident, per association), which are passed to the merchant through its acquiring bank; they may restrict or permanently prohibit card acceptance; and they may charge the merchant for the cost of re-issuing compromised cards.
If a business is the source of a card-data breach, it will be required to isolate the affected systems and submit to a forensic investigation by a PCI Forensic Investigator (PFI) to determine how the breach occurred and what must be done to fix it. When the investigation is complete, the investigator sends a report on its findings to the card associations. The associations then levy a fine based on that report, taking into account how egregious the security lapses were and how many cards were compromised. The associations may also move the merchant to a higher PCI compliance level, with the stricter validation requirements that level carries.
The negative publicity stemming from a data breach is hard to quantify in dollars. However, one incident can cause irreparable damage to a reputation a merchant has carefully built up over years. The necessity to safeguard payment data will only continue to grow. No matter how big or small your business may be, it is important to understand that every merchant is a potential target for a data security breach.
PCI Compliance Validation
Hancock Bank and Whitney Bank can guide clients through PCI compliance with tools that help simplify the process and provide multi-layered security. Our goal is to make PCI compliance validation as easy as possible. We offer Merchant Services through a relationship with the payment processing experts at First Data Corporation. Learn more about how Merchant Services can streamline payments and help your business grow, and contact a banker at a branch near you.
©2016 Financial Publishing Services Co.
This information is for educational and illustrative purposes only.