Businesses were hit by 3,141 data breaches in 2015, and those are just the confirmed cases. As everyone knows, cyberattacks are on the rise, and each incident can damage both finances and reputations.
If your business accepts credit cards – or any form of payment card – card security compliance can help you beat the breach odds and avoid financial penalties. Meeting the industry’s PCI security standard is straightforward, and a smooth rollout is within reach if you follow the requirements.
Who Controls PCI – and What it Means for Your Business
The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS or simply PCI, is a set of information security standards that is meant to cut the risk that cardholder data becomes compromised. It’s administered and managed by an independent group but enforced by the major card brands.
Businesses that don’t comply with the standard can expose themselves to significant financial risk. They can be hit with non-compliance fines that range from $5,000 to $100,000 per month, and in the event of a breach, an additional $50 to $90 for each cardholder whose data was compromised. The consequences may also include losing the ability to process credit card payments. On top of that, they may jeopardize customers’ trust that it’s safe to do business with them.
PCI DSS requires all businesses to:
- Build and maintain a secure network and systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
For more detail on these steps, see the checklist below.
Compliance is a Project – But There’s Help
As you delve into making sure you’re PCI-compliant, you may want to enlist the help of third-party partners. Start by exploring the PCI solutions your acquiring bank and payment processor offers. There are also vendors that specialize in this area. And look at what service providers, such as your web hosting company, may be able to contribute. While all of these experts can help remove the guesswork and simplify the process, no one can sell you a silver bullet. Performing your own due diligence is critical to ensuring that all the components you choose will meet your needs.
Regardless of how you meet PCI requirements, you’ll also have to validate your compliance. Validation demands depend on your merchant level, which is primarily determined by how you accept payments (i.e., e-commerce vs. card-present transactions) and the volume of card transactions you process over 12 months. Other considerations — such as if your business has previously suffered a data breach — also factor into determining your merchant level. Be sure to check with your acquiring bank, payment processor or security solution provider to confirm your status.
"Ensuring your business is PCI-compliant...may save you from becoming another data breach statistic."
Based on your merchant level, validation requirements can include completing an annual self-assessment questionnaire or enlisting a qualified security assessor to conduct an on-site audit of your information security practices. You may also need to partner with an approved scanning vendor to run a quarterly network vulnerability scan and submit an attestation of compliance form.
Ensuring your business is PCI-compliant requires an investment in time and resources, but it may save you from becoming another data breach statistic. Requirements, compliance guidance and updates are available in the standards group’s latest Quick Reference Guide for the current version, PCI DSS 3.2.
For more information on PCI compliance, contact your SVB Global Treasury and Payments Advisor.
Checklist: Your 13 Must-Do Tasks to Meet the PCI DSS 3.2 StandardBuild and maintain a secure network and systems
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Protect all systems against malware and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data on a need-to-know basis.
- Identify and authenticate access to system components.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
- Make the policy accessible for all employees to reference as needed.
Read more in our series about how to optimize your company's payments tools and processes on SVB's Payments Trends & Insights page.