In this day and age, businesses of all types and sizes are well accustomed to accepting a variety of payment card information. However, as evidenced by recent data breaches, handling credit cards presents an inherent privacy risk.
Fortunately, there is guidance for businesses to turn to in the form of the Payment Card Industry Data Security Standard (PCI DSS), a framework to protect customers’ sensitive payment account data. But the PCI DSS is not well-known or understood by many entrepreneurs, especially smaller business owners. Nevertheless, failure to comply with the requirements of the PCI DSS may not only result in theft of customers’ account data; there may also be serious legal and financial consequences for the business itself.
What is the PCI DSS?
The PCI DSS was created by the PCI Security Standards Council, founded in 2006 by leading payment card vendors. The framework consists of 12 requirements that set forth data protection measures, including the installation and maintenance of a firewall, encryption of data transmitted across open networks, protection against malware and viruses, restriction of access to sensitive data and strict monitoring requirements, among other controls.
To what businesses does the PCI DSS apply?
The PCI DSS applies to all entities involved in payment card processing, including any that store, process or transmit cardholder data or sensitive authentication data. This includes merchants, processors, acquirers, issuers and service providers. In short, if your business ever has access to others’ payment card information, assume you are covered.
Is my business legally required to comply with the PCI DSS?
This will depend on whether you have any contractual relationships with a payment card vendor, as well as the state in which you do business. Payment card vendors typically incorporate the PCI DSS into their contractual relationships. Visa International, for example, requires banks that issue Visa credit or debit cards, as well as banks that process Visa credit or debit card transactions on behalf of a merchant, to comply with the PCI DSS through contracts. Visa further requires those banks to ensure compliance by their merchants and service providers who store, process or transmit Visa account numbers. The individual payment card vendors determine any penalties for noncompliance with the PCI DSS.
Additionally, several states are passing laws that adopt many of the PCI DSS best practices. While Florida is not on the list yet, proactive businesses can anticipate legislation down the line and adopt the PCI DSS requirements that may work their way into law.
What can I do to comply with the PCI DSS?
- Download a copy of the PCI DSS at pcisecuritystandards.org. There are also many other resources there that simplify the more technical aspects of the PCI DSS.
- Ensure that your IT department or vendor is familiar with these responsibilities and is taking proper steps to secure data through firewalls and malware/virus protection.
- Inspect payment terminals regularly for card “skimming” equipment or for other evidence of tampering.
- Limit remote access to your system by outside vendors; such remote access can be hijacked by criminals and used to reach your data.
- Often, businesses store more data than is necessary, increasing exposure to a data breach. Keep only what is necessary and discard the rest in a secure manner. Remember that receipts printed from payment terminals contain sensitive payment information as well.
- Make your payment system as simple as possible. WiFi, cameras, Internet phones and other complex technologies provide more openings for a data breach. Be aware of how your system may increase or limit exposure to such a breach.
- Keep policies and procedures for compliance with PCI DSS in place and instruct all employees on the importance of data security.
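As an added example (not from the article or from Watson LLP), here is a small Python scanner for the kind of stored receipt or log text the list above warns about: it finds Luhn-valid card numbers in a constructed sample and masks all but the last four digits, so a business can check whether more cardholder data is being kept than necessary. The sample receipt text and the function names are my own construction.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
# The look-around assertions stop a match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in text, with separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str, keep_last: int = 4) -> str:
    """Replace each Luhn-valid PAN in text with a form showing only its last digits."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # not a card number (e.g. an order id); leave it alone
        return "*" * (len(digits) - keep_last) + digits[-keep_last:]
    return PAN_CANDIDATE.sub(repl, text)


# Constructed sample: a receipt export as a payment terminal might leave it on disk.
# Card numbers are the publicly known Visa/Mastercard test numbers, not real accounts.
SAMPLE_RECEIPT = """\
MERCHANT COPY  2024-01-15 12:31
Order 1234567890123 total 42.17
Card 4111 1111 1111 1111 VISA
Auth 5500-0000-0000-0004 approved
"""

if __name__ == "__main__":
    print("unmasked PANs found:", find_pans(SAMPLE_RECEIPT))
    print(mask_pans(SAMPLE_RECEIPT))
```

The 13-digit order number is left untouched because it fails the Luhn check, which is what keeps a scan like this from flagging every long number in a file. PCI DSS requires PANs to be masked wherever they are displayed, with at most the BIN and the last four digits shown, so keeping only the last four is the conservative choice for stored receipts.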
Whether or not the PCI DSS is required for your business, it is a good place to start when creating a data security protocol.
If you have never heard of it, there is a good chance your business may be vulnerable, and now is the time to change that.
Alberto Montequin, Watson LLP
Alberto Montequin is an attorney at Watson LLP, where he counsels Central Florida businesses on cybersecurity and other aspects of technology law. He may be reached at 407-377-6634 or by email at firstname.lastname@example.org