How to Reduce Your PCI Scope When Accepting Payments
Accepting credit card payments can greatly boost your business’s bottom line, but it comes with immense responsibility. Anyone paying attention to the news knows how ubiquitous credit card breaches and hacks have become. One of the biggest PCI breaches is still the 2013 Target attack that resulted in 40 million card details being stolen.
Other significant recent attacks include the Magecart Attack on Warner Music Group, the Adobe breach where 3 million customer card details were stolen, and of course Equifax — a premier U.S. credit bureau — falling victim to data breaches that compromise precious cardholders and personal data.
Maintaining a secure cardholder data environment (CDE) isn’t simply recommended, it’s required. Any business or organization that transmits, stores, or processes cardholder data falls within the scope of the Payment Card Industry Data Security Standard (PCI-DSS). You may be thinking to yourself, “Wait, that means my business is within PCI scope!” Yes, it likely is.
By being within scope, your business is subject to:
- Annual PCI audits to evaluate systems and check for security vulnerabilities.
- Potential quarterly reviews of the systems that store cardholder data.
- Losses of up to $90 per compromised card in the event of a data breach.
The fact is, you simply can’t ignore your PCI obligations. Consider the fact that Target’s earnings reportedly fell 46 percent in the immediate aftermath of its infamous 2013 data breach. Can your business sustain a revenue drop of this magnitude? Even if it does, PCI non-compliance can result in merchant account termination rendering you unable to accept credit or debit card transactions moving forward.
So, let’s discuss what PCI is, how your CDE is configured, and how you can best reduce your scope to minimize your business’s risk of a data breach.
An Overview of PCI DSS
PCI DSS was put into place by the major card brands (Visa, MasterCard, Discover, and Amex) to reduce fraud-related losses by establishing higher security standards and enforcing their adherence. These guidelines also allow for the ranking of businesses based on their compliance.
PCI compliance is the highest achievable level. You can verify whether your current merchant services provider is PCI compliant by searching for it among the Visa Global Registry of Service Providers. Compliance is assessed annually through audits and system tests that probe for vulnerabilities and evaluate implemented best practices.
To ensure that your business and customers are safe, PCI compliance should be a requirement for any provider you partner with. This includes the provider of your processing terminal, e-commerce, point-of-sale software (POS), and virtual terminal if you have a patchwork setup.
Additionally, it’s important to use common sense and best practices when storing and accessing data. While writing a frequent customer’s card number down and filing it in a cabinet may seem convenient, it violates PCI standards. Spreadsheets aren’t safer, even if your computer is password protected. Likewise, even if there isn’t cash in your drawers, locking up at night is vital if your computer or network interacts with cardholder data.
The Components of Your CDE
Your computer and network could be vulnerable due to the following components of your CDE:
- Networks: Physical connections like Ethernet, wireless connections like Bluetooth, or virtual connections like firewalls.
- Applications: Retail and mobile POS, virtual terminals or payment gateways, e-commerce websites, and management software that interacts with cardholder data.
- Software: Processing software that is either native or SaaS. Native software must be downloaded to your servers, which opens your business up to PCI scope.
To reduce your liability, you can implement the following best practices when it comes to your network, applications, and software:
- Leverage network segmentation to isolate where cardholder data is stored.
- Elect to only use applications that are secured using point-to-point encryption (P2PE) or tokenization.
- Middleware is an additional piece of software that’s often required to connect your POS to your card reader, but select EMV-certified processing terminals connect to your network via Ethernet instead of middleware. This means all cardholder data bypasses your computer and network for reduced PCI scope.
Streamlining Your Providers for Simpler Compliance
By partnering with a proven and tested all-in-one provider that is PCI-compliant, you can minimize your liability. Opting for Atlantic.Net hosting, using a processing terminal that lacks middleware, and committing to best practices for storing cardholder data can all contribute to a safer, more compliant business environment where no cardholder data is transmitted, processed, or stored on your computer or network.
If a fraudster breaks into your business location, you can rest assured that cardholder data isn’t compromised. Furthermore, choosing a provider that uses tokenization to protect cardholder data will ensure that your customers’ information isn’t compromised throughout the transaction process.
Why Choose Atlantic.Net?
Contracting with Atlantic.Net for PCI-DSS-compliant web hosting gives you peace of mind that your provider knows what they’re doing. Atlantic.Net is SOC 2, SOC 3, HIPAA audited, and PCI ready and provides customers and those who process credit cards with the hardened, secure, and compliant infrastructure they need.
Get a $250 Credit and Access to Our Free Tier!
Free Tier includes:
G3.2GB Cloud VPS a Free to Use for One Year
50 GB of Block Storage Free to Use for One Year
50 GB of Snapshots Free to Use for One Year