Accepting credit card payments can greatly boost your business’s bottom line, but it comes with an immense responsibility. Anyone paying attention to the news knows how ubiquitous credit card breaches and hacks have become, with Target, Home Depot, and now even Equifax — a premier U.S. credit bureau — falling victim to data breaches that compromise precious cardholder and personal data.
Maintaining a secure cardholder data environment (CDE) isn’t simply recommended, it’s required. Any business or organization that transmits, stores, or processes cardholder data falls within the scope of the Payment Card Industry Data Security Standard. You may be thinking to yourself, “Wait, that means my business is within PCI scope!” Yes, it likely is.
By being within scope, your business is subject to:
- Annual PCI audits to evaluate systems and check for security vulnerabilities.
- Potential quarterly reviews of the systems that store cardholder data.
- Losses of up to $90 per compromised card in the event of a data breach.
The fact is, you simply can’t ignore your PCI obligations. Consider that Target’s earnings reportedly fell 46 percent after its infamous 2013 data breach. Can your business sustain a revenue drop of this magnitude? Even if it can, PCI non-compliance can result in merchant account termination, rendering you unable to accept credit or debit card transactions moving forward.
So, let’s discuss what PCI is, how your CDE is configured, and how you can best reduce your scope to minimize your business’s risk of a data breach.
An Overview of PCI DSS
PCI DSS was put into place by the major card brands (Visa, MasterCard, Discover, and Amex) to reduce fraud-related losses by establishing high security standards and enforcing their adherence. These guidelines also allow for the ranking of businesses based on their compliance.
PCI Level 1 compliance is the highest achievable level. You can verify whether your current merchant services provider is PCI compliant by searching for it in the Visa Global Registry of Service Providers. Compliance is assessed annually through audits and system tests that probe for vulnerabilities and evaluate implemented best practices.
To ensure that your business and customers are safe, PCI Level 1 compliance should be a requirement for any provider you partner with. This includes the providers of your processing terminal, e-commerce platform, point-of-sale (POS) software, and virtual terminal if you have a patchwork setup.
Additionally, it’s important to use common sense and best practices when storing and accessing data. While writing a frequent customer’s card number down and filing it in a cabinet may seem convenient, it’s in violation of PCI standards. Spreadsheets aren’t safer, even if your computer is password protected. Likewise, even if there isn’t cash in your drawers, locking up at night is vital if your computer or network interacts with cardholder data.
The Components of Your CDE
Your computer and network could be vulnerable due to the following components of your CDE:
- Networks: Physical connections like Ethernet, wireless connections like Bluetooth, or virtual connections like firewalls.
- Applications: Retail and mobile POS, virtual terminals or payment gateways, e-commerce websites, and management software that interact with cardholder data.
- Software: Processing software that is either native or SaaS. Native software must be downloaded to your servers, which brings those servers into PCI scope.
To reduce your liability, you can implement the following best practices when it comes to your network, applications, and software:
- Leverage network segmentation to isolate where cardholder data is stored.
- Elect to only use applications that are secured using point-to-point encryption (P2PE) or tokenization.
- Opt for SaaS-based software that lacks middleware.
Middleware is an additional piece of software that’s often required to connect your POS to your card reader. However, certain EMV-certified processing terminals connect to your network directly via Ethernet instead of through middleware. This means all cardholder data bypasses your computer and network, reducing your PCI scope.
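To make the tokenization point concrete, here is an added example (not code from the article or from any provider it mentions) that models a hypothetical provider-side vault handing the terminal an opaque token, the token-plus-last-four record a merchant is allowed to keep, and a scope check that scans merchant-side data for anything that still looks like a full card number. The PAN used is a constructed, well-known test number, and the class and function names are assumptions.

```python
import re
import secrets

# Constructed sample: a well-known test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that every card brand's PAN must pass."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProviderVault:
    """Hypothetical provider-side token vault; the merchant never holds this data."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a syntactically valid PAN")
        token = "tok_" + secrets.token_hex(12)   # opaque, derived from nothing in the PAN
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token[token]           # the PAN is dereferenced only here
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


def terminal_capture(vault: ProviderVault, pan: str) -> dict:
    """Models a terminal sending the PAN straight to the provider; the merchant
    system only ever receives the returned token and the last four digits."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


# Scope check: a PAN-length digit run, not glued to other word characters, that passes Luhn.
PAN_RE = re.compile(r"(?<!\w)\d{13,19}(?!\w)")


def find_pans(text: str) -> list:
    """Return Luhn-valid PAN candidates found in merchant-side data (should be empty)."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]
```

Running find_pans over exported spreadsheets, database dumps or log files is a quick way to confirm that no full card numbers are sitting on systems you believe are out of scope.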
Streamlining Your Providers for Simpler Compliance
By partnering with a proven and tested all-in-one provider that is PCI Level 1 compliant, you can minimize your liability. Opting for SaaS-based software and a processing terminal that lacks middleware, and committing to best practices for storing cardholder data, all contribute to a safer, more compliant business environment in which no cardholder data is transmitted, processed, or stored on your computer or network.
If a fraudster breaks into your business location, you can rest assured that cardholder data isn’t compromised. Furthermore, choosing a provider that uses tokenization to protect cardholder data will ensure that your customers’ information isn’t compromised throughout the transaction process.
About the Author
Christina Lavingia is the marketing manager at PayJunction, a PCI Level 1 merchant account provider and payment gateway. PayJunction’s Smart Terminal doesn’t use middleware and is cloud-controlled, allowing you to rest easy knowing that your computer and network are never interacting with or storing cardholder data. The Smart Terminal is free for qualifying businesses.