Making Your Business Compliant with PCI Level 1

Protecting personal data should be a primary concern of any business, especially those that process card payments. Here's our guide to making your business compliant with PCI Level 1.

By Anita Spenceley

If your business processes card payments, it’s likely that you're aware of the PCI DSS certification. The Payment Card Industry Data Security Standard (PCI DSS) is a set of rules established by the Payment Card Industry Security Standards Council (PCI SSC) to protect customer card data. 

There are four levels of PCI compliance, based on the number of transactions your business processes in a year. PCI Level 1 is the highest standard and applies to businesses processing more than 6 million Mastercard or Visa transactions annually. Level 1 also applies to any merchant that has experienced a data breach, or that a card association has deemed to be Level 1.

Protecting personal data should be a primary concern of any business. Data protection continues to be a topic of debate and a factor that influences how consumers choose their service providers and product suppliers. Numerous data breaches have hit the headlines in recent years. In 2005, Cardsystems Solutions Inc. was hacked, compromising the credit card numbers of millions of MasterCard customers. Then there was the recent Equifax breach, in which hackers gained access to the birth dates, telephone numbers, email addresses and other personal data of U.S.-based customers.

Consumers are becoming increasingly protective of their privacy and security. Failing to address this issue could make it difficult for your company to attract new customers and to retain existing ones.

How do I make my business compliant with Level 1?

Any business owner seeking to attain PCI compliance must first complete a self-assessment to evaluate their current level of compliance. This self-assessment will also identify any areas of non-compliance that need to be addressed. For PCI Level 1, a merchant is additionally required to undergo an annual assessment by a Qualified Security Assessor (QSA).

The PCI Security Standards Council sets out a three-step process for gaining PCI compliance:

1. Assess

The first step is to evaluate your current level of PCI compliance. Identify cardholder data, take an inventory of IT assets and business processes for accepting card payments and flag any vulnerabilities. 

2. Remediate

Now that you know where vulnerabilities exist in your business processes, you can put controls in place to remove them. The PCI SSC recommends eliminating storage of cardholder data "unless absolutely necessary".

3. Report

This final step entails reporting your compliance status with the PCI DSS to the relevant acquiring financial institutions or payment card brand.

Protecting customer data

If your business accepts payments by card, you must have systems in place to protect your customer data. Customers should not be required to read card data to call centre staff directly over the telephone, nor should this data be stored where it can be easily accessed. So how do you obtain the details you need to take payment while maintaining compliance with the PCI DSS?

A simple solution is to invest in a secure phone payment system that manages this for you. A secure payment solution enables you to take telephone payments, record all calls and achieve PCI compliance. Cloud-based solutions for contact centre environments allow customers to provide their card details without any of that information being shared with, or stored by, the agent or the call recording software. The added benefit of a cloud-based system is that you don't need to purchase expensive hardware, and you can scale the service up as your business grows.

Is it worth it?

The PCI SSC emphasizes that compliance is an ongoing activity rather than a one-off annual assessment, which on its own can create a false sense of security. The yearly assessment process is stringent and consists of several steps. These include an examination of your point of sale (POS) system, an in-depth review of any areas of vulnerability identified, and a prioritized list of planned improvements to increase security and minimize the risk of attacks.

Obtaining and maintaining PCI compliance can therefore be an arduous task. But the potential cost to your business of non-compliance could be devastating. Consider the data breaches that have hit the headlines. Incidents such as these can seriously damage the reputation of your business. Big brands can often bounce back, but a small business may never recover from a major breach. Consumers have other options, and they won't stay with a company that they cannot trust with their data.

If your business suffers an attack or a data breach, there is also the chance that your card brand, such as Visa or Mastercard, or possibly a bank, could sue you. Such action could cost your business thousands or even millions of pounds.

Obtaining and maintaining PCI compliance certainly isn't a breeze. But when considered in light of the potential risks of non-compliance, it's an effort worth making. The PCI Security Standards Council offers plenty of help and guidance on how to get started. If it all seems a little overwhelming, enlist some specialist advice from a PCI compliant vendor, or explore the secure payment solutions available for delivering peace of mind to you and your customers.

About the Author

Anita Spenceley is an experienced communications professional with over 25 years of experience in the telecoms field. In her role as Director of Sales and Operations, Anita has established Callstream as a market-leading provider of virtual telephone services.