Friday, March 4, 2011

Rules of PCI DSS Compliance

Pointers and considerations to make the compliance journey a smoother ride for your organization.

Data breaches have made news often in the past few years. When credit cardholder data is compromised, merchants face bad publicity, lasting damage to their reputations, lost business and possible fines. The global average cost of a single data-loss incident was $3.43 million in 2009, or $142 per compromised record, according to a report from the Ponemon Institute.

That’s why American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa developed the PCI DSS (Payment Card Industry Data Security Standard). Any business with a merchant ID that accepts credit card payments—whether online, over the phone, or using credit card machines or paper forms—needs to comply with these standards, even if it uses a payment service provider.

Here are some pointers and considerations to make the compliance journey a smoother ride for your organization:

• Don’t think PCI DSS is going away. Nevada, Minnesota and Washington have incorporated all or part of PCI DSS into their laws. These states are forerunners of a movement similar to the one that led to the adoption of data-breach notification laws, which have so far been enacted by 46 states. Additionally, many banks are now asking their merchants to comply; some are even imposing fines for noncompliance.

• Don’t hide behind the fact that your payment service provider is PCI DSS-compliant. Remember that all “actors” in the credit card payment chain must comply: merchants, payment service providers, banks and hosting providers (if applicable).

• Don’t pick and choose requirements. Merchants need to comply with all the requirements applicable to their credit card payment structure, regardless of any compliance-validation mechanisms they may use. This involves having the appropriate technical and physical security safeguards, policies and procedures in place, and performing quarterly scans of the CHD (cardholder data) environment if it is connected to public networks. Merchants need to train their employees—both when they are hired and again once each year—in matters concerning credit card security. It is also important to be aware that at the highest level, if a merchant processes more than 6 million transactions per year, a qualified security assessor must come on-site to verify compliance.

• Don’t underestimate the time, cost and effort involved in PCI DSS compliance. Get C-level support to make it happen.

Steps to Compliance
