No one said staying on top of PCI compliance was fun, but we can’t stress its importance enough. Exposing yourself to PCI compliance vulnerabilities is a sure way to get slapped with a business-crippling fine in case of a breach. Depending on your PCI level, these fines can range from a few thousand dollars to $100k/month, and many businesses fail to recover from an experience like that.
Your decisions around storing credit card information are critical to your compliance and security apparatus. PCI compliance is about protecting your customers’ sensitive financial data, and there are few things more sensitive than a client’s credit card information.
Today, we’re going to discuss thirteen foolproof tips that will show you:
Let’s dive in.
In a sentence, PCI compliance is about proving that you are proactively protecting your customer’s data.
PCI DSS applies to any of your organizations or locations that accept transactions, and you need to have policies and strategies for storing and protecting that data for each location.
Because each business is unique, there is no exact list of items that you need to do in order to “attain” compliance. Compliance is as much the hardware and software you use as the practices you have in place to check up on it. The security council in charge of PCI compliance does have a PCI compliance checklist for you to follow, but it’s more of a way to organize your efforts as opposed to an exact list of to-dos.
Official assessments are about analyzing security infrastructure from a technical standpoint and from an employee’s best practices or policy standpoint. You need to prove that you are working to protect the data you collect. That being said, there are some basic things you need to check off, including:
Storing online credit card data is most advantageous for businesses that deal with recurring billing or have active account users who purchase frequently. If you don’t fall into that camp, there are few arguments for why you should store credit card data on your servers. If it isn’t providing a clear benefit to your customers and bottom line, get rid of it.
Manually taking credit card numbers on paper and storing them is one of the biggest mistakes you or your employees can make. This information is private and should only be used for the duration of the transaction. Do not, under any circumstances, store physical credit card information on your store or in places like Google Drive, Dropbox, etc.
Just because your headquarters or servers are PCI compliant doesn’t mean your storefronts are. You need to have a system in place that addresses each business location individually.
The security council recommends building a system made up of three parts:
Program -> Policy -> Procedures
The PCI security council defines them as such:
A program typically includes strategic objectives, roles and responsibilities, and a plan to achieve business objectives. For example, a vendor-management program defines the roles and strategy to properly procure, on-board, manage, and off-board third-party service providers.
A policy typically includes a statement of management intent or rules that must be followed, e.g., a password policy defining strong passwords and the frequency with which they must be changed.
A process/procedure typically outlines the step-by-step tasks that responsible personnel must follow to properly complete tasks that align with the program and supporting policies, e.g., listing the steps needed to encrypt sensitive information before e-mailing it to a service provider.
Use this framework to organize your efforts. By creating these documents according to the PCI Council’s guidelines, you will be better prepared for any potential audits.
If you take payments over the phone, make sure it’s via a secure line and those messages are stored in a secure vault. Do not use your local line or personal cellphone lines to accept orders without security.
Regular contact fields on forms from CRMs like ActiveCampaign or HubSpot are not secure and should never be used to collect sensitive information. If you need to collect payment information, do so through an official payment gateway that is secure and built for that use. Everything sensitive should be encrypted with no exceptions!
PCI breaches are serious. Penalties range from fines starting at $5k and going up to $100k+, to the termination of your merchant account by your acquiring bank, to increased transaction fees charged as a penalty for the risk. Because a compliance failure can hit both your wallet and your ability to keep accepting transactions, it is a double threat that deserves your consistent attention.
Again, you should first determine if you even need to support recurring billing. If the value outweighs the risks, then we recommend using a secure vault. A vault is a data storage mechanism that uses encrypted tokenization: the card number is held only in the vault, and a token standing in for it is what passes between your payment system and the vault. It effectively removes those numbers from your possession and reduces the risk of breaches dramatically.
And keep in mind, if you need to store the data yourself, you will be raising the bar for your self-assessment and may need a council-approved assessor, called a Qualified Security Assessor (QSA), to perform an audit on your system.
Similar to form fields, you should never have unencrypted sensitive information stored in CRM profiles. Yes, tying payment information to customer lifetime value is important, but you can do that without sacrificing your security. Either find a system that puts that information in a secure vault or use separate software to link that information together when needed.
Part of your PCI compliance procedures should be to ensure that your hardware and software are kept up to date. Failing to update your POS system or smart terminals could open your business up to vulnerabilities. If a patch comes through, download and install it immediately.
The council also recommends that you:
The number one way merchants get hacked is through insecure remote access. It’s common for issues to occur when you’re out of the office or off location, but do whatever you can to reduce your reliance on remote access software products. Many of these vendors use simple passwords for remote access, and that makes it easy for hackers to get into your systems.
The security council recommends:
Working with a merchant services company that prioritizes PCI compliance does not exclude you from your PCI DSS compliance duties, but it does dramatically cut down the effort it requires. Take us, for example. We give each merchant we work with a PCI compliance dashboard. This dashboard reminds you what, when, and how to check to ensure that you are protected, and we even offer up to $100k in breach insurance for free.