Roughly 36% of all data breaches involve payment cards, according to Trustwave's 2019 Global Security Report. The retail industry, and e-commerce in particular, is a prime target for data thieves.
By meeting payment card industry (PCI) compliance rules, you're not just abiding by the law; you're providing vital protection to your most valuable asset: your customers.
PCI compliance requires businesses that process, store, or transmit cardholder data to protect that data by meeting global data security standards (DSS). The standards are maintained by the PCI Security Standards Council, a consortium founded by American Express, Discover, JCB International, MasterCard, and Visa.
The Council sets standards for all entities that store, process, or transmit cardholder data, including merchants, banks, payment processors, and hardware and software developers.
The standards apply to debit, credit, and prepaid cards. They don't apply to automated clearing house (ACH) payments drawn directly from bank accounts.
While the requirements are generally uniform, each credit card company articulates its own rules, so you might find subtle differences as you navigate PCI compliance standards.
The PCI Council divides merchants into four risk levels based on the number of payment card transactions they process, whether the transactions are in-person or e-commerce, and whether the business has suffered a breach. The vast majority of small businesses that process payment cards are Level 4.
The levels break down as follows:
As you can see, experiencing a data breach will generally bump you directly to Level 1 status, which carries more stringent requirements.
Meeting PCI compliance requirements can be a challenge, but the security habits they enforce are valuable best practices for any business. Merchant banks and third-party applications handle many aspects of PCI security, so you may find that much of the legwork has been done for you.
It is your responsibility, however, to confirm that third-party systems and applications used in your business are PCI compliant.
In addition to creating a secure environment, your business must assess and report on these efforts. Level 4 businesses generally must conduct quarterly network vulnerability scans, complete an annual PCI DSS self-assessment questionnaire (SAQ), and submit an attestation of compliance (AOC).
Banks, the PCI Council, and other authorities may require an AOC to confirm your company's PCI security. All of these activities are designed to ensure adherence to the PCI DSS requirements summarized below.
To meet the scanning requirements, you may contract with an approved scanning vendor (ASV). You may also consult a qualified security assessor (QSA) for assistance with the assessment requirements. These companies are certified by the PCI Council to assess and validate compliance.
The first step in any DSS assessment is to define the scope of the cardholder data environment from customer acquisition through the sales process. This requires identifying the locations and flow of all cardholder data and the people, processes, and technologies that interact with it. This reaches far beyond IT to sales and fulfillment functions in your company.
A whopping 57% of data compromises occur on a business's corporate or internal network, according to Trustwave.
Network security must prevent unauthorized access to systems from all internal and external sources, including e-commerce, employee internet use, email, dedicated connections with other businesses, and wireless networks.
You've already assessed the scope of cardholder data your business handles and where it lives. Now you need to implement data retention and disposal policies to protect it.
Per PCI regulations, the primary account number, cardholder name, service code, and expiration date may be stored only on secure networks and applications as required to complete transactions.
Sensitive authentication data including full track data (data from the card's magnetic stripe or chip), card verification codes, and PINs may not be stored at all after authorization, even if encrypted.
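As an added example (not from the article), the storage rule above can be enforced in code: a Python check that strips sensitive authentication data from an authorized transaction record before it is persisted and flags log or database lines that still carry track data, a CVV, or a PIN. The field names, the sample record and the log lines are constructed; truncating the stored PAN to its last four digits is an assumption beyond what the article states.

```python
import re
from typing import Any

# Field names are constructed for this example; real payment records use
# whatever names the gateway or POS software emits.
STORABLE_FIELDS = {"pan", "cardholder_name", "service_code", "expiry"}
# Sensitive authentication data: never stored after authorization.
SENSITIVE_AUTH_FIELDS = {"track1", "track2", "cvv", "cvc", "cid", "pin", "pin_block"}

# Track 2 looks like ";<PAN>=<YYMM><service code>...?"; track 1 starts "%B<PAN>^NAME^".
TRACK2_RE = re.compile(r";?\d{13,19}=\d{4,}\??")
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]*\^")
SAD_FIELD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*[=:]\s*\d{3,}", re.I)

def mask_pan(pan: str) -> str:
    """Keep only the last four digits (assumption: the business never
    needs the full PAN back, so truncation renders it unreadable)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

def sanitize_for_storage(record: dict[str, Any]) -> dict[str, Any]:
    """Return only the fields of an authorized record that may be kept:
    drop SAD and unknown fields, truncate the PAN."""
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in SENSITIVE_AUTH_FIELDS or k not in STORABLE_FIELDS:
            continue
        out[k] = mask_pan(value) if k == "pan" else value
    return out

def find_sad_leaks(lines: list[str]) -> list[int]:
    """Indexes of lines that still contain track data or a CVV/PIN field,
    for a retention review to flag and purge."""
    return [i for i, line in enumerate(lines)
            if TRACK1_RE.search(line) or TRACK2_RE.search(line) or SAD_FIELD_RE.search(line)]

SAMPLE_RECORD = {  # constructed authorized transaction
    "pan": "4111 1111 1111 1111", "cardholder_name": "J DOE", "expiry": "2512",
    "service_code": "201", "cvv": "123",
    "track2": ";4111111111111111=25122011234567890?", "auth_code": "A1B2C3",
}
SAMPLE_LOG = [  # constructed application log lines
    "2019-06-01 auth ok order=1001 pan=****1111 exp=2512",
    "2019-06-01 debug raw=;4111111111111111=25122011234567890?",
    "2019-06-01 form cvv=123 pin=4321",
]

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_RECORD))
    print(find_sad_leaks(SAMPLE_LOG))
```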
Now that you have a secure system and data protection measures in place, you can turn your focus to potential vulnerabilities in your defenses. Hackers and phishers never rest, and your security efforts need to be just as active to deter them.
People are part of the cardholder data environment. Every employee with access to cardholder data is a potential vulnerability. To protect sensitive data, allocate access strictly on a need-to-know basis.
Security is never a set-it-and-forget-it affair. It's important to schedule regular testing to ensure that your security measures are working and no breaches have occurred.
Everyone in your business should understand the importance of protecting data and the policies and procedures you have in place to do so. It may feel like a lot of work, but it's important to document every security protocol and track your activities to create a reliable security environment for your company.
Consumers are highly protective of their data, with good reason. Norton reports that some 4.1 billion records were exposed in the first half of 2019 alone, and every data theft represents needless anxiety and expense.
Being PCI compliant is an important trust factor that can help you build customer confidence, close more sales, and keep that most valuable of company assets -- the customers you have -- coming back for more.