Payment Card Industry (PCI) compliance still makes a lot of businesses nervous, but Marci Gagnon, VP of strategic alliances for Qualpay, says it’s actually not as scary as people think it is.
“PCI standards are actually good, common-sense business practices,” she says. Before Visa and the other card brands released the first version of the PCI Data Security Standard in 2004, and formed the PCI Security Standards Council in 2006 to run it industry-wide, each brand had its own program and there was no common standard, which Gagnon says resulted in an uneven security environment. “PCI brought standards to all parties in the payment chain so everyone is protected,” she explains.
PCI Data Security Standard Basics
The PCI Data Security Standard is organized around six goals (the standard calls them control objectives), each of which is met by a subset of its 12 requirements. The goals, with the requirements that fall under each:
- Build and maintain a secure network
  - Install and maintain a firewall configuration to protect cardholder data.
  - Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect cardholder data
  - Protect stored cardholder data.
  - Encrypt transmission of cardholder data across open, public networks.
- Maintain a vulnerability management program
  - Protect all systems against malware, and use and regularly update antivirus software or programs.
  - Develop and maintain secure systems and applications.
- Implement strong access control measures
  - Restrict access to cardholder data by business need to know.
  - Assign a unique ID to each person with computer access.
  - Restrict physical access to cardholder data.
- Regularly monitor and test networks
  - Track and monitor all access to network resources and cardholder data.
  - Regularly test security systems and processes.
- Maintain an information security policy
  - Maintain a policy that addresses information security for all personnel.
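As an added illustration of the requirement to protect stored cardholder data (this is example code written for this page, not Qualpay's or the PCI Council's), the Python below does the two things that requirement asks of an application: it finds primary account numbers (PANs) that have leaked into text such as application logs, validating each candidate with the Luhn check so that order IDs and timestamps are not flagged, and it masks a PAN to the first six and last four digits, the maximum PCI DSS allows on display. The regular expression, the function names and the three log lines are assumptions made here; the card numbers in the sample lines are the publicly documented test PANs, not real accounts.

```python
"""Find and mask primary account numbers (PANs) that have leaked into text.

Example written for this page; not code from the original article. PCI DSS
requires the PAN to be rendered unreadable wherever it is stored and, when
displayed, masked to at most the first six and last four digits.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens,
# which is how PANs usually appear in logs. Assumption made for this example.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS allows on display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if _is_pan(digits):
            found.append(digits)
    return found


def scrub(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _repl(m):
        digits = re.sub(r"\D", "", m.group())
        if _is_pan(digits):
            return mask_pan(digits)
        return m.group()        # not a card number (e.g. an order ID): keep it
    return _PAN_CANDIDATE.sub(_repl, text)


# Constructed sample log lines. 4111 1111 1111 1111 and 5555 5555 5555 4444 are
# the published Visa/Mastercard test PANs; 7000000000001 is a 13-digit order ID
# that fails the Luhn check and must therefore be left alone.
SAMPLE_LOG = [
    "2019-07-02 10:14:31 INFO  order=7000000000001 status=approved",
    "2019-07-02 10:14:32 DEBUG auth request card=4111111111111111 exp=12/21",
    "2019-07-02 10:15:07 DEBUG auth request card=5555 5555 5555 4444 exp=03/22",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub(line))
```

Run against a log directory, `find_pans` is the detective control (a non-empty result means card data is being stored somewhere it should not be), and `scrub` is the corrective one for log pipelines. Masking is for display only; data that must be retained still has to be encrypted, tokenized or truncated as the standard requires, and data with no business purpose should be deleted rather than masked.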
Don’t Focus on Compliance Alone
For ISVs and their clients alike, the emphasis needs to shift from demonstrating compliance once a year to following the 12 requirements on an ongoing basis. “The checklist and scan are only required once per year,” says Gagnon. “But security best practices need to be ongoing.” She says to think of annual compliance like an annual car inspection: if issues are uncovered during the inspection, you take care of them immediately rather than waiting until the next inspection. Businesses need to treat PCI DSS compliance the same way. The annual attestation is not the goal; the goal is to have the security controls in place, to update technology and procedures as necessary, and to keep following them throughout the year.
Gagnon says any business that stores cardholder data must go through PCI certification, which protects both the company and its customers. If you use a payment gateway that reduces your PCI scope (for example, by tokenizing card data so it never touches your own systems) or that integrates with other applications, keep documentation of the steps you have taken to mitigate risk, and keep each vendor's compliance documentation (such as its PCI Attestation of Compliance) on file. Gagnon points out that vendors who have achieved certification will be happy to provide that documentation or answer your questions.
Plan Breach Response
One vital security best practice is creating and maintaining an information security policy, which includes the business’ plan for what to do in the event of a data breach. “The most important thing to remember is not to panic. Follow the plan,” Gagnon says. “It’s vital to contain the breach but not to unplug computers unless directed by IT to do so. Document every step you take to make it easier for payment forensic specialists to figure out what occurred.”
Gagnon says the business should create a team that includes employees, IT professionals, legal counsel, payment companies, and other resources who will each play a role in the response.
She points out that, like all security best practices, maintaining the plan is an ongoing commitment. “The team can review the plan periodically and make sure it’s up to date,” she says. The team should make sure they have updated documentation and contact information so they can act quickly with breach notification.
The group can also take responsibility for reducing risk: closing obsolete accounts, changing passwords regularly, and confirming that all security patches have been applied. She says the team can also address some often-overlooked scenarios, such as which security practices to follow during a power outage when employees take credit card authorizations by phone, or reviewing records and destroying data you no longer need.
Help Educate Your SMB Clients
With the media attention devoted to high-profile data breaches, more business owners are aware of the need for IT security. Small businesses, however, may not realize the risks they face. IBM’s 2019 Cost of a Data Breach Report puts the average cost of a breach at $3.92 million, with lost business the biggest contributor (36 percent) to that figure. The study points out that smaller organizations suffer higher costs relative to their size: $3,533 per employee for organizations with 500 to 1,000 employees, versus $204 per employee for those with more than 25,000. Gagnon adds that within six months of a data breach, 60 percent of SMBs are no longer in business.
Gagnon stresses that educating SMB employees is crucial. About 40 percent of data breaches can be traced back to internal staff, not necessarily people with malicious intent, but untrained people who write login details or credit card numbers on paper, or leave laptops and mobile devices unlocked and unsecured.
Investing in employee training and other measures that keep data secure has become a business necessity along with insurance and healthcare coverage for employees. “If you have 30 employees, 30 families are counting on you to do the utmost to secure your business. By following PCI standards and best practices, a business puts itself on the path to making sure all vulnerabilities are taken care of.”