Accepting payment: Meeting the PCI DSS
Using a payment card to make a purchase online can be cause for customer concern: they want to be sure that their details will be stored securely and not accessed for fraudulent use. As a business taking money from consumers electronically, it is vital to ensure that you have adequate card data protection processes in place. Customers need to feel safe using your platform, and any information leakage can be hugely destructive to your company.
The worldwide Payment Card Industry Data Security Standard (PCI DSS) was set up to help businesses process card payments securely and reduce payment card fraud. It puts in place strict controls on the storage, transmission and processing of cardholder data, with the intention of protecting sensitive card data that is vulnerable to misuse.
The PCI DSS has a list of high-level requirements for businesses to adhere to:
Build and maintain a secure network – firewalls configured to protect data, do not use vendor-supplied defaults for system passwords/security parameters
Protect Cardholder Data – use encryption for stored data, as well as for the transmission of data and sensitive information across public networks
Maintain a Vulnerability Management Program – Update anti-virus software regularly, build and maintain secure systems and applications
Implement Strong Access Control Measures – Restrict access to data by business need-to-know, assign a unique ID to anyone with computer access, restrict physical access to data
Regularly Monitor and Test Networks – Test security systems regularly, track and monitor all access to network resources and data
Maintain an Information Security Policy – Create and maintain a policy that addresses Information Security
It is imperative that you remain fully compliant with the PCI DSS. If your business suffers a data breach and you are found to be remiss with any of the compliance guidelines, you will be handed a hefty Card Scheme fine. In addition, you may be liable for any financial losses incurred by the customer, and any operational costs involved in replacing their account.
Never forget that you are held responsible for your customers’ data, regardless of who processes this data on your behalf. To cut down the risk of your customers being affected by fraud, it is advisable that you regularly review the data in your possession and get rid of any that you no longer need.
The less data you have in your possession, the less chance you have of being implicated in card fraud. It is also suggested that you change all system passwords every three months, use strong passwords with at least 8 characters and be on the lookout for anything suspicious, such as failed access attempts or out-of-hours activity.
Do make sure that your business is fully compliant with the PCI DSS at all times, and assess your processes annually. It is well worth the time and trouble it takes to maintain your cardholder data protection systems. Getting hacked is a common threat to organisations everywhere – don’t make the mistake of taking a chance because you think it’s unlikely to happen to you. If you do end up getting hit, the losses to your business can be catastrophic.