Your customer relationships come down to trust. Whether or not you deliver on what you promise and provide quality products and services is certainly top-of-mind. But what’s also a concern is how securely you handle their personal information—especially their credit card data.
The best way to defend credit card data is to implement the necessary security controls to comply with PCI-DSS—the data security standard established by the payment card industry. If you transact business with customers using debit or credit cards, or you handle card data, you must be PCI-DSS compliant to use the services of the major card issuers. You also need to be validated by a third-party auditor at least once a year, and in some cases every quarter, depending on how you process data.
It’s just as important to stay compliant in between third-party audits by continuously running internal audits. Fines for non-compliance can vary from $5K to $100K per month, and problems with compliance mean you’ve got security vulnerabilities and are more susceptible to cyberattacks.
If any card data is stolen, you will have a major public relations challenge on your hands. Existing customers will likely leave, and it will be difficult to attract new customers. Cybercriminals also take notice. Any business experiencing a breach becomes a prime target in the cyber underworld—threat actors love to share their exploits, and their colleagues assume a breached infrastructure must be a soft target.
To find out what businesses can do to achieve compliance and protect their customers’ credit card data, we recently talked to Katrine Pizzella of Heartland Payment Systems during a PulseOne Tech Talk. Pizzella is a Relationship Manager for Heartland, one of the largest payment processing providers in the U.S.
“Since the introduction of tokenized chips on cards, there has been a big decline in in-person fraud,” Pizzella points out. “But 71% of SMBs are still being targeted by cybercriminals, and identity theft is the fastest growing crime in the US—100 million Americans have had their information compromised.”
In addition to completing the PCI-DSS validation process with a third-party auditor, Pizzella has several tips for businesses to prevent breaches. “Reduce the number of systems where you store card data, and if possible, do not store any card data at all,” she recommends. “And when taking information over the phone, avoid writing it down—always enter it directly into a secure payment terminal.”
Other key tactics include avoiding physical handling of credit cards whenever possible by creating online payment pages so customers can enter their own information. The online payment systems should also use strong encryption so the card data can’t be stolen.
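The two tips above (store card data in as few systems as possible, ideally none, and let a payment page rather than your staff handle the number) are usually implemented with tokenization: the card number is exchanged for an opaque token at the boundary of the payment service, and the rest of the business only ever sees the token plus the last four digits. The following is an added illustration, not code from the original article or from Heartland Payment Systems; the `TokenVault` class is a hypothetical stand-in for a processor's tokenization service, and 4111111111111111 is a widely used Luhn-valid test number, not a real card. The `find_pans` helper shows the kind of check a defender runs over logs or database exports to confirm no full card number has leaked outside the tokenized boundary.

```python
import re
import secrets

# A PAN once spaces and dashes are stripped: 12 to 19 digits.
_PAN_FORMAT = re.compile(r"^\d{12,19}$")
# Finds digit runs of PAN length inside free text (log lines, serialized records).
_PAN_SCAN = re.compile(r"(?<!\d)\d{12,19}(?!\d)")


def _normalize(pan: str) -> str:
    """Strip the separators people type or print between digit groups."""
    return pan.replace(" ", "").replace("-", "")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:  # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form for receipts and screens: only the last four digits survive."""
    digits = _normalize(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


class TokenVault:
    """Hypothetical stand-in for a payment processor's tokenization service.

    Only this object ever holds a PAN, so it is the one component that stays in
    PCI-DSS scope. Every other system in the business works with the token.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        digits = _normalize(pan)
        if not (_PAN_FORMAT.match(digits) and luhn_valid(digits)):
            raise ValueError("not a well-formed card number")
        # A random token reveals nothing about the PAN. A plain hash of the PAN
        # would not do: the keyspace is small enough to brute-force.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Used only at the moment of charging, inside the PCI-scoped boundary."""
        return self._pan_by_token[token]


def capture_payment(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Build the order record the application database keeps: token and last4, never the PAN."""
    digits = _normalize(pan)
    token = vault.tokenize(digits)
    return {"token": token, "last4": digits[-4:], "amount_cents": amount_cents}


def find_pans(text: str) -> list[str]:
    """Scan free text for Luhn-valid digit runs; a simple leak check for logs and exports."""
    return [m.group() for m in _PAN_SCAN.finditer(text) if luhn_valid(m.group())]


if __name__ == "__main__":
    vault = TokenVault()
    record = capture_payment(vault, "4111 1111 1111 1111", 1999)
    print(record)                                              # token and last4 only
    print(mask_pan("4111111111111111"))                        # ************1111
    print(find_pans("order 42 paid with 4111111111111111"))    # a leak, flagged
    print(find_pans(str(record)))                              # [] : record is clean
```

Running `find_pans` over application logs before they leave the host is a cheap, continuous version of the internal audit the article recommends: a non-empty result means a full card number reached a system that was supposed to be out of scope.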
It’s also important to implement best practices on any devices your business uses to process card transactions. “Weak system passwords are the leading cause of breaches, so use strong device passwords and update them every 90 days,” Pizzella recommends. “Also make sure the software is current and fully patched. Those that are not are more susceptible to breaches.”
As a final tip, Pizzella recommends checking to make sure the business partners with which you process credit card transactions are also PCI-DSS compliant. This is key because many companies suffer breaches where cybercriminals gain access to a third-party system and then find a way to also breach their partners.
But the pay-off for complying with PCI-DSS goes way beyond satisfying the requirements of your payment processing partners and your business partners. It’s all about protecting your customers so you maintain that trust relationship you have established, and they keep coming back to you to buy more products and services. As they continue to place their trust in you, be sure to earn it!
If you have questions about achieving PCI-DSS compliance, contact us today to schedule an assessment of your current IT environment. We work with specialists like Heartland Payment Systems to secure the business technologies of all of our clients.