Introduced in 2004, the Payment Card Industry Data Security Standard (PCI DSS) sets requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures for anyone who stores, processes or transmits payment card data. The standard is updated regularly by the PCI Security Standards Council (PCI SSC). A merchant that fails to comply has not implemented the controls the standard exists to enforce, and so is more exposed to a data breach and to the fallout that follows one, including fines, fees and lost business.
Despite this very real threat, credit card processing compliance remains something of a mystery to many merchants. Small and medium-sized merchants in particular are likely to know little about what it takes to be PCI compliant, and often put off compliance efforts until it is too late. To help merchants get a better understanding of credit card processing compliance, let's review, and debunk, three common myths:
Myth #1: Small merchants don’t need to worry about credit card processing compliance because they are not a common target for thieves.
Reality: It's true that big data breaches make the news. But the reality is that 80 percent of data breaches actually target small businesses, with devastating effects: three out of five small businesses close within six months of experiencing a breach. The belief among SMB merchants that they are not at risk is exactly what makes them more vulnerable. Thieves know that many SMBs lack the resources and time to dedicate to security, and a merchant that does not make compliance and security a priority is an easy target for data thieves.
Myth #2: Credit card compliance is a one-time event.
Reality: The PCI DSS requirements continue to be amended; the most recent release, PCI DSS 3.2, came out in April 2016. Updates to the standard are based on data breach report findings, changes in how payments are accepted, and feedback from the PCI Council's Participating Organizations. Because the standard evolves, compliance is dynamic too. The quarterly scans and the annual self-assessment or audit are checkpoints, not the whole job: credit card compliance is an ongoing responsibility that merchants need to pay attention to at all times, including whenever their network, systems or payment acceptance methods change.
Myth #3: All compliance efforts require the assistance of a professional.
Reality: While it's true that PCI compliance is not simple and can be eased by partnering with a company like Vantiv, it's a myth that every compliance effort requires professional guidance. There are several practical steps merchants can take on their own to help achieve and maintain card processing compliance, and ultimately reduce their risk of a data breach. Following are five actions Vantiv recommends:
- Develop a security policies and procedures document for your business, and use it to track all related activities, such as scan results, training dates and changes to the network.
- Train employees on why credit and debit cards must be processed securely and on the specific steps they must take to protect your business computing network, including how to recognize tampered card readers and phishing attempts.
- At least once per quarter, and after any significant change to your network, perform External Network Vulnerability Scans of your internet-facing IP addresses. PCI DSS requires the quarterly scans to be run by a PCI SSC Approved Scanning Vendor (ASV), so choose a scanning service accordingly.
- Monitor and log access to the network segments that handle cardholder data, and check regularly for wireless access points that do not belong there. An unauthorized access point is an open door into the cardholder data environment.
- Make sure all passwords are secure. This means replacing every vendor default password before a device or application goes into service, changing passwords at least every 90 days as PCI DSS 3.2 requires, and giving each employee a unique user ID and password rather than a shared login, so that every action can be traced to one person.