What Exactly is PCI Compliance?
PCI compliance can seem complicated. You may think all is well and then find that your business is not compliant, and the explanations can seem vague. In this post we will go over the basics of PCI compliance: what it is, why it is important, and how you can navigate the waters with confidence. Recently our CEO, Will Slappey, sat down with Frank DeBenedetto to discuss PCI compliance.
PCI compliance is basically a framework, a set of rules and regulations put in place in 2006 to give the credit card industry and all of its associated entities a common standard to follow, with the aim of increasing security across the payments industry.
Who should be concerned about PCI Compliance?
Anyone taking forms of electronic payment.
Why is it important?
We want to contribute to good cyber hygiene across all industries. We would like to think the credit card processor is playing a role there, but because it handles payments, it is an industry riddled with fraud. There are several dangers to not being compliant. One is increased processing fees, which hit you directly in the wallet. Reputation harm is also a concern: if there is a breach in your credit card payment system, the community can lose trust in your organization.
From Frank: “And what's amazing is, you know, you can continue to process and do everything along the way. And your product, your processor will just charge you a fee: $35-$75 a month for being what they consider non-compliant. And typically that is related to a lack of doing a self-assessment questionnaire, or a testing of other things that you say you’re doing. But you know, you can basically truck along here and just continue to operate business as usual. The downside here, of course, is if you do find out that you are non-compliant, and there is a breach of some sort, you could not be, say, covered, right; you can be fully liable because you were never in compliance in terms of what the provider saw.”
What is a straightforward way to tell if you are not compliant?
Get a paper copy of your statement. Most processing companies do not send them, so you will have to log into a portal of some sort. Once you have the copy in hand, look for a charge item at the bottom labelled as a non-compliance fee, typically around $35-$75. This might not seem important in the long run, but if there is a breach you could be held liable because you were not in compliance.
If you find you are not PCI compliant, what is the next step?
PCI DSS (Payment Card Industry Data Security Standard) outlines 12 areas you need to look at. Six of those areas are handled by a traditional MSP for a customer as part of their cyber security program. This covers things like having a firewall, having antivirus on the computers, and controlling privileged access. Others are in the purview of the customer, such as policy requirements like not writing down credit card numbers. If you store credit card numbers in your computer system, make sure that the information is encrypted. It is also particularly important to keep up to date with technology, upgrading to the latest card readers and ensuring that your point-of-sale system stays updated.