In plain English, if you process credit card transactions and store credit card details then you need to have a robust system of security measures in place to ensure this data remains safe at all times, from both internal and external threats.
PCI compliance is the standard set down by the Payment Card Industry to ensure merchants do everything possible to keep their customers' data secure. The PCI DSS is mandatory for any business accepting payment by credit card. It is a comprehensive standard with 12 individual requirements, all of which need to be fulfilled in order to be fully compliant.
What it means for your business, at best, is that you have reassurance you are doing all you can to protect your customers' data and can continue to process credit card payments. At worst, your ability to process credit card payments could be removed indefinitely – remember the Lush Cosmetics breach, which meant their customers could no longer purchase online. Consider what that did to their bottom line and how such a breach could affect yours, particularly in the run-up to Christmas.
How Can I Tell If My Systems Are Secure?
We have prepared a 12-point checklist to get you started. It's quick and easy to use, requiring simple Yes/No answers. You can download it here.
What Should You Do If Your Systems Are Not Compliant?
Anything that you can rectify immediately should be your priority, and the individuals responsible should be made aware of the scope of the task given to them and the deadline for completion. You should plan to deal with all high-priority items in the shortest possible timescale. This may mean supplementing your IT department's skill-set with that of an external body, which will incur additional cost, but better to be safe than sorry!
What If We Don’t Have The Skills To Make Our Systems Compliant?
You need to know that whoever you approach has the skills, experience and accreditation necessary to ensure your systems are – and remain – compliant. Both MasterCard and Visa operate approved supplier lists of companies that have met their stringent requirements, and these are a good place to start. When you approach a company, ask about their PCI DSS accreditation and look for the PCI Security Council logo on their website. If they can't demonstrate that their accreditation is current or can't point you to their accrediting body – take your business elsewhere.
To summarise: in any company, data is its most valuable asset. Being seen as negligent could result not only in loss of business in the short term, but loss of consumer confidence in the long term, which could threaten the very survival of your business. Check your systems and deal with all danger areas so that you and your customers can continue to shop safely. Use external help where you need it; the cost will be much less than any subsequent fine should your data be breached.