The safety and security of the information you hold about customers is crucial if they are to trust your business, and that peace of mind matters most when you are handling payment information.
That’s why the Payment Card Industry Data Security Standard (PCI DSS) exists. Any company that accepts credit card transactions must meet this standard.
PCI DSS requirements range from having data security policies in place to following measures such as removing card data from your systems.
Achieving and maintaining PCI compliance isn’t easy, however, and it has probably slipped down the list of priorities for businesses worried about their future during the pandemic.
If your business does not comply with PCI standards, you could be at risk of data breaches, fines, reputational damage, and more.
Here’s what you need to know:
Data breaches
Reports show that the number of fully compliant companies is growing rapidly each year, which is great. But the rise in data breaches shows no sign of slowing down.
This could be due to the number of coronavirus-related cyber-attacks, and to hackers taking advantage of increased home working. However, the level of PCI compliance also plays its part.
One of the major misconceptions about PCI compliance is that it guarantees your business and its data are secure or hacker-proof. This can lead businesses to tick the PCI compliance box, cross it off their list and then forget about it until the next audit is due.
PCI compliance can help prevent a data breach, but it does not guarantee protection. Taking the steps outlined in the official standards document can greatly reduce the risk of a breach, and of the fines for non-compliance that follow one.
Several businesses have been in the headlines for facing data breaches as a result of not being fully compliant, such as British Airways, HSBC and Dixons Carphone. It’s important to learn from mistakes other companies have made, particularly when it comes to ensuring that there is enough security around your payment forms and phone payments.
What are the consequences of a PCI-related data breach?
1. Fines and penalties
Businesses found to break PCI rules could be fined roughly £4,000 to £80,000 per month by payment providers, according to the PCI Compliance Guide.
But if your business is unlucky enough to then experience a breach, you could also be risking an even heftier penalty. Cardholder data is considered personal information under the General Data Protection Regulation (GDPR). This means a breach of PCI compliance is also a breach of the GDPR and is therefore subject to the same scrutiny and potential fines.
The GDPR also mandates that data breaches be reported within 72 hours; failure to do so will result in additional penalties.
2. Loss of trust from customers
A big concern when a data breach occurs is the reaction of your customers. Money is easier to recover than your brand’s reputation, and if you have shown you cannot keep their personal data safe, trust is likely to be lost and hard to build back up.
It is far better to invest properly in breach prevention measures such as PCI compliance up front, so that the risk is reduced as much as possible.
3. Other consequences
A loss of reputation isn’t the only consequence of a data breach. There’s also the more obvious risk that a data breach poses to your own company information. Losing sensitive information or intellectual property can impact the competitiveness of your business. Some rivals would not hesitate to take advantage of stolen information.
In the UK, 26% of businesses admit they have experienced a data breach in the last year which has resulted in material loss, according to a government survey.
Experiencing a breach also leaves you more exposed: once you have been compromised, other hackers will notice, and the likelihood that you will be targeted again increases. PCI compliance is essential to ensure you are in the best possible position.
What are some tips for PCI compliance?
The good news is that there are things you can work on now to raise your level of compliance.
Review your policies and procedures
Before you get started with any PCI compliance efforts, you must first know how payment information is being stored and processed and what policies for the handling of sensitive data you already have in place. Consider how this data is being used by employees and whether current policies adequately protect that data.
It’s also good practice to review your IT security policies and procedures. Your security strategy needs to address all of your employees and reflect your attitude toward PCI compliance and overall data security. This includes continued training for your staff.
Companies must ensure that everyone working with cardholder information on a day-to-day basis is aware of PCI requirements, their importance, and how they can support and ensure compliance.
Secure business processes
To secure your data, you must first install and maintain cybersecurity solutions such as firewalls and antivirus software to protect against external threats.
But do remember that you can also face internal threats and human error. Any payment or cardholder data, digital or physical, must be guarded and monitored, and access should be restricted on a business ‘need to know’ basis. To maintain PCI compliance, keep a log of who has accessed that data, and the dates and times they did so.
It may seem obvious, but strong passwords at every point of access are essential. Many hackers choose the easiest path to card data. If your network or systems use easy-to-guess or default passwords, you are practically opening your business doors to them.
A good way to simplify your PCI compliance is to limit how much card data you store. The less data you hold, the less time and fewer resources you have to devote to securing it.
Compliance for remote working
At the start of the Covid-19 pandemic, the PCI Security Standards Council issued special guidance for remote work aimed at helping companies maintain security best practices and protect payment card data while their employees work from home.
From requiring employees to carry out processing operations in their home office spaces to securing personal devices, you must follow this guidance to ensure ongoing compliance with PCI DSS.
Don’t put off attending to your compliance strategy; delay may put your company at risk. To understand more about Onecom’s fully compliant and secure PCI offering, speak to one of our experts today.