As technology advances, more and more businesses prefer to go online because of advantages such as lower overhead costs and global customer reach. However, doing business online also exposes a company to cyber attacks, whether malware or hackers who steal company information. Fortunately, the PCI Security Standards Council is determined to protect customers and businesses from such incidents by setting standards that every business handling credit cards should follow. But how exactly does the council affect businesses? Let’s take a look.
The Payment Card Industry (PCI) Security Standards Council was founded on 6th September 2006 by five prominent payment brands, namely Visa, American Express, Discover Financial Services, MasterCard and JCB International. The five brands are also its members, and the council manages the ongoing changes to the PCI DSS (Data Security Standard), a set of 12 requirements against which businesses can measure their payment card security policies, procedures and guidelines. The council drew up these requirements, but it is not responsible for enforcing compliance; instead, the founding members, acquiring banks and payment service providers are tasked with that responsibility.
The standards that the Council expects businesses to comply with are:
- To protect cardholder data by installing and maintaining a firewall configuration.
- To not use vendor-supplied defaults for passwords and security parameters.
- To protect stored cardholder data.
- To encrypt cardholder data transmitted across open and public networks.
- To regularly use and update antivirus software.
- To develop and maintain secure applications and systems.
- To assign a unique identification to every person with computer access.
- To restrict physical access to cardholder data.
- To track and monitor access to cardholder data and network resources.
- To test security processes and systems regularly.
- To maintain policies that address information security.
By complying with these standards, businesses benefit from:
Increased customer confidence
The minute customers feel that the company they are transacting with is not doing its best to protect their interests, they will walk away and look for an alternative service provider. Confidence in a business results in loyalty, which in turn means high customer traffic and higher sales. It is therefore in a business’s best interest to prove to its customers that it is willing to go to any lengths to protect their credit card information; that way both you and your customers get some peace of mind.
For instance, Zenta, which handles credit card related work for US multinationals, realized that it needed to comply with the PCI DSS; it hired ControlCase and a Qualified Security Assessor from the PCI council, and the company obtained PCI DSS certification in December 2008.
Secure business data
The PCI Council gives guidance on what data may and may not be stored: its instructions include a table detailing which data elements a business may save and what it must do with them afterwards. For example, no company is allowed to store the PIN, the full magnetic stripe data or the CVV2 number. You may store the primary account number, but you must render it entirely unreadable, whether it sits on servers or on portable digital storage media. These precautions set by the PCI council protect business data against hackers and malware.
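The storage rule above, as an added illustration (not code from the article or from the council): a Python routine that reduces a raw point-of-sale capture to the fields the article says may be kept, renders the PAN unreadable by truncation plus a keyed hash (the choice of unreadability method is an assumption), and an audit check that flags a record still holding the full PAN or any sensitive authentication element. Function names, the sample capture and the key are constructed for the example.

```python
import hashlib
import hmac

# Elements the article says may never be stored after authorization.
SENSITIVE_AUTH_DATA = ("pin", "cvv2", "track_data")
# Elements that may be kept alongside the (unreadable) PAN.
STORABLE = ("expiry", "cardholder_name")


def mask_pan(pan: str) -> str:
    """Truncate to the first six and last four digits; the rest is masked."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("malformed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): lets a stored record be matched to a
    card later without keeping the PAN. The key must live outside the database."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def storage_record(captured: dict, key: bytes) -> dict:
    """Reduce a raw POS capture to the fields that may be persisted;
    sensitive authentication data is dropped, never copied."""
    pan = captured["pan"]
    record = {"pan_masked": mask_pan(pan), "pan_token": pan_token(pan, key)}
    record.update({k: captured[k] for k in STORABLE if k in captured})
    return record


def leaks_sensitive_data(record: dict, captured: dict) -> bool:
    """Audit check: flag a record that still holds any sensitive authentication
    element or the full PAN (storing raw account numbers is the failure mode)."""
    if any(k in record for k in SENSITIVE_AUTH_DATA):
        return True
    return any(captured["pan"] in str(v) for v in record.values())


# Constructed sample capture (a widely used test card number, made-up values).
SAMPLE_CAPTURE = {
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cardholder_name": "J DOE",
    "pin": "1234",
    "cvv2": "999",
    "track_data": "%B4111111111111111^DOE/J^2912101?",
}
SAMPLE_KEY = b"placeholder-key-kept-in-hsm-not-db"  # placeholder, not a real key
```

Running `leaks_sensitive_data(SAMPLE_CAPTURE, SAMPLE_CAPTURE)` models a POS system that simply persists what it read from the stripe, and is flagged; the output of `storage_record` is not.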
In 2008, Visa notified U.S. Bank that Cisero’s, a popular Italian restaurant, might have a compromised network after credit cards used at the eatery were used fraudulently elsewhere. Cisero’s hired two audit firms, which discovered that the restaurant’s POS system was indeed storing unencrypted account numbers read from the cards’ magnetic stripes; that in itself contravenes the PCI standards, and the restaurant was fined. After the restaurant failed to pay the entire fine, U.S. Bank sued the owners for the remainder; the owners argued in their defence that they should have been informed of the requirements and that the bank should have ensured they complied with them.
Fines and penalties avoidance
As with any other rules and regulations, failing to comply with the standards set by the PCI Security Standards Council results in fines from the credit card companies. The fines and penalties range between $5,000 and $100,000. The amount depends on factors such as the company’s PCI DSS level, its transaction volume, its number of clients and how long it has remained non-compliant. Penalties levied on the payment providers are passed on to the non-compliant company, which strains the relationship between the firm and its bank.
Security standards provision
It is hard to know how to protect your clients if there are no standards against which to measure your efforts. Fortunately, a business has a yardstick for continually improving its data protection processes: the guidelines that the Council sets.
Reduction of data breach cost
Companies that breach the data security standards incur financial costs that depend on factors such as the size of the breach, the payment channel affected, the number of servers and how those servers are interconnected. The firms also bear the cost of breach response, such as creating a webpage where customers can learn more about the breach incident. The main cost, however, is any forensic investigation, since the organization bears that expense; a Level 1 investigation can cost as much as $100,000. Extra costs include card brand promise fees, card re-issuance penalties and lawyers’ fees, among others.
While most merchants may feel that the PCI Security Council imposes too many standards, it is the businesses themselves that benefit from adhering to them. If compliance means that your business avoids severe fines, keeps its customers’ confidence, maintains a good reputation and avoids all the costs of non-compliance, then the council is there to protect businesses, not to impose extra rules.