It’s complicated, but if your business (be it a sole trader, small business, national or global entity) is processing, storing and/or transmitting credit card information, I would recommend you continue reading.
But first off I am going to make a promise to you.
I promise that this post will not contain any nerdy technical terms or go into detail on the standard’s requirements or any debates about the interpretation of said requirements. This post is for business owners seeking to understand if they need to be “PCI compliant” and if so what to do next.
And before I continue I need to mention that this post is for merchants only. If you believe your business is a “service provider” (for example, your customers are other merchants that you store, process, or transmit cardholder data for) then wait for my next post which will cover PCI DSS service providers.
So, What is PCI DSS?
So, let’s begin by making sure that we are on the same page with the term “PCI”. The Payment Card Industry Security Standards Council (PCI SSC) is tasked with managing the Payment Card Industry Data Security Standard (PCI DSS), which is commonly referred to as “PCI”. The PCI SSC in fact manages more standards than just PCI DSS, but at a guess you would not be reading this post if you were looking for information on those.
The PCI DSS standard is comprised of 12 high-level requirements. Each requirement addresses one component of securing credit card data. For example, Requirement 1 addresses the need to have a firewall installed within certain parts of your computer network, Requirement 2 looks at ensuring any vendor defaults for accounts or configurations are changed, and Requirement 12 deals with policy and standards among other things. Each of the 12 requirements is then broken down into sub-requirements which address specific items for compliance.
At the time of writing this post there are more than 240 requirements in total for PCI DSS 3.2! Don’t be worried yet. Depending on your business, not all requirements may be applicable to you.
The table below lists the 12 high-level requirements.

| Requirement | Objective |
|---|---|
| Requirement 1 | Install and maintain a firewall configuration to protect cardholder data |
| Requirement 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Requirement 3 | Protect stored cardholder data |
| Requirement 4 | Encrypt transmission of cardholder data across open, public networks |
| Requirement 5 | Use and regularly update anti-virus software on all systems commonly affected by malware |
| Requirement 6 | Develop and maintain secure systems and applications |
| Requirement 7 | Restrict access to cardholder data by business need-to-know |
| Requirement 8 | Assign a unique ID to each person with computer access |
| Requirement 9 | Restrict physical access to cardholder data |
| Requirement 10 | Track and monitor all access to network resources and cardholder data |
| Requirement 11 | Regularly test security systems and processes |
| Requirement 12 | Maintain a policy that addresses information security |

To reach PCI DSS compliance you must meet each of the requirement’s objectives that are applicable to your scope of compliance, which I will cover later in this post.
PCI DSS is an annual reporting process. Even though you only have to report on your compliance annually, you’re expected to stay compliant throughout the year.
Why Do I have to be “PCI DSS Compliant”?
In short, PCI DSS is here to help reduce the chances of credit card data being stolen and that includes your credit cards!
PCI DSS is important and much needed in helping businesses improve their IT security. Almost every day a major breach of personal information, including credit card data, is reported in the news. I would not be surprised if many of you have had your personal information, including bank details and credit card data, stolen due to the failure of a business’s IT security. When your business becomes PCI DSS compliant you are helping reduce the chances of your customers’ data being stolen – that’s good for business, right?
Also, it’s important to note that if you do suffer a breach that results in credit card data being stolen, you could face a number of consequences, such as:
- Your acquiring bank may pass on any fines it receives from the credit card brands and other interested parties and/or
- Your acquiring bank may stop processing credit card transactions from you and/or
- Your acquiring bank may demand that you undertake a very costly forensic examination to determine how the breach occurred.
Often the cost imposed on your business if you suffer a breach without being PCI DSS compliant is far more than the cost to become PCI compliant in the first place.
Being PCI DSS compliant will not make your business 100% secure, but it will help reduce your risk of a breach.
Who or What is Enforcing PCI DSS Compliance?
The PCI SSC has no power to force a business to become PCI DSS compliant – that’s not their mandate. However, if you accept credit cards as payment, be it a physical credit card at your shop, over the phone, via email, via snail-mail, online such as your ecommerce site, or any other channel, the bank that processes the credit card transactions on your behalf (called an “acquiring bank”) will often include a contractual requirement for you to be PCI DSS compliant. If you refuse to become compliant, the acquiring bank will often show you the door.
Why does the acquiring bank care so much about my PCI DSS compliance?
The acquiring bank carries the risk of being fined by the credit card brands that formed the PCI SSC if your business suffers a breach of credit card data. So, more often than not, your acquiring bank will expect you to become PCI DSS compliant.
How do I know what PCI DSS requirements I need to meet?
As a QSA my advice is to contact your acquiring bank and ask them. As mentioned above, it’s your acquiring bank that is fined by the payment card brands if your business suffers a breach resulting in credit card data being stolen, so they are the ones accepting the risk.
I could cover the difference between a Report on Compliance “RoC” and the different Self-Assessment Questionnaires “SAQ” but I do not want to lead you up the wrong path.
One thing I will say is, unless your business is considered a “Level 1” merchant (which means your business processes more than 6 million card transactions per annum, or you’re a global merchant, or, under Mastercard, a merchant that has suffered a hack/attack that resulted in account data compromise), your acquiring bank will more than likely ask you to complete one or more Self-Assessment Questionnaires.
Again, contact your acquiring bank and ask them.
10 Tips for Improving Your Chances at PCI DSS Compliance
I have provided below a few tips that should help your business on the road to PCI DSS compliance. These are general IT security tips, so wherever you are with your PCI DSS compliance they will help improve your IT security. NOTE! These tips do not guarantee PCI DSS compliance on their own!
- Respect credit card data. Have a long, hard think about the reasons why you need to store credit card data after using it for a transaction. The key recommendation of the PCI SSC is: if you don’t need to keep credit card data, then don’t! Not storing credit card data after a transaction will reduce your PCI DSS compliance requirements by quite a bit.
- If you store credit card data electronically, make 100% sure that only people who need access to that data have it, and that the systems storing the credit card data are well protected from unauthorized access. There are strict requirements around storing credit card data, which include the use of encryption-at-rest. If this sounds too hard, then consider having your payment gateway provider store the credit card data and have your business use a payment token instead. For more information on reducing your PCI DSS scope read this post -> How Can I Reduce My PCI DSS Scope?
- If credit card details are written down on paper and need to be stored for a period of time ensure that the storage container can be locked and the key to unlock the container is only accessible to authorized users. Do not leave credit card details unprotected at any time such as lying around on post-it notes.
- If any of your systems are transmitting credit card data, for example from your ecommerce site to your payment gateway, ensure the transmission is encrypted. For the ecommerce site that normally means using only the HTTPS protocol. Ensure that the “TLS 1.2” protocol is used, not “SSL”, “TLS 1.0” or “TLS 1.1”. Use this free and very helpful tool https://www.ssllabs.com to understand which protocols are currently used by your systems.
- Record all systems and users that process, store or transmit credit card data. Once all systems and users have been recorded, see where you can reduce how many users and systems need to “touch” the credit card data. The fewer systems and users that “touch” credit card data, the better for you reaching PCI DSS compliance.
- Implement a patching schedule for your IT systems to ensure the latest patches are installed in a timely manner. For critical patches, ensure the patch is applied less than one month from the patch’s release. If you have any operating systems that are end-of-life, such as Windows XP or Windows Server 2003, focus on upgrading or replacing them ASAP. No patches are available to the general public for these systems, which means they are at a much higher risk of being attacked.
- Only grant local admin access to operating systems to users who really, really need it.
- Ensure all computers have anti-virus installed and a local firewall. Ensure that the anti-virus signatures are kept up-to-date, and that the anti-virus software and firewall cannot be turned off or configured without authorization.
- Ensure all users have strong passwords and that they don’t share their computer accounts with others. Stop any use of computer accounts that are used by more than one user (normally called “shared account”). Every user should have their own computer accounts which allows you to better track the actions of users within your environment.
- Change all vendor-supplied default accounts/passwords and any configurations that could make the device vulnerable to attack. Search Google for “default password for ” followed by the device’s name. You will be surprised at the number of Internet-facing devices that still have the default username and password active!
- Look at placing a firewall at the perimeter of your business environment to control what traffic flows in and out of your business. Only allow traffic that you consider a business need to flow in and out of your business. You may also need additional firewall(s) between the “perimeter” firewall and where card data is transmitted, processed and stored – you may need help with this from a network IT professional.
- Record all service providers that have access to your IT systems, including what level of permissions they have, what user accounts they use to access your environment and why they have access to your environment. It’s very important that you have awareness and control over all service providers who have access to your IT systems. The number of IT security breaches caused by service providers is staggering.
- Implement a basic IT security education program for your users, to be conducted when a person starts and annually thereafter. The program should cover IT security basics such as how to create strong passwords, how to identify phishing/social engineering, how to protect credit card data, thinking before clicking on an email attachment, watching out for tail-gating etc. Write an IT Security policy that your users can refer to when required. The policy should cover all things IT security within your business, from patching schedule, approved software, security configurations for computers such as anti-virus/local firewall, remote access, Internet usage, enforcement etc.
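The first two tips above (don’t keep card data you don’t need, and keep what you do keep away from systems that don’t need it) have a very common failure mode: card numbers leaking into application logs, where nobody meant to store them. As an added example (not part of the original post and not Confide’s material), the following Python script scans a few constructed log lines for anything shaped like a card number, confirms each candidate with the Luhn check so that ordinary 16-digit order ids are not flagged, and rewrites genuine card numbers as first-six/last-four masks, the display limit in PCI DSS 3.2. The sample log lines, the test card numbers and the function names are all assumptions made up for this example.

```python
import re
from typing import List, Tuple

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# and not touching other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: every real card number passes it, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits (the PCI DSS 3.2 display limit)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Replace every Luhn-valid card number in text; return new text and count."""
    count = 0

    def _replace(match) -> str:
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw           # e.g. an order id: leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, text), count


def scrub_log(lines: List[str]) -> Tuple[List[str], int]:
    """Scrub a whole log, returning the cleaned lines and the number of PANs found."""
    cleaned, total = [], 0
    for line in lines:
        new_line, n = redact_pans(line)
        cleaned.append(new_line)
        total += n
    return cleaned, total


# Constructed sample log lines using well-known *test* card numbers, not real cards.
SAMPLE_LOG = [
    "2019-04-02 10:15:01 INFO  checkout order=1234567890123456 status=ok",
    "2019-04-02 10:15:02 DEBUG gateway request pan=4111111111111111 exp=12/22",
    "2019-04-02 10:15:03 ERROR retry pan=5555 5555 5555 4444 reason=timeout",
]

if __name__ == "__main__":
    lines, found = scrub_log(SAMPLE_LOG)
    print("\n".join(lines))
    print(f"{found} card numbers redacted")
```

Running the script on the three constructed lines redacts the two test card numbers and leaves the order id on the first line untouched. In practice you would run something like this over log files before they are archived, and treat any hit as a signal that the system writing that log has card data in scope.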
So let’s recap.
- PCI DSS is a standard that comprises 12 high-level requirements addressing the security of credit card data. Each of the 12 requirements is then broken down into sub-requirements addressing a particular security objective.
- If you’re a merchant that accepts credit cards as payment, be it physically accepting cards at your shop, over the phone, via email, via snail-mail, via ecommerce or any other channel, more than likely your acquiring bank will expect you to be PCI DSS compliant.
- Depending on how you accept credit cards and your level of credit card transactions, not all of the 240+ requirements will apply to your business to reach PCI DSS compliance.
- To become “PCI DSS” compliant you must meet the “testing procedures” for each requirement that is applicable to you. For example, if the requirement to have a firewall installed within your network is applicable to your business then to meet that requirement you need to install a firewall in the way required by PCI DSS.
- Reporting on PCI DSS compliance is an annual process. But compliance should be part of the way you run your business every day.
- Contact your acquiring bank and ask them what they require you to provide to demonstrate your compliance. They’ll likely be able to tell you what forms to submit and whether you can fill them in yourself or need to get a QSA to help.
- If you accept credit cards, do not ignore PCI DSS! If you do and your business suffers a breach resulting in credit card data being stolen, there is a very high likelihood that your acquiring bank will be knocking on your door and it won’t be an enjoyable experience!
PCI DSS Resources
PCI DSS Website -> https://www.pcisecuritystandards.org/
PCI DSS Official Document Library-> https://www.pcisecuritystandards.org/document_library
Marc is a PCI QSA at Confide and has been working with the company since May of 2016. Confide is New Zealand’s Premier Security Assessment Company for the Payment Card Industry. http://www.Confide.co.nz
How Compliant is your Small Business?
Operating a small business doesn’t mean you can be complacent about how you protect customer data and guard against the very real threat of credit card theft.
Hacking gangs are alive and well, hence the tightening of data protection rules in the western world, including the European Union’s GDPR.
So there are two major areas of compliance to work on immediately if you’ve not done so already. Doing the basics to ensure your business complies with data protection laws, including the GDPR even if you’re not in Europe, is a must-do, and here’s how you can get started if you’ve not done it already.
Every website collecting email addresses and more needs to comply with the requirements for protecting customer data. There’s more that’s needed too; see “Website policies” further on in this article.
There is also a pressing concern for all businesses, eCommerce and particularly those in the retail sector, to commit to PCI compliance. You might be wondering what it is and whether your operation is too small to be bothered with it right now.
A really good explanation of what PCI DSS is and why any business transactions using credit cards needs to comply can be found in this article on BusinessBlogs.
Smaller businesses can do a self-assessment, and while you might sigh with relief, don’t get too comfortable: you’ll still need to know exactly how to do a PCI self-assessment and how to get set up so that when your business grows it has everything in place for external assessments.
PCI and Networks
The real difficulty lies in understanding how sensitive data moves around your network, which is a must for assessment. Wireless LANs and other connectivity points like USB and Bluetooth can be penetrated, hence they need to be monitored and secured. This is where a PCI compliance specialist comes into their own, not only for your self-assessment but also when using external PCI auditors for your compliance.
Earlier on we mentioned protection of customer data and laws like GDPR.
Any business with a website that collects customer data cannot avoid the basic website features that allow for transparency of how customer data is collected, utilised and shared, namely privacy and cookies policies.
This really is the norm now and it’s the entry level for all websites, so all website developers will implement it; it’s just the older sites and the do-it-yourself crowd who need to be aware of the requirements.
Website visitors expect to see the pop-up that asks them to accept your website’s cookies policy, and they’ll take the necessary action. Without it, your business is not perceived as being secure and visitors may take no further action, i.e. they’ll exit your site.
All websites should also be using SSL (HTTPS) and be mobile ready, plus have all the bells and whistles in place to manage customer data collection and management for the protection of customer data.
Ignorance is not bliss, and it will be hurting your business if your website is not on top of its compliance requirements. Get curious, find out what you need to know and when you need to take action to keep the hackers out and the visitors in.
Why Shopping Cart Abandonment?
Shopping cart abandonment is not decreasing. Buyers add items to their shopping cart but exit without completing the purchase. The term ‘buyer’s remorse’ needs to be coined another way to describe why online shoppers abandon their shopping carts.
Abandonment is an ecommerce term used to describe a situation in which a visitor to a page leaves that page before completing the desired action. Shopping carts are where abandonment happens the most! The reasons vary from site to site and they’re explained well in the infographic created by Fullestop. We’ve added it to this post for you.
Ecommerce sites try to reduce their cart abandonment rate; however, it’s a losing battle, with a high proportion of customers still slipping away. In fact, shopping cart abandonment rates are, if anything, rising. Business Insider reports that $4.6 trillion worth of merchandise was left in abandoned carts in 2016, up from $4.2 trillion in 2013.
Reasons behind Shopping Cart Abandonment
For the retail sector, these were the most commonly cited reasons for abandonment:
• 34% were ‘just looking’, i.e. not ready to buy.
• 23% had an issue with shipping.
• 18% wanted to compare prices.
• 15% decided to buy in-store.
• 6% abandoned because of a lack of payment options.
• 4% experienced a technical issue.
Various explanations have been offered in an attempt to say why buyers leave shopping carts. The vast majority of the reasons mirror those in the real-world shopping process. The basic explanations behind shopping cart abandonment have been identified as:
Confusion and surprise costs: if it’s not clear how to make a purchase and you leave your prospects on their own, assuming that “they’ll figure it out”, you’re in for an epic disappointment. Similarly, if they are suddenly presented with extra costs that they didn’t expect, you showed them the door yourself.
Warnings or an insecure site: A warning about the website can easily turn into fear. The starting point for a business is website security and assuring customers the website is safe and secure, and this includes their shopping cart and, when it comes to credit card data, what information is requested from purchasers.
Most ecommerce purchasers are careful about revealing their personal information, especially when it comes to credit card details. Purchasers are already nervous and it’s not long before they become suspicious, especially if an excessive amount of information is requested from them.
How To Protect Your Business From Cyber Attacks
There is no getting away from the fact that cybercriminals and hackers are everywhere these days. Business owners need to remain vigilant and take precautions if they don’t want to become the victims of crime. The information in this article will educate all readers about the basics of protecting their operations and ensuring information theft doesn’t occur. The last thing any entrepreneur wants is for a hacker to steal their customer payment details because that often results in bad press and a lot of headaches. With that in mind, use the advice below to ensure you leave no stone unturned when it comes to securing your company.
So how do hackers break into my website or computer network?
There are many ways in which hackers might attempt to breach your security tools and gain access to your website or office computer network. However, some methods are more common than others. In recent times, business owners report the following strategies when hacking attacks occur:
- The hacker will upload specialist tools to your website that allow them to create multiple backdoors. That means that if you identify the first vulnerability and fix it, the criminal can still gain access using a variety of different methods.
- Some online hackers will attempt to download all user accounts and then use specialist tools to break through password encryption. Alternatively, those criminals can just steal the contact information like email addresses before selling the data to spamming organisations.
Well, how do I stop that from happening?
Protecting your computer network:
You have lots of options on the table when it comes to protecting a computer network against hacking attacks. In most instances, it makes sense to build a relationship with an IT Support company that can offer assistance if the worst occurs. However, there are lots of preventative measures you can take in advance. Considering that, be sure to read the following information carefully and put the tips into action as soon as possible!
- Invest in digital and physical firewalls – You can get those items online for little money these days. Just be sure to conduct a lot of research and read reviews from other business owners before committing.
- Keep all software updated – Software developers release updated versions of their products all the time to help combat security vulnerabilities. If you don’t have the latest version of the program, you might expose your company to hackers.
- Provide employee security training – It’s vital to offer all employees training on the best practices for maintaining maximum security. For instance, business owners should ensure their workers never connect personal smartphones to the business network. Likewise, team members should never access their social media accounts in the workplace, as that could create security concerns. They should, however, follow an IT security expert and learn from their views and news.
- Use strong and random passwords that contain numbers and letters – There are lots of random password tools that anyone can use if they want to ensure hackers can’t guess their way into the network. It’s worth investing in one of those programs as soon as possible.
- Don’t connect unknown devices to your computers – As mentioned a moment ago, connecting smartphones and other media to your computer network could create problems. If hackers already have access to that device, they will have no issue when it comes to penetrating your system.
- Encrypt all sensitive data or store it in the cloud – Cloud storage providers use some of the most advanced encryption tools and strategies possible. So, business owners shouldn’t have to worry too much if they keep their sensitive data secure using one of those services. However, it’s also vital that you encrypt information on your office network too!
- Never use unsecured WiFi networks – If you connect your computers to unsecured public networks, hackers can break into your system in a matter of seconds. Indeed, there are low-cost computer programs that even teenagers could use to steal your information if you make that simple error.
Protecting your website:
Business owners also need to follow the correct strategies when it comes to ensuring their websites don’t become vulnerable to hacking attacks. The list of tips below will assist you in making sure your site has the most robust protections possible. Failure to implement the advice from this section will mean you stand a much higher chance of becoming a victim than those who pay attention.
- Keep all software, and website plugins up-to-date – Hackers will look to exploit the vulnerabilities that developers work hard to solve with their software and plug-in updates.
- Use complex passwords – Again, you can find programs that create random passwords without breaking the bank.
- Don’t allow users to upload files – Unless there is no alternative, allowing users to upload files is a recipe for disaster.
- Only use HTTPS to deliver private information (payment details, etc.)
- Use the best website security tools – There are new programs and plug-ins hitting the market every single day. So, business owners just need to keep abreast of the latest advancements and invest at the right time.
- Always use a secure online payment gateway – Consumers expect to see that little padlock in the left-hand corner of the address bar when they enter payment information. Ensuring the page is secure should help to protect against hacking attacks. It should also mean you miss out on fewer sales.
Now you know all the basics of protecting your business from cyber attacks; you just need to put that advice into action. There is no time to delay because criminals work around the clock to steal information and profit from their crimes. So, sit down with your most dedicated team members as soon as possible to discuss the matter and design your strategy. As stated only a moment ago, sometimes company bosses will benefit from the expertise of professionals. With that in mind, weigh all the pros and cons and then work out if you have enough money in your budget to pay for assistance. If you don’t, just follow the advice from this post!
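The “don’t allow users to upload files” tip in the website list above names the risk but not what to do when a site genuinely has to accept uploads (a photo, a PDF invoice). The following Python function is an added example, not code from the original post: it enforces a size limit, an allow-list of file extensions, a check that the file’s first bytes actually match the claimed type, and stores the file under a random server-chosen name so the client’s own filename (with any directory tricks or double extensions) is never used on disk. The allow-list, the magic-byte values for PNG/JPEG/PDF, the size limit and the sample inputs are all assumptions made for this example.

```python
import os
import secrets
from typing import Tuple

# Allow-list of extensions and the leading bytes ("magic numbers") a genuine
# file of that type starts with. Anything not listed here is refused.
# (Assumed set for this example; extend it only with types the site really needs.)
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks below."""


def validate_upload(client_filename: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> str:
    """Check an upload and return the random name it should be stored under.

    Only the extension is taken from the client's name; the stored name is
    random, so "../../x.png" or "shell.php.png" can never land on disk as such.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Strip any directory part the client sent (Windows or POSIX separators).
    base = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("no file extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the extension")
    return f"{secrets.token_hex(16)}.{ext}"


def check_upload(client_filename: str, data: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: (accepted, stored name or rejection reason)."""
    try:
        return True, validate_upload(client_filename, data)
    except UploadRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample uploads for demonstration.
    samples = [
        ("photo.PNG", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),   # genuine image
        ("script.php", b"<?php echo 'not an image'; ?>"),     # disallowed type
        ("image.png", b"<?php echo 'not an image'; ?>"),      # wrong content
        ("../../etc/passwd.png", b"\x89PNG\r\n\x1a\n"),       # path trick
    ]
    for name, blob in samples:
        print(name, "->", check_upload(name, blob))
```

The stored name is what the site writes to disk and serves back; the original filename is at most kept as display metadata in a database. Keeping the upload directory outside the web root, or serving it from a host that never executes scripts, is the other half of the same control.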