According to Total System Services, Inc., 80 percent of the consumers questioned in a 2018 survey responded that they preferred making payments using credit or debit cards. If you accept credit or debit card payments, you may not know that you are subject to a set of standards created by the Payment Card Industry (PCI) Security Standards Council. This council – made up of the five payment card brands Visa, MasterCard, American Express, JCB International, and Discover – was created in response to increases in data breaches and fraud in the credit card industry. The PCI Data Security Standards address technical and operational systems to keep customer cardholders safe. The goal of these standards is to protect businesses, customers, banks, and all others engaged in the credit industry.
Many business owners find that collecting payment via credit or debit cards benefits both them and the customer. However, they often do not know about these established data security standards, and thus, fail to comply with them.
Below are the 12 PCI Data Security Standards that business owners who accept credit and debit card payments must comply with:
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open public networks.
- Use and regularly update antivirus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data on a business need-to-know basis.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for employees and contractors.
Each of these standards has a number of components to achieve the following goals: protect cardholder data, maintain an effective management system for dealing with such data, establish access control procedures, test networks, and regularly refine such modes of data security. For example, when hackers and cybercriminals attack, their first attempts to break into a system often involve using the default passwords provided by vendors. The second standard was established to prevent this. Businesses are expected to change all default passwords to new strong passwords – passwords with at least 12 characters that are a mix of numbers, letters, and symbols, and are not connected to personal information. By implementing this standard, businesses make it more difficult for security breaches to occur.
In order to comply with these standards, business owners must thoroughly understand how cardholder data is collected and flows through the business. The channels that contain such data should be encrypted to protect consumer information in the company's network of systems. Likewise, business owners must verify that direct public access between the internet and any system components that store cardholder data is avoided. Business owners can protect themselves and cardholders by installing firewall protection on company and employee-owned devices that connect to the internet outside of the company network.
Call a Business Attorney in Westchester County
If you want to satisfy today's consumers and make it easier for people to do business with you by accepting credit and debit card payments, you must comply with the PCI Data Security Standards. We can help you map out the right strategies to protect cardholders' information and develop employee handbooks that explain your processes.