
How to Ensure Your Business is PCI Compliant


Whether you do business online or in the 'real world', you need to be aware of the Payment Card Industry Data Security Standard (PCI DSS). This is a set of security requirements, maintained by the PCI Security Standards Council and enforced through your acquiring bank and the card brands, designed to protect both you and your customers whenever you accept card payments.

You may think that because you outsource the collection of payments to a popular payment gateway this doesn't affect you, but you are still expected to take PCI DSS compliance seriously. Outsourcing reduces the scope of what you have to secure and assess; it does not remove your obligation. If you fall short, you could face financial penalties from your acquirer, but potentially far worse is the reputational damage and loss of business in the event of an incident.

Becoming Compliant

So, how do you make sure that your business is PCI DSS compliant? Key to doing this is recognising where card data flows through your business, where the risks lie and what you can do to minimise them. The standard has a fixed set of requirements, but which of them apply to you, and which self-assessment questionnaire you complete, depends on how you take payments; you need to understand how your business handles card data and take steps accordingly.

In a physical environment this might mean, for example, making sure printed receipts show no more than the last four digits of the card number, and shredding rather than simply binning any paperwork that does contain full card details. It also means keeping the software on any payment terminals up to date, periodically checking the terminals themselves for signs of tampering or substitution, and keeping merchant copies of transaction receipts locked away.

In an online business, you need to make sure that strong, unique passwords (or better still two-factor authentication) are used for every login, including to your shop's administration interface and to the payment provider's own portal. This applies even if you are using a third party, such as PayPal, to take payments. Make sure that your internal systems are kept patched and have current anti-virus software installed. In choosing a payments provider, you should also check that the provider is itself PCI DSS compliant; a reputable provider will supply a current Attestation of Compliance (AOC) on request.
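The common thread in the steps above is knowing where full card numbers actually end up, whether on a printed receipt or in a web shop's log files. As an added illustration, not code from the original article, here is a small Python script that scans lines of text for unmasked card numbers using the Luhn check digit test that every real card number satisfies, and masks them to the last four digits, the most a customer receipt needs. The log lines are constructed for the example and use the well-known Visa and Mastercard test numbers; the pattern and function names are my own.

```python
import re

# A run of 13-19 digits, optionally separated by single spaces or hyphens
# (as printed on receipts: "4111 1111 1111 1111"), not adjoining other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check that real card numbers satisfy."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _as_pan(match_text: str):
    """Strip separators; return the digit string only if it looks like a real PAN."""
    digits = re.sub(r"[ -]", "", match_text)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def mask_pan(digits: str) -> str:
    """Show only the last four digits; everything else becomes an asterisk."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(lines):
    """Return [(line_number, pan)] for every unmasked, Luhn-valid card number found."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            pan = _as_pan(m.group(0))
            if pan:
                hits.append((lineno, pan))
    return hits


def redact(line: str) -> str:
    """Replace every unmasked PAN in a line with its masked form; other text is untouched."""
    def _replace(m):
        pan = _as_pan(m.group(0))
        return mask_pan(pan) if pan else m.group(0)
    return PAN_CANDIDATE.sub(_replace, line)


# Constructed sample: log lines of the kind a web shop might write. Line 2 is
# already masked, line 3 contains a phone number that must not be flagged.
SAMPLE_LINES = [
    "2019-06-03 10:14:22 order=8812 card=4111 1111 1111 1111 exp=0921 amount=49.99",
    "2019-06-03 10:15:01 order=8813 card=************0004 amount=12.50",
    "2019-06-03 10:15:40 order=8814 phone=+44 20 7946 0958 amount=5.00",
    "DEBUG raw auth request: 5500000000000004 cvv=123",
]

if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LINES):
        print(f"line {lineno}: unmasked card number ending {pan[-4:]}")
    for line in SAMPLE_LINES:
        print(redact(line))
```

Run against the sample, the scan flags lines 1 and 4 (the second of which also records a CVV, which must never be stored at all) and leaves the masked card and the phone number alone. The Luhn filter removes most order numbers and timestamps, but any 13-19 digit identifier that happens to pass the check will still be reported, and a text scan cannot see into encrypted or binary stores, so treat this as a first pass at finding stray card data rather than a substitute for properly scoping your environment.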

Some payment providers will offer help and advice to ensure that your business is compliant with the standard, but do not be fooled: the responsibility rests with your business alone. If you take a logical approach, it shouldn't be an onerous process. Remember, however, that the technology and business world isn't static. Compliance is validated at least annually, but any change to how you take payments can invalidate the previous assessment, so you need to review on a regular basis to ensure that there haven't been changes to your systems or procedures that would cause your compliance to lapse.


Breach Planning

In 2018, cybercriminals compromised more than 2.8 billion consumer data records, at an estimated cost of $654 billion in the US alone. [1] Many of these records were exposed in high-profile breaches such as that at British Airways, but just because you're a smaller company it doesn't mean that you're immune to the threats.

Indeed, cybercriminals often deliberately target smaller organisations, which cannot afford to spend as much on security precautions and are therefore seen as softer targets. Verizon's 2019 Data Breach Investigations Report found that 43 per cent of breaches involved small business victims. [2]

With data breaches, as with any security issue, while you don't want the worst to happen, you need to plan for what might happen if it does. 

We've already discussed at a high level what you need to do to be PCI DSS compliant, and this is also the first step to being ready for a breach. Making sure that your systems are up to date and regularly reviewed helps to minimise the risks. You will also need a written information security policy (PCI DSS Requirement 12), and you will be expected to ensure that all of your employees are aware of it and have read and acknowledged it. Training staff in the importance of taking care of customer and payment data is vital too.

In the event that you do suffer a breach, you don't want to be in panic mode, rushing around trying to work out what has happened and what data has been exposed. You need to have a plan. A PCI incident response plan should start with all the things we've already covered: an overview of systems, training requirements, policy, and so forth. It should also cover what needs to happen after a breach: who is responsible for containing it and preserving evidence, which parties need to be notified (PCI DSS requires notifying the card brands at a minimum, and in practice your acquiring bank, while privacy law may add regulators and affected individuals), what you need to tell your customers and how you are going to do that.

Many businesses are now also considering taking out cyber risk insurance. Obviously, this doesn't prevent an attack, but it can help you to cover the costs of dealing with one and therefore mitigate the financial ramifications for your business.

The world of cybersecurity is a constantly changing one. Legislation is evolving too, with many countries introducing their own privacy laws. It's crucial to recognise that this isn't an area that stands still and is something you need to keep under review to ensure that you are prepared for new threats and new compliance requirements. 

The costs of a data breach, both financial and in wider terms, can be severe, but being prepared and planning ahead can help you to minimise the risk of falling victim. And if you are unlucky enough to experience a breach, the same investment in compliance can help you to manage the effects and get back to normal as soon as possible.

[1] https://www.securitymagazine.com/articles/90320-data-breaches-cost-654-billion-in-2018

[2] https://enterprise.verizon.com/resources/reports/2019/2019-data-breach-investigations-report.pdf