Getting to grips with payment card industry compliance


Between October 2015 and September 2016 there were over 100 million payment cards in circulation, 97 million of which had contactless capability.[1] With numbers like these, if you accept debit or credit card payments you need to make sure your systems are secure and your customers' cardholder data is protected.

As cash gave way to card payments, the payment industry needed a common security baseline. In 2006 Visa International, MasterCard, American Express, Discover and JCB came together to form the Payment Card Industry Security Standards Council (PCI SSC)[2], which publishes and maintains the PCI Data Security Standard (PCI DSS).

Setting the standard

The PCI DSS sets out 12 requirements for any business that stores, processes or transmits payment card data. Together they describe the controls needed to maintain a secure environment and protect cardholder data.

Whether you process one card transaction a year or a million, the standard is the same; what changes with volume is how you have to validate your compliance (see below).

Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data: render the card number unreadable wherever it is stored (strong encryption, truncation or hashing), and never store the full magnetic stripe, the CVV or the PIN after authorisation

4. Encrypt transmission of cardholder data across open, public networks (use TLS; never send card details over plain HTTP or by e-mail)

Maintain a vulnerability management programme

5. Protect all systems against malware and regularly update anti-virus software

6. Develop and maintain secure systems and applications, applying security patches promptly (critical patches within a month of release)

Implement strong access control measures

7. Restrict access to cardholder data to those with a business need to know

8. Identify and authenticate access to system components: give every user a unique ID and never share accounts

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel, so that IT security is an integral part of your risk management strategy

Staying compliant

Using a hosted payment solution (card details are captured on a page hosted by a PCI DSS compliant payment provider and never touch your own systems) reduces the number of requirements you have to validate, but it does not take you out of scope. You remain responsible for confirming your provider's compliance and for the requirements that still apply to you, such as changing vendor defaults, authenticating your users and managing your service providers. And compliance is not a one-off task; it is a continuous process of checks and validation.

How you prove compliance depends on the volume of card transactions you handle. Most merchants complete an annual Self-Assessment Questionnaire (SAQ); which SAQ you use depends on how you accept cards, and a merchant that fully outsources card capture to a hosted payment page can usually use the shortest form, SAQ A. The largest merchants (Level 1, over six million transactions a year) must instead produce an annual Report on Compliance (ROC) with a Qualified Security Assessor (QSA). Where your SAQ type or your acquirer requires it, an Approved Scanning Vendor (ASV) must carry out external vulnerability scans every quarter, and you must also carry out penetration testing at least annually and after significant changes; unlike the quarterly scans, the penetration test does not have to be performed by an ASV[3].

What happens if I’m not compliant?

It's really worth investing time in getting this right. If you get it wrong and breach the standard, your business could be affected in a number of ways:

  • You could be fined for non-compliance. The average is around £15,000[4], but fines can run to hundreds of thousands of pounds. The fines are set by the card schemes, which levy them on your acquiring bank; the acquirer then passes the cost back to you under your merchant agreement.
  • Your acquirer could terminate your merchant agreement, leaving you unable to accept card payments at all. For many businesses that would be the end.
  • Fraudsters could compromise your systems and misuse your customers' card and personal data.
  • If your business is identified as a Common Point of Purchase (CPP) for fraud, the card schemes or your acquirer can require a forensic investigation by a PCI Forensic Investigator (PFI), a firm accredited by the Council. You pay for the investigation, and if it finds you were not compliant you can also be charged for the resulting fraud losses and card reissue costs.
  • Allowing your customers' card data to be accessed damages your reputation and customer confidence in the way you operate, especially if customers are left out of pocket.

Take care with contactless and mobile payments

Mobile and contactless payments are now common practice. Customers love the speed and convenience, but these payment methods bring extra challenges when it comes to compliance.

The main mobile wallets are well designed. Android Pay, Apple Pay and Samsung Pay require the cardholder to unlock the phone (by fingerprint, PIN or passcode) for each purchase, and they send the terminal a device-specific token rather than the real card number. A contactless card, by contrast, is used with no cardholder verification at all for transactions below the contactless limit.

The radio technology behind contactless and mobile payments also causes concern. The nominal range between a card or phone and the point-of-sale terminal is only a few centimetres, so interception seems unlikely. However, research by the University of Surrey[5] showed that inconspicuous equipment can eavesdrop on the exchange from around 80cm. What an eavesdropper can do with it is limited, because EMV contactless transactions include a one-time cryptogram and a captured exchange cannot simply be replayed, but the card number and expiry date can still be read.

What you can do

With payment technology moving so quickly, you need to stay vigilant and one step ahead of the fraudsters. Start with the basics: enforce strong, unique passwords and change every vendor default; secure remote access with multi-factor authentication (PCI DSS 3.2 added a requirement for it on all remote access from outside your network and on non-console administrative access to the cardholder data environment); and configure your firewalls for your organisation's own environment rather than leaving them at default settings[6].


Sources:
[1] http://uk.creditcards.com/credit-card-news/uk-britain-credit-debit-card-statistics-international.php
[2] https://www.pcicomplianceguide.org/pci-faqs-2
[3] http://www.theukcardsassociation.org.uk/security/PCIDSS_checklist.asp
[4] https://ask.barclaycard.co.uk/business/allfaqs/1_fraud_security/fines_2
[5] https://www.pcicomplianceguide.org/accepting-mobile-payments-pci-compliance/
[6] http://blog.securitymetrics.com/2016/12/takeaways-from-pci-dss-2016-data-breach-trends.html
https://www.itgovernance.co.uk/pci-dss-self-assessment-questionnaire
https://www.pcisecuritystandards.org/documents/PCI-DSS-v3_2-ROC-Reporting-Template.pdf
https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors
https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors


About the author

Stacey is a CIM-qualified, results-driven marketer focused on delivering a wide range of marketing solutions that exceed client expectations.