At BCS ProSoft, we take PCI compliance and data security very seriously. We have worked hard to ensure that our Automated Rental Management (ARM) software includes encryption that meets or exceeds the PCI DSS requirements, but there is still work that you must do. I cannot stress this strongly enough: failure to comply puts your business at serious risk, and yet most small business owners are only vaguely aware of the danger of not being compliant. Below are answers to several of the most common questions.
- What is PCI DSS compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard maintained by the PCI Security Standards Council. It was created to help organizations that process card payments prevent payment card fraud through tighter controls on cardholder data and its exposure to compromise. The standard applies to ALL organizations that store, process, or transmit cardholder data from any card carrying the logo of one of the major card brands.
- How does PCI DSS compliance affect me?
The PCI DSS requirements were set forth by the card brands to protect cardholder information and to help prevent card fraud, hacking, and other security incidents. They focus mainly on the storage, transmission, and encryption of this sensitive data while it is in a merchant's possession. If your business suffers a breach of cardholder data while not compliant with these requirements, you may be fined by the card brands: reported fines run up to $500,000 for the initial investigation plus a fee for every record compromised. What cannot be quantified is the damage to your business's reputation from the loss of consumer confidence.
- Isn't PCI compliance only for larger merchants?
The truth is that PCI DSS compliance is now a reality for ALL merchants regardless of size. Depending on the type of business and how transactions are run, Level 1 to 3 merchants (those with higher annual transaction volumes) may have additional validation requirements, but Level 4 merchants (the smallest level, processing fewer than 1 million transactions a year) are actually the most targeted by hackers and thieves. Recent industry data indicate that 80% of payment card compromises since 2005 affected Level 4 merchants. The penalties and fines can be excessive, depending on how much information is compromised, and have put some merchants completely out of business.
- What is cardholder data?
Cardholder data is the information from a credit or debit card that is used in a transaction. The commonly used elements are the Primary Account Number (PAN), the cardholder name, and the expiration date printed on the front of the card. All of these elements, and more besides, are also encoded on the magnetic stripe on the back of the card.
- What is Sensitive Authentication Data?
Sensitive Authentication Data is security-related information used to authenticate cardholders and authorize card transactions. It includes the full magnetic stripe (track) data, the card validation code (the three- or four-digit security code printed on the back or front of the card, known as CVV2, CVC2, or CID), and PINs or PIN blocks.
- Which elements of Sensitive Authentication Data can be stored?
None. You cannot store any Sensitive Authentication Data after a transaction has been authorized, even in encrypted form.
- What should I be doing to reduce risk?
The Better Business Bureau has developed an excellent checklist that you should follow; the link is listed under Other Resources below.
- Who should I talk to if I have doubts or want to ensure compliance?
If you are in doubt about any PCI DSS issue, your primary source of information is your merchant bank (acquirer).
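The storage rule in the answers above (no Sensitive Authentication Data after authorization, and no full PAN in the clear) is easy to state and easy to break in practice, because card numbers leak into free-text fields such as order notes or raw gateway responses. The Python below is an added example and is not part of ARM or of BCS ProSoft's code: it audits a transaction record before it is persisted, flagging SAD fields and any Luhn-valid card number sitting in the clear, and produces a copy with the SAD fields dropped and every PAN truncated to its first six and last four digits, which is one of the methods PCI DSS accepts for making a stored PAN unreadable (tokenization and strong encryption with proper key management are the others). The field names, the SAD field list, and the sample record are assumptions constructed for the example; real payment gateways use their own field names.

```python
import re

# Sensitive Authentication Data (assumed field names): never persisted after
# authorization, encrypted or not. Real gateways use their own names.
SAD_FIELDS = {"cvv", "cvv2", "cvc2", "cid", "track1", "track2", "pin", "pin_block"}

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer run of digits (which rules out most order numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(number: str) -> bool:
    """Luhn check-digit test: every PAN passes it, most random digit strings do not."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI DSS truncation format."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Return (as_written, digits_only) for each Luhn-valid card number in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append((m.group(), digits))
    return hits


def audit_record(record: dict) -> list:
    """List every storage-rule violation; an empty list means the record may be stored."""
    issues = []
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            issues.append(f"{key}: sensitive authentication data must not be stored")
        elif not isinstance(value, str):
            continue
        elif k == "pan":
            if value.isdigit() and luhn_ok(value):
                issues.append("pan: full PAN stored in the clear")
        elif find_pans(value):
            issues.append(f"{key}: card number found in free text")
    return issues


def sanitize_record(record: dict) -> dict:
    """Return a copy that passes audit_record: SAD dropped, PANs truncated everywhere."""
    clean = {}
    for key, value in record.items():
        k = key.lower()
        if k in SAD_FIELDS:
            continue                        # dropped outright, never persisted
        if isinstance(value, str):
            if k == "pan" and value.isdigit():
                value = truncate_pan(value)
            else:                           # free text: truncate in place
                for as_written, digits in find_pans(value):
                    value = value.replace(as_written, truncate_pan(digits))
        clean[key] = value
    return clean


# Constructed sample: an authorization response as it might sit in memory.
# 4111111111111111 is a well-known Luhn-valid test number, not a real account.
SAMPLE_RECORD = {
    "pan": "4111111111111111",
    "cardholder_name": "A. Sample",
    "expiry": "12/29",
    "cvv2": "123",
    "track2": ";4111111111111111=29121015432112345678?",
    "amount": "149.00",
    "notes": "Customer read card 4111 1111 1111 1111 over the phone",
}

if __name__ == "__main__":
    for issue in audit_record(SAMPLE_RECORD):
        print("VIOLATION:", issue)
    stored = sanitize_record(SAMPLE_RECORD)
    print("stored:", stored)
    print("clean audit:", audit_record(stored))
```

Run the audit on every record in the path that writes to disk or to the database, and treat a non-empty result as a bug to fix at the source rather than something to clean up after the fact; the sanitizer is the safety net, not the design. The Luhn check keeps the scan from flagging every long digit string, but it is not proof of a real account number, so review hits rather than act on them blindly.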
Other Resources
PCI Security Standards Council
https://www.pcisecuritystandards.org
Supporting documents
https://www.pcisecuritystandards.org/tech/supporting_documents.htm
PCI DSS FAQs and myths
http://www.pcicomplianceguide.org/pcifaqs.php
PCI Checklist from the Better Business Bureau
http://www.bbb.org/data-security/becoming-pci-compliant/checklists/