If your business takes credit cards, it’s vital that it’s compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is designed to protect and secure stored, processed and transmitted Primary Account Numbers (PANs) and credit card holder information.
Failure to comply not only runs the risk of credit card fraud and theft, but it can also incur substantial fines for a business. Add to this a lack of customer confidence in the event that anything does go wrong, and it’s easy to see how seriously a breach can affect a business.
Bearing this in mind, we’ve put together some common misconceptions that surround PCI DSS to help you choose wisely when it comes to choosing a cloud vendor.
#1: PCI compliance is a guideline and not a necessity
Untrue. PCI DSS compliance is mandatory and applies to all businesses that store, process and transmit customer credit card information. The size of the business has no bearing on whether it should be compliant: every company that processes sensitive credit card information has to be compliant by law.
Whilst smaller enterprises that process fewer than 20,000 transactions a year may not be required to seek validation, they must remain compliant nonetheless.
#2: Not storing credit card information means you don’t have to be PCI compliant
False. PCI DSS applies to processing and transmitting credit card information, regardless of whether you store that information or not. This means that data that’s transmitted over networks, faxes, phone lines or data transfer services (including cloud) must be compliant.
There’s no getting around the rules; they are there to protect the customer and, as such, are watertight. Where you’re using a third party to process credit cards, such as PayPal, the risk is then transferred to them. However, it pays to make sure that any third party is compliant before using its services.
This is because, although the risk may be transferred, the customer must first be handed over to the third party’s servers entirely. If, for example, you use an API on your website, you are still liable, because your servers are the ones initially capturing the information.
#3: I’m an SMB, nobody will notice if I’m not compliant
Small companies may not attract as much attention as larger organisations, but this doesn’t mean it’s OK to be complacent. Whilst immediate fines are usually only imposed on those who process in excess of 1m transactions per annum, if your business suffers a breach then you will have to pay for chargebacks to affected cards, and your ability to process credit cards may be suspended.
It could also mean that you are escalated onto a higher compliance tier, which will dramatically increase operating costs. Add to that the loss in customer confidence and damage to your brand and you could do your business serious harm.
#4: I don’t take online payments so I don’t need to be compliant
Afraid it’s not that simple. Any business that takes credit card transactions has to be PCI DSS compliant, even if payments are taken through a retail POS or mail order. If you process, store or transmit any credit card information then you must be compliant.
In fact, POS transactions often involve the storage of track data which is not allowed under PCI, so it’s worth checking practices thoroughly before making assumptions.
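One practical way to check the point above is to scan what your systems actually write to disk for PANs and full track data. The following scanner is an added example written for this article, not code from Maytech or the original post: it runs over a few constructed log lines (the card numbers are public test PANs, not real accounts), flags Track 1 and Track 2 magnetic stripe data, flags bare card numbers that pass the Luhn check, and reports each finding with the PAN masked to the first six and last four digits so the report itself does not become another copy of cardholder data. The regular expressions and sample format are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (not taken from the page). Line 1 carries an
# order id that merely looks like a card number; lines 2 and 3 show a POS
# application logging raw Track 1 / Track 2 swipe data; line 4 logs an
# unmasked PAN; line 5 shows the acceptable masked form.
SAMPLE_LOG = """\
2024-05-01 10:02:11 INFO  checkout ok order=1234567890123456 amount=12.99
2024-05-01 10:03:40 DEBUG pos swipe raw=%B4111111111111111^DOE/JOHN^25121010000?
2024-05-01 10:04:02 DEBUG pos swipe raw=;5555555555554444=25121010000?
2024-05-01 10:05:17 INFO  refund card=4111111111111111 amount=5.00
2024-05-01 10:06:00 INFO  refund card=411111******1111 amount=5.00
"""

# Track 1: %<format code><PAN>^<name>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%[A-Z](\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}\d{3}[^?]*\?")
# A bare run of 13 to 19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str      # "track1", "track2" or "pan"
    masked: str    # masked PAN, never the full number


def scan_lines(text: str) -> List[Finding]:
    """Scan log text and report prohibited cardholder data, PANs masked."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), start=1):
        seen = set()
        # Full track data must never be stored after authorisation, so it
        # is reported as its own category rather than as a plain PAN.
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                findings.append(Finding(n, kind, mask_pan(m.group(1))))
                seen.add(m.group(1))
        # Bare PANs: the Luhn check filters out order ids and timestamps.
        for m in PAN_RE.finditer(line):
            cand = m.group(1)
            if cand in seen or not luhn_ok(cand):
                continue
            findings.append(Finding(n, "pan", mask_pan(cand)))
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
```

Run against the constructed sample, the scanner reports Track 1 data on line 2, Track 2 data on line 3 and an unmasked PAN on line 4, while the look-alike order id on line 1 (which fails Luhn) and the properly masked number on line 5 produce nothing. A Luhn-valid 16-digit number that is not a card number can still trigger a false positive, so treat hits as items to review rather than proof of a breach.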
#5: PCI Compliance is only carried out in the IT department
Whilst the IT department may oversee PCI compliance, it’s not a one-time implementation: it requires ongoing quarterly assessment and reporting, and employees at every level should be made aware of its effect on the business. For example, it’s doubtful that the IT department will be processing all payments, so the rules on how data is stored and transmitted should apply to everyone who deals with credit cards.
This means that in order to ensure PCI is met, a company should have strong policies and procedures in place to deal with card payments, which all employees should be made aware of. This, along with choosing a PCI compliant vendor where applicable, should ensure that your business operates within the standards.
The online criminal underworld is a complex and constantly growing one, which is always coming up with new ideas to capture credit card information. PCI DSS exists to ensure that businesses do everything they can to protect customers and reduce credit card fraud.
So, can your organisation afford to ignore PCI?
Maytech’s secure file transfer platform is fully PCI compliant and tested daily by McAfee SECURE against 40,000+ vulnerabilities to ensure your environment remains accredited at all times. Updated reports can be sent automatically to you every day.
To discuss your PCI data transfer requirements feel free to contact us.