Guest post by Ray Moorman, Director of Product Management, Vantiv Integrated Payments (formerly Mercury Payment Systems)
Why should PCI compliance and security be a top priority?
Despite the ongoing advances in point-of-sale systems and technologies, data breaches remain a very real threat to the average small and medium sized business (SMB). That’s because SMB owners often place their full trust in the technology solution to protect them. In reality, all businesses must understand and adhere to the PCI Data Security Standard in order to be fully secure.
As a business accepting credit card payments, if PCI compliance is not on your mind, it should be. Here are three questions to ask yourself:
Data breaches affecting big name brands make the news, but 80 percent of data breaches actually target small businesses. The fallout of a breach can be devastating: According to recent research by Vantiv, 60 percent of small businesses close within six months following a data breach. Still, three out of four SMB merchants do not believe they are at risk—and that misperception makes them more vulnerable. SMB merchants are considered low-hanging fruit by hackers because they usually have few IT resources to protect themselves.
It’s important to understand the full scope of PCI compliance and how it applies to your business. The majority of issues arise from a lack of education, so the more you know about your compliance responsibilities, the more you will understand how it affects your day-to-day operations. Merchants tend to think of compliance as a quarterly or annual process, when it is actually an ongoing responsibility.
What you don’t know can hurt you. If you outsource your IT operations, you should not assume everything is taken care of. Over 60 percent of investigations that identified a security deficiency easily exploited by hackers, revealed a third party was responsible for system support, development or maintenance.
Here are some questions to ask your vendors and service providers:
- Are you a QIR (Qualified Integrator and Reseller) company? (QIR companies have demonstrated their knowledge and commitment to compliance and security.)
- Are the POS systems you sell PA-DSS validated? Has your recommended payment processor validated their PCI compliance? (Like merchants, service providers are also required to comply with the PCI DSS.)
- Do you have an incident response plan in the event of breach, and what is your notification process?
- Do you adhere to all of the PCI DSS requirements around remote access?
- Do you maintain a written agreement outlining which compliance requirements you will manage for our business?
Merchants have some basic responsibilities for PCI compliance and can take practical steps on their own to help reduce their risk. Here are five steps Vantiv Integrated Payments recommends:
- Perform external network vulnerability scans at least once per quarter to monitor internet-facing IP addresses.
- Always secure cardholder data by monitoring access to the network and wireless access points.
- Develop and document security policies and procedures.
- Institute employee training and awareness surrounding the importance of processing cards securely and protecting your business computing network.
- Secure passwords; no employees should share a password and default passwords should never be left in place.
Card data security is multi-faceted and can be confusing to even the most sophisticated merchant. The PCI DSS emphasizes security as a shared responsibility between merchants and their service providers—and asking questions is a good starting point. Find out what steps your POS provider has taken to secure your system. And, make security best practices a part of your day-to-day business operations.
Ray Moorman is Director of Product Management at Vantiv Integrated Payments (formerly Mercury Payment Systems), where he focuses on EMV solutions. Ray has more than a decade of experience in the payments industry and has served in various positions including operations, acquisition integration and product.