Advice for businesses taking credit card payments
This article was first published in Grow Magazine
It’s 2019. Cash is dying and virtually all businesses and organisations accept payments via credit or debit card. These days, customers expect to be able to pay by plastic (or phone) anywhere and everywhere.
But there are a few things that you need to know if you’re one of these businesses that store, process or transmit card data…
1) A breach could cost you more than money
Your customers’ cardholder data needs to be protected. Otherwise, the impact on your reputation – let alone any potential fines from the bank or the ICO (Information Commissioner’s Office) – could be catastrophic.
2) PCI DSS compliance is mandatory
That’s right. If you store, process or transmit cardholder data, you must be compliant with the Payment Card Industry Data Security Standard (PCI DSS). If you’re non-compliant, you may have to pay a penalty for every single transaction until you comply.
3) It doesn’t matter how many transactions you handle
For some reason, we hear a lot of businesses saying it’s not relevant to them because they handle fewer than 20,000 transactions per year. Unfortunately, this is not the case. The specific requirements you must meet do change with volume, but if you accept card payments at all, PCI DSS still applies.
4) Outsourcing your processing doesn’t stop it from being your problem
Even with a third-party payment provider, you still have responsibilities. You must check that they’re compliant, and ensure that your end is secure too. Regular penetration tests and vulnerability scans are advised, along with robust processes and policies.
5) All cardholder data should be transmitted securely (if at all)
Cardholder data should not be transmitted over insecure communication channels. Think email is secure? Think again. Add the risk of sending cardholder data to the wrong recipient, and email should never be considered an option.
6) PCI DSS doesn’t just apply to ecommerce websites
You might not take payments online, but you still have to be PCI DSS compliant. In fact, POS devices and telephone payments often come with increased risk, because sometimes these payments involve the storage of additional cardholder data.
7) PCI DSS applies to all stored card data – not just new transactions
Often, when we first start helping businesses with their PCI DSS compliance, they assume the requirements are only relevant to present and future transactions. This is not the case. PCI DSS applies to both current and past cardholder data.
8) PCI DSS compliance means meeting 100% of the relevant requirements
Some businesses think that meeting some – or even most – of the relevant requirements means they are PCI DSS compliant. This is not true. You have to meet 100% of the requirements relevant to your environment to be compliant.
Got any questions? Need some support in achieving PCI DSS compliance? Didn’t realise it even applies to you? Don’t worry – we’re here and happy to help. Get in touch for an obligation-free chat with one of our specialists!