When Gala Technology ask small and medium sized enterprises (SMEs) whether they are aware of their obligations to meet the Payment Card Industry Data Security Standard (PCI DSS) when processing card payments, we are often met with the response of ‘I’ve heard of it, but don’t really know what it is’.
This short blog will hopefully give you a better understanding of what it is and what your business should be doing to protect your organisation, your employees, your customers, and your reputation.
1. Understand what PCI Compliance is.
PCI DSS is an acronym which stands for the Payment Card Industry Data Security Standard.
PCI DSS is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. Simply put, it means that you have an obligation to ensure that sensitive card data is looked after.
These standards were developed by the PCI Security Standards Council (PCI SSC), an organisation founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa International, to facilitate industry-wide adoption of consistent data security measures on a global basis.
2. Does PCI DSS apply to me? We are only a small business.
The PCI DSS applies to ANY organisation, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. If you process one card payment a year, then PCI DSS applies to you, and it is a contractual obligation between the business and your acquiring partner.
3. Don’t ignore PCI DSS. If you do, it is likely to be costing you money.
Typically, a small business will need to evidence that it is PCI DSS compliant annually, and failure to do so is likely to incur ‘non-compliant’ fees being applied to your merchant account, which could be costing you hundreds or thousands of pounds a year. We appreciate that PCI DSS compliance can seem daunting and is littered with jargon, but actually there are some really smart and easy wins to help evidence compliance. Limiting or keeping card data outside of your business environment can be a great place to start.
4. What happens if I am not PCI DSS compliant?
If you are not PCI DSS compliant, then you are essentially in breach of contract with your acquiring partner, which can lead to ‘non-compliant’ fees being added to your merchant account, thus costing you more to process your transactions. In some cases, the acquirer may remove or suspend your merchant account.
Another risk is that you are subject to a data breach. SMEs can face hefty penalties if they suffer a security breach and are found to be non-compliant with the PCI DSS. Fines for a small merchant are, on average, around £15,000, which excludes the costs of any forensic investigations or the cost of reissuing compromised payment cards and covering the cost of fraud.
Oh, and that is before the ICO potentially get involved under GDPR. Hardly great PR for the business, is it?
5. Where does my small business start with PCI DSS?
The first thing to do is to understand through which channels you wish to take card payments. Is it face to face via a card machine, via the internet through a website payment gateway, over the telephone, or a mixture of them all?
You can then look to implement a strategy (perhaps alongside your acquirer) to ensure the PCI DSS requirements are met. This may include outsourcing some of the requirements to a third-party service provider (TPSP), such as Gala Technology.
6. Educate your team about PCI DSS.
Any compliance strategy fails if employees are not involved in its application. It is no good if the managing director is adhering to the requirements of PCI DSS if the sales team are not.
Companies must ensure that everyone working with sensitive card data is aware of the PCI DSS requirements, their importance, and how they can support and ensure compliance to protect themselves, the business and the customer against data breaches and fraud.
7. Do you really need to store the card data?
PAN stands for Primary Account Number (the long number on the front of a card), and it is a key piece of cardholder data you are obligated to protect under the PCI DSS. Storing customers’ full PAN data greatly increases your business’s security risk and, consequently, its scope of compliance. Therefore, if you don’t have a business reason to store PAN data, then don’t store it!
If you are storing card data, then you might want to consider tokenisation. Further details can be found here.
Sensitive authentication data (SAD), such as the three-digit code on the back of the card, on the other hand should never be stored by merchants.
If you are writing down card information, we would suggest you stop, now!
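A practical first step for the advice in this section is to find out whether PAN or SAD is already sitting in notes, spreadsheets or logs. The following is an added example (not Gala Technology's code) that scans text for card-number candidates, confirms them with the Luhn check that real PANs pass, masks them to the last four digits, and flags security codes written next to a "CVV"-style label; the sample notes are constructed and the card numbers are standard test numbers, not real cards.

```python
import re

# Constructed sample of the kind of notes an SME might keep (not real data).
SAMPLE_NOTES = """
Order 1042 - customer paid by phone, card 4111 1111 1111 1111 exp 12/26 cvv 123
Call back on 0161 496 0000 re invoice 7781
Refund ref 4111-1111-1111-1112 (typo?)
Token from gateway: tok_8f3a2c9d (safe to keep)
"""

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')
# A 3- or 4-digit value written next to a security-code label is SAD and must not be kept.
SAD_HINT = re.compile(r'\b(?:cvv|cvc|cv2|csc)\b\s*:?\s*\d{3,4}', re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _as_pan(match_text):
    """Return the bare digits if the candidate looks like a PAN, else None."""
    digits = re.sub(r'[ -]', '', match_text)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else None


def find_pans(text):
    """List every Luhn-valid PAN found in the text (phone numbers and typos drop out)."""
    return [p for p in (_as_pan(m.group()) for m in CANDIDATE.finditer(text)) if p]


def mask_pan(pan):
    """Keep only the last four digits, which is how a PAN may be displayed."""
    return '*' * (len(pan) - 4) + pan[-4:]


def redact(text):
    """Replace every PAN in the text with its masked form; other digit runs are untouched."""
    return CANDIDATE.sub(lambda m: mask_pan(_as_pan(m.group()) or '') or m.group(), text)


def find_sad(text):
    """Labelled security codes found in the text; any hit means SAD is being stored."""
    return [m.group() for m in SAD_HINT.finditer(text)]


if __name__ == '__main__':
    print('PANs found:', find_pans(SAMPLE_NOTES))
    print('SAD found:', find_sad(SAMPLE_NOTES))
    print(redact(SAMPLE_NOTES))
```

Running it over the sample reports one PAN (the Luhn-valid one) and one stored CVV, while the phone number and the mistyped card number are left alone.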
8. Restrict the amount of card data in your business environment.
One of the best ways to evidence PCI DSS compliance is by working with third-party service providers to reduce the exposure of card data within your business environment. For example, you can select a payment gateway that tokenises the card data, so the business never handles the raw details.
Another example would be to use a pay-by-link service to accept telephone payments, so the cardholder remains in control of their sensitive data. Rather than asking them to read out their card number (which brings the call into PCI DSS scope), you can send them an email, SMS or electronic invoice for them to complete at their leisure.
Please note that working with a TPSP does not mean that your business can ignore PCI DSS. It remains your responsibility to ensure that the TPSP is itself compliant and to evidence this to your acquiring partner.
For further information about PCI DSS, you can visit our extensive guide here and should you require more advice, please reach out to our team.