Congratulations. It is 2021 and, so far, your business has survived the Great Culling of 2020, the global pandemic of COVID-19
Just as some people found ways to improve themselves while quarantined by learning to bake bread or brew beer, or taking up reading or yoga, some businesses thrived under quarantine protocols. Whether your business thrived or struggled to survive, it is safe to say that the phrase “adapt or die” truly showed its relevance in 2020 — especially for small businesses.
More credit card transactions mean more opportunities for them and more security obligations for you.
If your business is web-based, like Amazon or DoorDash, these may be bonanza times for you. If you run a brick-and-mortar business, then depending on the state you live in, you may have had to modify your business model, at least temporarily, in ways that had never before crossed your mind. Restaurants and auto-parts stores adopted curbside pickup, for instance, or became cash-free environments. Suddenly, you found yourself taking orders and billing information over the telephone.
Regardless, it is great that your business has found a way to make it in this year of the new normal, but survival means new responsibilities because, as you are likely aware, legitimate business owners are not the only ones adapting to this new world; cybercriminals love it. More credit card transactions mean more opportunities for them and more security obligations for you.
You may believe your primary obligation is getting your product to your customer, but in the grand scheme of things, protecting your customers' personal information and cardholder data is more important. While ensuring your customer receives what they paid for is important, hard goods can easily be replaced, whereas a security breach that reveals your customer’s personal information and cardholder data can result in such problems as identity theft, and there is a great chance that your failure to provide adequate protection will result in the permanent loss of that person as a customer in the future.
It is pretty easy to figure out what a customer’s personal information consists of; the obvious elements like name, address, telephone number and date of birth certainly fall under the category of personal information, but what else does cardholder data encompass?
Cardholder data, for the purpose of this article, is the Personal Identifiable Information (PII) that is kept on the magnetic strip found on the back of any credit, debit or ATM card. The cardholder data stored is typically the account number, cardholder name and expiration date, as well as the service code, also known as the CVV or CVV2, depending on the bank issuing the card.
Fortunately, for consumers and merchants alike, there is the Payment Card Industry Security Standards Council, hereafter referred to as the PCI SSC.
The PCI SSC was created in 2006 by American Express, Discover, JCB International, MasterCard and Visa, and its mission is to enhance credit card data security by developing standards, practices and services. Part of this was accomplished with the establishment of the PCI Data Security Standard (PCI DSS).
The PCI DSS lists 12 requirements for a merchant to become PCI-compliant. These requirements range from the basics such as using a proper firewall to protect unauthorized access to the servers that store and transmit your customer’s cardholder data, and not using default passwords provided by any third-party vendors you might use. Additionally, updating anti-virus software, testing your security systems and establishing a policy that addresses information security for employees and any relevant contractors is required.
Whether your business is face-to-face with your customers inserting their credit card into a terminal, or your business is entirely web-based and you never interact with the customer or their credit card information, if you accept any credit or debit card as a means of payment, you have an obligation to be PCI-compliant to some degree.
Failure to be PCI-compliant can be expensive as the penalties levied by the credit card company on the acquiring bank (credit card bank) can range from $5,000 to $100,000 per month, in addition to possible legal action, loss of revenue and the inevitable loss of consumers' trust.
Fortunately, becoming PCI-compliant does not have to be as difficult as it might seem on the surface. You will have to fill out a self-assessment questionnaire and the associated Attestation of Compliance annually, but the technical portion is easy and usually free as most merchant service providers have partnered with certified PCI vendors and assessors.
Jonathan Corona has 15 years of experience in the electronic payments industry. As MobiusPay’s EVP, Corona is primarily responsible for day-to-day operations as well as reviewing and advising merchants on a multitude of compliance standards set forth by the card associations. MobiusPay specializes in merchant accounts in the U.S., EU and Asia. Follow them @MobiusPay on Twitter, Facebook and IG.