by Clive Kahn, chief executive, Cardsave
In an increasingly paperless world, electronic data security has moved quickly up the public agenda. Almost every business now holds confidential customer information, creating enormous potential for data breaches, which can cost customer relationships, damage reputations, and incur hefty fines.
Businesses that take payment by card are especially vulnerable, and as a result, major players in the card payment industry have developed a set of regulations designed to protect both customers and merchants.
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) regulates the payment card data security process. PCI, first introduced in 2006, provides merchants with guidelines on how to prevent, detect and react to security breaches.
PCI compliance is designed to provide merchants’ customers with the comfort that their data is protected.
In 2011 a survey revealed that PCI compliant businesses are less likely to experience data breaches. However, it also showed that 85% of businesses experienced a data breach in 2011.
While the industry has run high-profile campaigns to educate businesses as to the requirements, some, particularly SMEs, still find PCI compliance difficult to understand.
Many of the letters of explanation sent by card services providers are full of incomprehensible jargon and make compliance seem complicated, when in fact, it is very straightforward.
Why PCI compliance?
Quite simply, merchants need to understand that every time they take a card payment, personal data is captured and processed. This could be subject to fraud if not held securely, which can be costly for both the business and its customers.
What’s more, PCI applies to every merchant that takes card payments, whether that is an independent convenience store or a company selling its wares online.
How to become compliant
Many merchants avoid PCI compliance due to the perceived time and expense it entails.
In reality, becoming compliant can be very easy. Merchants need to demonstrate their compliance by being certified by an independent Qualified Security Assessor (QSA), and this certification should be renewed annually.
Online businesses may also be asked to undergo a vulnerability scan. This requires them to log into a website which will assess whether there are any holes in their security that need resolving. The length of time taken to achieve compliance will vary according to the number of security threats revealed by the scan.
How much will it cost?
Charges are difficult to predict. They depend on factors including business type, the number of annually processed transactions and existing IT infrastructure. Online and telephone order merchants can generally expect to pay more than face-to-face retailers.
How do I prepare my business?
Traders can also ease the process of compliance by ensuring basic security is in place when handling card transactions. They should, for example, use regularly updated anti-virus software, train their staff on security issues and properly secure any media that holds personal data.
What if I don’t comply?
If businesses avoid PCI, the cost in time and money could be far greater than the cost of complying. Merchants breaching data security face significant fines, extensive legal fees and long-term damage to the reputation of their business. And, while PCI DSS is not a legal requirement, non-compliant businesses can have their right to handle card transactions withdrawn.
Small businesses shouldn’t feel alone in PCI compliance. Seeking out a card services provider that will help with the administration is a valuable first step.
The best will provide support, taking merchants through the set-up process, and will work hard to minimise costs. It is important to remember that PCI is no longer a choice. Large businesses might recover from the effects of a security breach, but for SMEs and start-ups, the consequences can be crippling.