These days, even mom and pop companies are being held to payment card industry (PCI) standards.
In December, 2006 The TJX Companies, which operates T.J. Maxx and Marshalls stores, suffered a data breach in which hackers stole data for more than 45 million credit cards. Beyond canceling their own and their employees’ cards, most small businesses assumed the incident would have little effect on them. But they were wrong.
Compliance with data security standards from the Payment Card Industry Security Standards Council -- an independent group formed two years ago by a group of credit-card companies, such as American Express, Discover Financial Services, and VISA International -- has long been a contractual requirement for any company accepting credit card payments. But until recently, few small companies were actually held to the standard. Now, in the face of several high-profile security breaches, credit card companies are requiring compliance from smaller and smaller customers. Security consultants routinely advise clients that every company they do business with should comply with PCI standards. And those who ignore the standard sometimes find they’ve made a costly mistake.
“One small merchant did less than 5,000 credit card transactions a year,” reports Rick Dakin, CEO of Coalfire Systems, a security provider that audits for PCI compliance. The merchant had failed to meet PCI requirements, and suffered a security breach, he says. “Between fines, penalties, and the cost of the forensic investigation, that company wound up paying more than $50,000,” Dakin says.
The principles of compliance
How do you go about achieving and demonstrating compliance? Though larger companies are required to have third-party audits, most small companies can fulfill PCI requirements with a self-audit and attestation that they comply with the guidelines in the standard. Here’s a quick look at the most important of those guidelines:
- Don’t store what you don’t need. In fact, you’re best off if you avoid storing customer’s credit card data altogether. “Often, smaller organizations don’t store credit card data themselves, they just transmit it directly to a third party as it arrives,” says Marc Othersen, senior analyst, Forreseter Research. That model makes PCI compliance much simpler he says, since it eliminates worry about following storage security guidelines.
- Encrypt what you transmit. The data you transmit over public networks, including the Internet and especially wireless must be protected by encryption, the standards say, and not just wired equivalent privacy (WEP), but stronger encryption as well. Othersen recommends layers of encryption, in which not only the transmission is encrypted, but the data itself is divided into smaller chunks and sent in encrypted form.
- Make sure data downstream stays secure. Once you transmit data to a vendor that will actually process payments, it may no longer be in your control. But you’re still responsible for making sure it’s handled securely. That means seeing to it that the vendor is PCI compliant and that your contract not only requires continued compliance but indemnifies you if the vendor suffers a data breach.
- To help determine if a vendor is PCI compliant, the PCI Security Council provides a list of questions to ask about how it handles your customers’ data. It’s worth taking the time to ask them. “Less than 15 percent of processing vendors are compliant,” Dakin says.
- If you do store credit-card data, encrypt and isolate it. “Encrypting data while it’s stored is important,” Othersen says. “If someone steals it, it will be much harder to use.” It’s equally important to limit access to the data only to employees who really need it, and to use logs to record precisely what happens anytime anyone accesses the data.
- Be especially vigilant if you actually handle the card. “Most of our investigations have nothing to do with online fraud,” Dakin says. Instead, investigators spend most of their time on thefts related to point of sales card-swiping devices that can read magnetic-strip data.
The PCI Council recommends against ever storing magnetic strip data, and with good reason. “There’s info on the magnetic strip that’s much more valuable than the name, address, card number, expiration date and (sometimes) security code merchants typically gather over the phone or the Internet,” Dakin says. “The information on the magnetic strip can actually be used to re-create the card itself, and it will appear to be perfectly legitimate.”
Once you’ve got your credit-card data security in place you can probably show compliance by filling out one of the PCI Security Council’s Self Assessment Questionnaires and Attestations of Compliance. Which questionnaire you complete depends on whether you actually take imprints of cards, whether you store, or simply transmit data, how that data is sent, and a variety of other factors. Detailed instructions, as well as the questionnaires themselves, can be found on the council's website.
Filling out the assessment may be lengthy -- one version is 37 pages long. But it provides a road map for making sure you become compliant and stay that way. And, these days, you can’t afford not to be.