PCI compliance: Protecting your customers and your brand
As a franchise owner, you’re likely already familiar with the growing concerns surrounding credit card information security. Protecting your customers is high on your priority list and, with the emerging threats of information theft, cybersecurity attacks, and compromised storefront security, this is becoming increasingly difficult. The hurdles continue to stack up. So, what measures are in place to help you ensure you’re doing everything you can to protect the security of information being shared under your watch?
A little background
To help companies improve payment account security, the PCI SSC (Payment Card Industry Security Standards Council) maintains the PCI DSS (Payment Card Industry Data Security Standard), a set of security requirements designed to ensure that companies accept, process, store, and transmit credit card information in a secure environment. Its requirements are grouped under six basic security goals (the standard calls them control objectives):
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Each of these goals includes a set of specific security requirements to guide business owners on the path to a secure storefront and network environment for credit card payments.
So who does this affect, really?
In a word, everybody. If you store, process, or transmit any cardholder data, in-store or online, you must comply. If you accept payments with any card brand anywhere, including through a processor such as PayPal, you must comply. Even if you outsource your payment systems entirely, your acquirer will still require you to validate against a reduced set of requirements (for fully outsourced e-commerce this is the SAQ A self-assessment questionnaire), and you remain responsible for confirming that your payment providers are themselves compliant.
As a franchise owner, it’s important to recognize early on where you stand and the steps you need to take in order to comply. Mapping and assessing your cardholder data environment (CDE: every system, person, and process that stores, processes, or transmits cardholder data, plus anything connected to those systems) early reveals weaknesses sooner and shows where your exposure actually comes from. Once you can name the specific sources of noncompliance, you can reduce that exposure quickly.
And there are stiff penalties for noncompliance. Payment brands may fine an acquiring bank $5,000 to $10,000 per month for violations, and banks typically pass these fines down the chain until they reach the merchant. The bank may also terminate your merchant account or raise your transaction fees. For a smaller business this can be disastrous.
Where should you start?
Meeting the six security goals isn’t the end. In fact, it isn’t even the beginning. Many companies first face the challenge of identifying where to start. Jumping straight into an assessment risks assessing different parts of the organization against different scopes, while skipping a gap analysis can cause you to underestimate (or overestimate) how prepared you are in advance of an assessment. It’s critical that you first identify the processes involved: define the cardholder data environment (CDE), then reduce the number of systems and processes that are in scope, because every system that stores, processes, or transmits cardholder data, or that is connected to one that does, must meet the requirements.
As mentioned above, underestimating the scope of PCI compliance measures could be disastrous. Consider designating a PCI project manager, an individual (or group) who can oversee the transition of people, processes, and technology as you move toward compliance. Be prepared for changes that reach all the way to company culture.
To address these concerns head-on, there are a number of actions franchisees can take now, in preparation for (and during) compliance, and they need look no further than their storefront. First, consider the placement of card reader devices as a possible point of exposure. Positioning them so customers can insert, tap, or swipe their own cards keeps the card in the customer’s hands and removes the hazard of staff handling (and potentially copying) customer card data. Customer-facing terminals also need protecting in their own right: PCI DSS requires you to keep an inventory of card-reading devices, to inspect them periodically for tampering or substitution (an attached skimmer, a swapped unit), and to train staff to spot and report it.
Business owners can also manage their exposure by enhancing their employee training. Raising awareness of information security threats and secure CHD-handling practices during onboarding, and refreshing it at least annually as PCI DSS requires, reduces the likelihood that an attack succeeds, whether it comes from outside or from a careless or dishonest insider. The more you and your staff know about behind-the-counter safety precautions and information security practices (email phishing hazards, password controls, recognizing a tampered card reader, etc.), the better equipped you are to get in front of attacks.
Taking a longer-term view, you might look to establish designated PCI zones in your store. Separating CHD systems from non-CHD systems (for example, designating the front counter and its payment terminals as a PCI zone while keeping your accounting systems, back-office PCs, and guest Wi-Fi outside it) can greatly reduce your exposure and your overall cost of compliance. This only works if the separation is real: the zones must be isolated at the network level (firewall rules or VLANs with access controls, not just separate desks), and that isolation has to be tested, because any system that can reach the CDE is in scope. Data storage under PCI compliance will also require a long-term commitment of time and energy. If you’re storing cardholder data now, or at any point before compliance, you’ll be required to apply the data security requirements to all of it, legacy data included: PANs you keep must be rendered unreadable (truncated, tokenized, hashed, or encrypted), and sensitive authentication data such as full magnetic-stripe contents, card verification codes, and PINs may never be stored after authorization. The cheapest record to protect is the one you never kept, so first find out where cardholder data actually lives, then delete what you don’t need. Thinking about this now will ensure you’re prepared when it comes time to assess and migrate your data.
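One way to start the scoping and legacy-data work described above (finding where cardholder data actually lives before deciding what stays in scope and what gets purged), as an added example that is not part of the original article or any PCI SSC tool: a small Python scanner that looks for card-number-shaped digit runs in files, uses the Luhn check to discard most false positives, and masks each hit to its last four digits so the report itself does not become another store of cardholder data. The record names and contents, and the assumption that spaces and dashes are the only separators you will meet, are constructed for the example; the card numbers are published test numbers, not real accounts.

```python
"""PAN discovery and masking (added example; not from the original article).

Scanning your own files for stored card numbers is the first step in
defining the cardholder data environment (CDE) and in finding legacy data
that must be protected or purged. The records below are constructed test
data; the card numbers are standard test numbers, not real accounts.
"""
from __future__ import annotations

import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
# Assumption: those are the separators found in receipts, logs and spreadsheets.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid candidate PANs found in text, as matched."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m.group(0))
    return hits


def mask_pan(pan: str) -> str:
    """Mask a matched PAN, keeping only the last four digits."""
    digits = _digits_only(pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in text with its masked form."""
    def _sub(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(m.group(0))
        return m.group(0)       # not a PAN: leave the text untouched
    return _PAN_RE.sub(_sub, text)


def scan_records(records: dict[str, str]) -> dict[str, list[str]]:
    """Map each record name to the PANs found in it (empty list if clean)."""
    return {name: find_pans(body) for name, body in records.items()}


# Constructed sample data: a POS log line, a legacy spreadsheet export and a
# clean accounting note. 4111 1111 1111 1111 and 5500000000000004 are
# well-known test numbers; 1234567890123456 fails Luhn and is a false positive,
# as is the 14-digit invoice number in the accounting note.
SAMPLE_RECORDS = {
    "pos.log": "2023-04-01 12:01:07 AUTH ok pan=4111 1111 1111 1111 amt=12.50",
    "legacy_customers.csv": "jane,5500000000000004,2019-11-02\njoe,1234567890123456,2019-11-03",
    "accounting.txt": "invoice 20230401-000123 total 412.00",
}

if __name__ == "__main__":
    for name, pans in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {len(pans)} PAN(s) found")
        for p in pans:
            print("   ", mask_pan(p))
    print(redact(SAMPLE_RECORDS["pos.log"]))
```

Run it over exported logs, spreadsheets, and database dumps before an assessment; anything it finds outside your intended PCI zone either pulls that system into scope or has to be purged. The Luhn check removes most random digit runs (order numbers, timestamps) but not all of them, so treat hits as leads to verify, not as proof.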
You’re already aware that securing credit card information is critical to your business and your customers. But taking the necessary steps to attain and maintain PCI compliance begins with understanding why it’s imperative to start now.