How to Comply With the New Payment Card Industry Data Security Standards
The scan results are meant to show a merchant the state of its patch management and other security measures that help keep Internet attackers out.
Why is it important that merchants take the new standards seriously? “If a merchant’s system gets hacked into, the PCI fines are passed through to them by the acquiring bank,” Botelle says. And such fines can be so stiff they may actually put some merchants out of business, he notes.
Moreover, if you can’t or won’t comply with the standards, the acquirer may stop servicing your business, or it may hold a larger reserve against your account to cover the fines and penalties it expects to pass through. “The liability can be overwhelming,” Botelle says.
Paul Garcia, vice president of risk management at First National Merchant Solutions, an Omaha, Neb.-based acquiring bank, says the biggest reason to comply is to protect your company’s reputation. “Consumer confidence is shaky, given the recent news of so many [data-security] breaches,” he explains. “Your brand image is on the line if vulnerabilities in your data-security systems are uncovered.”
What steps should merchants take in the compliance process?
- Raise awareness in your company about PCI. “Some companies have not made PCI a priority across their entire enterprises,” Garcia says. “Not everyone has fully embraced it yet.”
- Inventory your hardware, software and payment-processing procedures. This will give you a better understanding of how you can adhere to the PCI standards, says Paige Rivard, manager of client services for First National Merchant Solutions.
- “Enlist the services of a qualified data-security company as soon as possible to help with the auditing and compliance process,” Rivard notes. Ask your acquirer for a list of data-security vendors approved under the PCI program.
- Most importantly, don’t panic. Botelle advises, “Take a step back and look at your systems through the questionnaire’s eyes. Oftentimes merchants find they need to reinstitute a procedure they once had in place, for example, encrypt credit card data. Sometimes a merchant just needs to redefine a procedure.”