How to ensure your credit card systems are PCI compliant Featured

8:01pm EDT December 31, 2010
How to ensure your credit card systems are PCI compliant

As fears of identity theft and online privacy concerns increase, PCI compliance has become a vital priority to any company that deals with credit card information. If you allow customers to pay with a credit card, you have to pay attention to the regulations and stay compliant. The consequences are severe: Just one data breach can wreck your company’s finances and reputation in one fell swoop.

“Everyone is bound by PCI compliance,” says Zack Schuler, founder and CEO of Cal Net Technology Group. “It doesn’t matter if you are a small, ‘mom and pop’ hardware store or a national retail chain; if you accept credit cards, you have to adhere to the rules.”

Smart Business spoke with Schuler about what business owners need to know about PCI compliance, and how to ensure your business isn’t breaking any rules.

What is PCI compliance?

PCI compliance is a standard that has been required by the credit card companies that defines the way that anyone who accepts a credit card has to protect that card information. It is a very specific standard that outlines all of the data protection requirements, as well as the physical security requirements and all types of other issues as they relate to security, with the end goal of making sure the card information is protected.

Regardless of whether you are a small, one-location business or a national retail chain, everybody is bound by the rules of PCI compliance.

Why is it important for companies to be compliant?

The first reason it is important is because if your systems are hacked, and you are PCI compliant, the chances of the intruder being able to get to some of your protected credit card information is quite slim. If you follow the security protocols outlined in the compliance standard, you should be all right.

Now, if you are not following the rules in terms of protecting that credit card data, you probably won’t be as lucky. For example, if your point of sale system that collects credit card information does not encrypt the swipe data, then that POS system is more easily compromised and hackers would be able to take all of that data.

What will happen in that situation is the credit card companies will be able to link the breach to you, because they have very sophisticated software programs that track where the breach happened, and narrow it down to a single location at which a credit card was used. When they collect all the different cards that were part of the breach, and they see that all the cards had one thing in common — this particular location on this particular day — you’re in trouble.

What type of trouble is possible in the event of a breach?

‘Trouble’ involves being fined by the credit card companies. There are different levels of PCI compliance to which companies must adhere. The compliance goes from level 1 to level 5. A small mom and pop store will be at level 5, because they are not collecting a ton of credit card information. A national retail chain or eBay will be at level 1.

However, if your company is at level 3 and the company is subsequently hacked, you immediately have to build up to the security protocols of a level 1 company. And the necessary work to put in those most stringent security protocols is astronomically expensive.

Why should companies pay attention to this issue sooner rather than later?

Cyber crime is on the rise. On a go-forward basis, it is just going to keep becoming more of an issue. More and more companies are getting hacked. That is the reality. There are hacking toolkits out there that make it easy to hack companies. More and more companies are having their credit card information stolen from them. If your company is taking credit cards, it’s your job to protect the consumer and not share that information with anyone else. If you are hacked, the credit card company will find out about it and it will be expensive.

Also, if you don’t comply with what the credit card companies are asking of you, they will make it so you can’t take credit cards anymore.

How does a company know what level of compliance it must reach?

Anyone who accepts credit cards has received a self-assessment questionnaire from the credit card company. The credit card companies will tell you, based on volume and other various factors, what compliance requirements are necessary for you.

What steps should be taken to ensure compliance?

The first and best step is to hire a company that understands PCI compliance to come in and assess your computing environment to determine if you are in or out of compliance. If you are out of compliance, an assessment will help you determine what steps are necessary to regain compliance.

Next, going through that self-assessment questionnaire on your own or with your information technology team, because a lot of the questions are IT-related, will give you a good idea of your current compliance status.

If you’re going through the questionnaire and it asks a bunch of technical questions like ‘Do you have a firewall in place that segregates your network traffic?’ and you keep answering no, it is probably pretty likely that you have some work to do. The questionnaire can provide a good indicator of whether your company is compliant or not.

Zack Schuler is the founder and CEO of Cal Net Technology Group. Reach him at ZSchuler@CalNetTech.com.