PCI Compliance – What You Need to Know

Mark Canes

Payment Card Industry (PCI) compliance means adhering to the PCI Data Security Standard (PCI DSS), a set of requirements designed to protect cardholder data. It applies to any business that stores, processes or transmits payment card data, whether online or offline. PCI DSS itself consists of 12 requirements, and they are the same for every merchant; what varies is how you must validate compliance. Each card brand assigns merchants to a level based on annual transaction volume, and that level determines whether you complete a Self-Assessment Questionnaire (SAQ) or undergo an on-site assessment by a Qualified Security Assessor (QSA), and what supporting evidence, such as quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), must accompany it. Because transaction volumes change, it is important to review your merchant level regularly to ensure you are validating against the correct requirements.

The PCI Security Standards Council describes ongoing compliance as a three-step cycle:

Assess
  • Take inventory of your company's IT assets and business practices that handle payment card data, and identify where cardholder data is stored, processed or transmitted
  • Analyze these for vulnerabilities that could expose cardholder data

Remediate
  • Implement the processes and equipment needed to fix and manage the vulnerabilities you identified, and stop storing cardholder data you have no business need to keep

Report
  • Gather the data and records PCI DSS requires to confirm your company's remediation
  • Submit compliance reports to your acquiring bank and to the payment brands you work with

Failing to validate your business's compliance at the correct merchant level, or failing to meet the requirements themselves, can lead to fines and penalties and ultimately to losing the right to accept cards. Aside from those penalties, non-compliance leaves your company exposed to data theft: an attacker who gets hold of a database that holds card numbers in clear text walks away with everything in it. This is why PCI DSS requires stored primary account numbers (PANs) to be rendered unreadable, for example by truncation, tokenization or strong encryption with properly managed keys, and why sensitive authentication data such as the full magnetic stripe, the card verification code and the PIN may not be stored after authorization at all.

Review Existing Processes

If your company handles cardholder information, you need a system in place to protect it. In practice, the hard part is often your existing processes rather than the technology:

  • Employee habit: staff may type card numbers into unencrypted fields, such as a notes or comment field on a customer or order record, simply out of habit or because there is no convenient secure place to put them. The same goes for writing card details on paper or keeping them in a spreadsheet. Every one of those places then holds cardholder data and falls within the scope of PCI DSS, and any card verification code recorded alongside the number is data that may not be stored at all.
  • Data migration: moving all of the card data your company has accumulated in unencrypted fields into a secure store (or replacing it with tokens from your payment processor) is a time-consuming and tedious migration, and it is only as thorough as your ability to find every place the data lives.

Find PCI Compliant Software

The solution? Assess and change your business processes and policies, and make sure the ERP software you use to handle card data supports compliance rather than undermining it. That means the ERP should keep cardholder data out of ordinary business fields entirely, holding it only in a separate, encrypted store (or holding a token from your payment processor in place of the card number), and the vendor should have a team of experts who can properly help you with the data migration. Look for payment functionality that has been validated against the PCI software standards (PA-DSS, now superseded by the PCI Secure Software Standard), and be wary of the phrase "PCI compliant software": compliance is a property of your whole environment, not a label a product can carry on its own. Some vendors also provide integrated credit card processing, letting you take payments directly from the Accounts Receivable, Record Payments or Sales Order screens through a software-based card terminal. Integrated processing saves time and money, shortening card processing time and removing the monthly rental fees for physical terminals, and it improves accuracy by eliminating the re-keying of amounts into an external terminal.

(Keep in mind that software is only one part of the puzzle, albeit a crucial one: to be fully PCI compliant you need to go beyond the software to your network, your people and your processes.)

Being proactive about meeting the PCI DSS requirements that apply to your business each year will save your company the time and money of dealing with compliance issues after the fact, reassure your customers that their data is safe, and help your business remain competitive.