Data security is serious business, and failing to keep your customers’ data secure is not only bad policy, but can be very expensive in the event of a data breach. Many of you may have heard of the various standards for data protection, for example, for health records we have HIPAA, for online personal data and privacy we have GDPR in the EU, and the CCPA for California residents. For credit card data security we have the Payment Card Industry Data Security Standards (PCI DSS). In this article we’re going to look at a top-level view of the requirements and also address the costs and risks associated with non-compliance.
The PCI Data Security Standard applies across the entire payment ecosystem. It sets the requirements for accepting, handling, storing and transmitting sensitive payment information at every level, from the merchant to the banks and everything in between. The PCI DSS consists of 12 major requirements grouped into 6 categories:
| Category | # | Requirement |
|---|---|---|
| Build and Maintain a Secure Network and Systems | 1 | Install and maintain a firewall configuration to protect cardholder data |
| | 2 | Do not use vendor-supplied defaults for system passwords and other security parameters |
| Protect Cardholder Data | 3 | Protect stored cardholder data |
| | 4 | Encrypt transmission of cardholder data across open, public networks |
| Maintain a Vulnerability Management Program | 5 | Protect all systems against malware and regularly update anti-virus software or programs |
| | 6 | Develop and maintain secure systems and applications |
| Implement Strong Access Control Measures | 7 | Restrict access to cardholder data by business need to know |
| | 8 | Identify and authenticate access to system components |
| | 9 | Restrict physical access to cardholder data |
| Regularly Monitor and Test Networks | 10 | Track and monitor all access to network resources and cardholder data |
| | 11 | Regularly test security systems and processes |
| Maintain an Information Security Policy | 12 | Maintain a policy that addresses information security for all personnel |
Within each of these categories are additional requirements that are placed on each type of entity. The manner in which you process, store and transmit cardholder data determines the scope to which these standards apply. Any point in your payment process where cardholder data is entered, saved or stored, or transmitted, and anything that touches those systems, is covered by the PCI DSS, and your business is responsible for maintaining compliance. This means your business should have plans and policies in place to ensure that your company and its procedures keep cardholder data safe in a PCI compliant manner.

In addition to building and maintaining these systems, all entities are required to certify their compliance each year. At the merchant level, there is a required annual PCI Self-Assessment Questionnaire (SAQ). This questionnaire is an attestation that the business has the policies and systems in place to comply with the PCI DSS. Additionally, some merchants may be required to complete quarterly network and/or website vulnerability scans. Failure to complete the SAQ or the required scans can result in non-compliance penalties charged by the processor. This is the first fee that many people will see, and it can be easily avoided. If you see a non-compliance fee on your month-end statements, talk with your representative to see how you can complete the SAQ.
If all of this sounds complicated and risky, there is hope. Businesses can reduce their compliance burden and scope by incorporating PCI compliant software and hardware into their payments ecosystem. For example, instead of building your own checkout page, you can use a hosted PCI compliant checkout page (one may already exist within your shopping cart). This means the sensitive data never touches your website or servers. By outsourcing the hosting of the payment page, you remove your website from scope, reduce your own liability and ease the compliance burden. However, you have to make sure that you are using a PCI validated solution and stay on top of monitoring the PCI status of your software. This will likely include applying timely updates and confirming PCI status with your vendor on an annual basis.
Additionally, if you are using a countertop device or PIN pad attached to a POS system, you can look for a solution that is PCI P2PE validated. P2PE stands for Point-to-Point Encryption. Card data is encrypted inside the validated device and decrypted only by the P2PE solution provider, so your POS system never handles it in the clear and sensitive data stays encrypted throughout the entire transaction process. This can help limit the scope of your PCI compliance requirements.
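The scoping point above cuts both ways: cardholder data that leaks into application logs, exports or support tickets silently pulls those systems into scope, so a practical check is to look for unmasked card numbers (PANs) in places they should never appear. The following is an added example, not code from the original article or from any PCI vendor: a small Python scanner that finds candidate PANs in text, uses the Luhn mod-10 check to discard most random digit runs, and redacts real hits to the last four digits. The log lines are constructed for the example and the card numbers in them are the well-known industry test numbers, not real accounts.

```python
import re

# Constructed sample log lines for this example (not from any real system).
# The two card numbers are the standard Visa and Mastercard *test* PANs.
SAMPLE_LOG = """\
2024-01-05 10:01:12 INFO  checkout started order=1001
2024-01-05 10:01:13 DEBUG gateway request card=4111111111111111 exp=12/27
2024-01-05 10:01:14 INFO  order=1002 ref=ORD-123456789012345
2024-01-05 10:01:15 DEBUG fallback card=5500 0000 0000 0004
2024-01-05 10:01:16 INFO  txn ok token=tok_8f3a masked=411111******1111
"""

# A PAN is 13-19 digits, possibly grouped with spaces or hyphens.
# The lookarounds stop us from matching the middle of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return (1-based line number, digits-only PAN) for every Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = _digits_only(m.group(0))
            if luhn_ok(digits):
                hits.append((lineno, digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, well within what PCI DSS allows to be displayed."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Replace every Luhn-valid PAN in the text with its masked form; leave other digit runs alone."""
    def _sub(m):
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


if __name__ == "__main__":
    for lineno, pan in find_pans(SAMPLE_LOG):
        print(f"line {lineno}: unmasked PAN ending in {pan[-4:]}")
    print(redact(SAMPLE_LOG))
```

Run against a real log directory, a non-empty result from `find_pans` means that system is storing cardholder data and is therefore in scope; `redact` is the shape of filter you would put in front of the logging pipeline so the data never lands on disk in the first place. Note that the order reference on line 3 is a 15-digit number that the regex picks up but the Luhn check rejects, and the already-masked value on line 5 is never matched because the asterisks break the digit run.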
So what constitutes a data breach? A data breach occurs when sensitive data is accessed or copied for any reason outside of your legitimate business purposes. This can include an employee skimming card numbers, copying paper authorization forms, or improperly accessing systems and stealing data. It can also include malware or other software or hardware intrusions designed to intercept cardholder data on your website, POS software, internal servers, etc. and transmit it to a malicious third party. When a data breach happens, it is the merchant's responsibility to correct the problem and notify all interested parties. This includes your Merchant Services Provider, the Acquirer and the card brands. The PCI SSC provides a document titled Responding to a Cardholder Data Breach that has helpful information on how to navigate the process. In addition to notification, the merchant will also need to conduct appropriate audits, both internally and using a PCI Forensic Investigator (PFI), and work to make appropriate changes to their systems quickly and effectively to prevent any further breaches.
When a data breach occurs, several costs follow, both direct and indirect. The direct costs of a data breach include fines and fees levied by the payment card brands, reimbursement of the cost of reissuing compromised card numbers, hardware and software upgrades, and audits. Your company may also be liable for fraud that occurred as a result and for civil penalties, and may be subject to lawsuits. According to research by IBM and the Ponemon Institute, the average total cost of a data breach in 2020 was $3.86 million.
At this point, if you are a small business, you may be thinking, "I don't deal with millions of card numbers, how do these numbers apply to me?" According to a survey completed by the software developer AppRiver in 2019, 67% of Small to Medium Businesses (SMBs) estimated their exposure from a data breach at $25,000 or less, with half of those respondents stating their exposure was under $10,000. The reality, according to that same survey, is that the average cost of a data breach for SMBs in 2019 was $149,000.
An article posted by SecurityMetrics on their website breaks down some of the potential costs as follows:
- Merchant processor compromise fines: $5,000 – $50,000
- Forensic investigation: $12,000 – $100,000+
- Onsite QSA assessments following the breach: $20,000 – $100,000
- Free credit monitoring for affected individuals: $10 – $30 per card
- Card re-issuance penalties: $3 – $10 per card
- Breach notification costs: $2,000 – $5,000+
- Technology repairs: $2,000 – $10,000+
- Increased monthly card processing fees
- Legal fees
- Civil judgments
For many small businesses, a sudden exposure like this would be catastrophic, and your general liability policy likely does not include cyber liability or data breach coverage unless you carry a separate policy.
While PCI compliance may seem like a nuisance to some, it is an unavoidable reality. As many businesses have moved online or allowed employees to work remotely, the risks have only increased and should be taken seriously. Otherwise you may find yourself in the unenviable position of cleaning up after a data breach.
For more information on how to protect yourself from a data breach, here are some additional resources to help in putting together your security policy: