More than likely if you've interacted with one of our staff, you've probably heard us talk about PCI Compliance, and you may have wondered, "What is it?" and, "Why do they seem to think it's so important?" The truth is that, yes it is important, but it's important to understand how it applies to you.
PCI stands for "Payment Card Industry". However, when we talk about PCI, what we are actually referring to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of rules and regulations that cover nearly every aspect of data security and integrity relating to consumer credit card data. It is massive, worded in sometimes confusing ways, and a lot of it doesn't directly apply to merchants. But the part that does relate to merchants can put you in hot water if you're not in compliance.
To simplify, let's cover a few key factors that can help keep you in compliance.
1. Change default passwords
When you purchase new computers or network equipment, the first thing you should do is set a secure password. By not changing default login information, you leave your system vulnerable to attacks or the placement of malicious software that can steal transaction data. Think of changing your passwords as closing the windows and back doors to keep the pests out.
2. Restrict access to sensitive information
Customers credit card data should always be restricted on a "need to know" basis. Only employees who are trustworthy and directly involved should have access to credit card data. Small data breaches are often caused by dishonest employees, by restricting access, it minimizes the risk of someone taking that information and using it for fraudulent purposes.
3. Always use PCI compliant vendors
When purchasing a terminal, setting up an online shopping cart software or using a virtual terminal, always check to verify the machine/software is PCI compliant. If any of your software, hardware or 3rd party service providers that handle credit card data are not PCI compliant, you are also not PCI compliant.
4. Whenever possible, do not store consumer credit card data
Whenever you hold customer credit card data, you are putting yourself at risk of a data breach. If you must keep a paper copy, keep them in a locked cabinet with restricted access. If you need to keep cards on file, a better solution may be to use a PCI compliant online gateway. While there is a monthly service fee, these vendors hold the liability for any fraud in the event that their system is breached; saving you the headache and the cost.
5. Complete your annual SAQ
The SAQ is the main reason merchants are charged a "PCI Noncompliance Fee". For most small merchants, it can be completed in 10-15 minutes, and a completed SAQ is valid for 1 year. Agapay is always happy to help our merchants navigate the questions, just give us a call if you need help logging in or completing the questionnaire.
While this list is not exhaustive, it gives you a few simple things you can do to be in compliance. If you have any questions feel free to call us at 1 (800) 644-3909 or email us at [email protected]
The Agapay Team