If a customer ever pays your business with a credit card, you are responsible for making sure your data handling practices are PCI compliant. PCI DSS, the Payment Card Industry Data Security Standard, is the set of rules that governs how businesses may store, retrieve and use cardholder data. It was set up to protect consumers from card fraud, and merchants that don't do their part face substantial fines from the card brands and their acquiring bank.
Varying PCI Requirements
Specific PCI requirements depend on how your business accepts credit card payments and which merchant services you use. Merchants are sorted into categories, each with its own self-assessment questionnaire, including:
Ecommerce (card-not-present) merchants that never handle a physical card and have outsourced all payment processing to a third party
Imprint-only merchants that do not use electronic swipe machines and store no cardholder data electronically
Merchants whose web-connected payment application is supplied by a certified vendor
Any merchant not covered by the three categories above
Electronic Credit Card Data
Companies that store credit card information for repeat payments or orders must meet the PCI DSS requirements on software and encryption for stored cardholder data. The primary account number (PAN) must be rendered unreadable wherever it is stored (strong encryption, truncation or tokenization), and when it is displayed it must be masked so that, after first entry, employees see no more than the last four digits. The card verification code (CVV/CVC) and full magnetic-stripe data may never be stored after authorization, even in encrypted form. Together these controls protect customer financial data from outside attackers and malware as well as from theft of card numbers by insiders.
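The "store encrypted, show only the last four" pattern described above, as an added example that is not code from the original article or from any particular vendor. It assumes a 32-byte AES key supplied by the caller (in practice held in a KMS or HSM, never in the database next to the ciphertext), uses the standard test number 4111 1111 1111 1111 as constructed input, and has no field at all for the CVV, since that must not be stored after authorization:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"strings"
)

// StoredCard is what the database row holds after first entry: only the
// last four digits in the clear, plus an AES-GCM ciphertext of the full PAN.
// There is deliberately no CVV or track-data field: PCI DSS forbids storing
// sensitive authentication data after authorization, encrypted or not.
type StoredCard struct {
	Last4      string
	Nonce      []byte
	Ciphertext []byte
}

// luhnValid rejects mistyped PANs before anything is stored.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 13 && len(pan) <= 19 && sum%10 == 0
}

// StoreCard validates the PAN, keeps only the last four digits in the clear,
// and encrypts the full number under key (32 bytes => AES-256) with a fresh nonce.
func StoreCard(pan string, key []byte) (*StoredCard, error) {
	pan = strings.ReplaceAll(pan, " ", "")
	if !luhnValid(pan) {
		return nil, errors.New("invalid PAN")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	last4 := pan[len(pan)-4:]
	// Bind the ciphertext to the visible last4 as additional authenticated data,
	// so a row whose ciphertext and last4 have been swapped fails on decrypt.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(last4))
	return &StoredCard{Last4: last4, Nonce: nonce, Ciphertext: ct}, nil
}

// Masked is the only view ordinary staff and application screens should get.
func (c *StoredCard) Masked() string {
	return "**** **** **** " + c.Last4
}

// Reveal decrypts the full PAN. It belongs behind a separately authorised and
// logged code path (e.g. submitting a repeat charge to the processor), never a UI.
func (c *StoredCard) Reveal(key []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, c.Nonce, c.Ciphertext, []byte(c.Last4))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed sample key; real deployments fetch it from a KMS/HSM
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	card, err := StoreCard("4111 1111 1111 1111", key) // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Println(card.Masked())
	pan, _ := card.Reveal(key)
	fmt.Println(pan)
}
```

The split between Masked and Reveal is the point: the application's normal screens and reports only ever read Last4, while the key needed for Reveal is available only to the process that actually talks to the payment processor. Many merchants avoid holding the key at all by letting the processor tokenize the card and storing only the token and last four, which takes the stored PAN out of their PCI scope entirely.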
Many companies don't have the technical resources, time, or desire to develop PCI compliant systems in house. There are a number of certified vendors that offer PCI-compliant web portals or software programs. Though the vendor does the legwork to provide PCI security, it's important to remember that your company is ultimately responsible for compliance. Protect your business from fines and PCI audit troubles by selecting your vendors carefully: ask for their current attestation of compliance and confirm it covers the services you actually use.
Hard Copy Credit Card Data
Although the proliferation of mobile payment solutions is cutting down on paper use, companies must still be vigilant about hard-copy credit card data. Train employees to write card details on paper only when absolutely necessary, and never to record the card verification code at all. Credit card information should never be left unattended or in the open; keep it locked away while it is needed. Your company must have a well-documented process for handling such data that ends with the paper being shredded or otherwise destroyed in a controlled environment once it is no longer needed.