Does your organization already accept debit and credit cards? If the answer is yes, you need to follow the Payment Card Industry Data Security Standard (PCI DSS).
The purpose of PCI DSS is to establish a worldwide information security standard for every business that processes or stores credit card and cardholder data. The standard is revised every couple of years; the last review was in late 2010.
In a study by the National Retail Federation (NRF), most businesses stated that they care about the security of their customers and believe that keeping their clients’ information safe is good for business. However, fewer than half of the respondents claimed to be PCI compliant. It is no surprise that maintaining an up-to-date security system and securing clients’ information can be costly and time-consuming, but a data breach can be detrimental to a business and can even force it to shut down completely.
So what can a business do to protect its customers’ card information?
One of the most important things a business can do to protect a cardholder’s information is to encrypt the data from the moment it is swiped at the payment terminal, typed into a keypad, or submitted online. Once the credit card data has been captured, it should remain encrypted all the way to the processor.
The point of encryption is to make the data practically unusable to thieves if they intercept it. Any information sent unencrypted, in plain text, can be easily intercepted and stolen.
Limit the Cardholder Data Environment
Every place where you store customer data relating to credit cards is part of the “Cardholder Data Environment”, or “CDE” for short. That can be a computer, a file cabinet, or anywhere else. Wherever you store customer credit card data, it must be protected to meet PCI DSS requirements. By limiting access to the CDE, you help protect your clients and stay within the compliance requirements.
As a complement to encryption, tokenization assigns a unique number (a token) to a transaction and stores the actual card data on a secured central server. The token replaces the credit card number and customer data, and later transactions, such as returns and recurring charges, can be referenced and posted using the token. The token itself is a random number assigned to that particular data set and is worthless to outside entities; it serves only as a reference to prior transactions.
With tokenization, the customer data does not need to be stored locally. This adds another level of security, because the sensitive information is held in one secured central location while the tokens become the “public face” of the transactions.
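The tokenization flow described above, as an added illustration that is not part of the original article and not any particular processor's product: a hypothetical in-memory vault that issues random tokens, keeps the card number (PAN) on the vault side only, and lets the merchant post a recurring charge by token. The Luhn check, the keyed fingerprint used to reuse a token for a repeat card, and the record layouts are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check so malformed card numbers are rejected before they reach the vault."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical central store: holds the PAN, hands only a token back to the merchant.
    In-memory for the example; a real vault encrypts PANs at rest and runs at the processor."""

    def __init__(self, index_key: bytes):
        self._pan_by_token = {}   # token -> PAN, readable on the vault side only
        self._token_by_fp = {}    # keyed HMAC of PAN -> token, so a repeat card reuses its token
        self._index_key = index_key

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp not in self._token_by_fp:
            token = "tok_" + secrets.token_hex(16)  # random: carries no information about the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return self._token_by_fp[fp]

    def detokenize(self, token: str) -> str:
        """Resolved inside the vault when a return or recurring charge is posted."""
        return self._pan_by_token[token]

def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps: the token and a masked number, never the full PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "**** **** **** " + pan[-4:]}

def recurring_charge(vault: TokenVault, token: str, cents: int) -> dict:
    """A later transaction referenced only by token; the PAN never leaves the vault."""
    pan = vault.detokenize(token)
    return {"token": token, "amount_cents": cents, "pan_last4": pan[-4:]}
```

The merchant side never sees anything but the token and the masked display string, which is what keeps the local systems out of the cardholder data environment.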
Finally, an organization that wants to be PCI compliant but does not have the time or money to invest in it can work with a third-party provider that offers PCI-compliant equipment and payment gateways. By working with an outside PCI-compliant payment processor, transactions are encrypted and assigned a token automatically, without any extra work for the merchant. To find a PCI-compliant provider, check out our recommended credit card processors.