PCI compliance sounds complicated, but the most important thing to know is simple: if your business accepts the major credit card brands, your merchant agreement with your acquiring bank requires you to comply. PCI DSS is not a law; it is a contractual obligation, and the fines and costs for falling short are real.
Visa, MasterCard, American Express, Discover, and JCB created the Payment Card Industry Data Security Standard (PCI DSS) in 2004 to protect cardholder data by requiring that every merchant meet minimum standards for storing, processing, and transmitting it. The practical consequence: if a merchant suffers a breach and cannot demonstrate PCI compliance, the merchant, not the card brand or the issuing bank, bears the fines, assessments, and cleanup costs.
Why is PCI compliance such a big deal in 2015? With data breaches rocking major corporations like Target, Home Depot, JPMorgan Chase, Neiman Marcus, and Michaels in 2014, average consumers, government regulators, and finance professionals are more concerned than ever about the safety of cardholder data. Also, on October 1st, 2015, Visa, MasterCard, American Express, and Discover will put their EMV liability shift into effect. EMV cards store card data on an embedded chip rather than a magnetic stripe, and after that date liability for counterfeit-card fraud at the point of sale falls on whichever party, merchant or issuer, has not adopted chip technology. A merchant still swiping magnetic stripes will absorb fraud losses that the issuer used to cover.
What does this mean for small and medium-sized businesses? Consider that the cost of failing to comply with PCI requirements and then suffering a breach can reach $80,000 once you add up a forensic investigation, replacing payment terminals, reimbursing the cost of replacement cards mailed to affected customers, complying with breach notification laws that vary by state, and other fees and fines. In the wake of last year's data breach, Target paid out $300 million in regulatory penalties and spent $1.2 billion to upgrade its equipment.
Of course, that is an extreme example. But think of those numbers the next time you assume that PCI compliance doesn't apply to your business, or that you're already compliant, or that your existing firewall has you covered. Even if you process only a hundred credit card transactions a month, employ a small staff, and maintain a handful of computers, you're still a target. In fact, your limited resources may be precisely what attracts an attacker, as Todd McCracken of the National Small Business Association said in testimony before the House Small Business Committee last week.
It takes an experienced partner to properly meet regulatory requirements. At CMIT Solutions, we can provide:
- Self-Assessment Questionnaires (SAQs) to determine your existing level of compliance
- Remote access policies that rely on secure two-factor authentication
- Managed firewall and anti-virus solutions with additional layers of protection beyond the defaults
- Audit procedures and documentation that will stand up to a rigorous PCI assessment
- Staff training and security awareness procedures to empower your employees
- Daily log review and long-term log retention, which PCI, HIPAA, FINRA, and other industry regulations all require in overlapping ways
- Strong security configurations that protect your clients’ financial data
Such stringent measures are required because credit card data is so lucrative to cyberattackers, and a breach can be devastating for an ill-prepared business. Industry statistics show that:
- 96% of breached businesses were not PCI compliant
- 98% of attacks originate from organized crime groups
- 269 days pass, on average, between network intrusion and detection
- 70% of breached businesses close their doors within one year of an attack
- $80,000 is the average cost of a breach
- 1 in 6 businesses will suffer a credit card breach in the next 24 months
So what’s your compliance strategy moving forward? Are you ready to take the leap toward making your client data and your business more secure? The good news is you don’t have to understand all the intricacies of PCI — that’s what we’re here for. Contact CMIT Solutions today so we can put our compliance expertise to work for your business.