Do you accept credit or debit payments at your business? If so, chances are that you need to comply with the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS establishes minimum data security measures for organizations around the world that hold, process or exchange cardholder information from any of the major card brands. The standards are reviewed every two years, and were most recently revised in October 2010.
According to a study by the National Retail Federation and First Data, 86 percent of small- and mid-sized business respondents said they care about keeping customer card information secure and feel card data security is important to their business. But while most (66 percent) are aware of PCI DSS, only 49 percent had completed a required self-assessment at the time of the survey.
Protecting cardholder data can seem expensive and a bit overwhelming to small business owners, most of whom already wear many hats. However, the financial and reputational costs of a breach can be significant – in some cases jeopardizing your business altogether.
But where to start? Hopefully you already limit physical access to cardholder information and keep anti-virus software up to date. Here are additional ways you can significantly increase data security while managing compliance costs:
Encrypt Sensitive Data
Probably the single most important measure that a business can take to protect cardholder information is to encrypt card data immediately after the card is swiped at the point of sale. The information should stay in an encrypted state while it is transmitted to the payment processor.
This step means the transaction is never transmitted in plain text in the frame relay, dial-up or Internet connection, where the potential exists for interception by fraudsters. If the data does get siphoned off once it is encrypted, it is virtually useless to thieves.
Reduce Your “CDE”
Every computer system, filing cabinet and application that uses or stores sensitive card data, including encrypted data, is part of the overall cardholder data environment (CDE) and within the scope of PCI DSS compliance. In other words, the more places you have data, the more places you need to worry about protecting.
Limit – and even shrink – the scope of your CDE by restricting the use of cardholder data to only those applications directly pertaining to payments (e.g., transaction authentication, daily settlements and chargebacks).
Tokenization is a “layered” complement to encryption. Cardholder data is sent to a centralized and highly secure server (vault) after authorization, and a random unique number (the token) is generated and returned to the business’ systems for use wherever the cardholder data would normally be used.
The token is specific to the card and can still be used to process returns, track spending habits and other business functions, but the number itself has no value for fraudsters. This can dramatically reduce the impact of a potential data breach.
Tokenization can also help reduce the scope of the CDE because there is no cardholder data present. Businesses that replace cardholder data with tokens in all their enterprise applications can significantly reduce the scope of their CDE, and subsequently reduce the scope and cost of PCI DSS compliance and annual assessments/quarterly scans.
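As an added illustration of the tokenization flow described above (example code written for this page, not code from the article or from any payment provider), the Python below models a provider-side `TokenVault` that issues a random token per card, a `MerchantSystem` that stores only tokens, and a Luhn-based scan of the merchant's records that shows no real card number remains in the business's own systems. The card numbers used are published industry test numbers, not real accounts; making tokens deliberately fail the Luhn check so they cannot be mistaken for live card numbers is an assumption of this example, not something the article states.

```python
"""Tokenization vault and merchant-side records, as an added example.
The vault is the provider's side (inside the CDE); the merchant keeps tokens only.
"""
import json
import re
import secrets
from typing import Dict, List, Optional

DIGITS = "0123456789"
PAN_RE = re.compile(r"\b\d{13,19}\b")  # candidate card-number runs in free text


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that real card numbers pass (13-19 digit strings)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Scope check: digit runs that look like card numbers AND pass Luhn."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


class TokenVault:
    """Stands in for the provider's centralized vault: the only component that can
    map a token back to a card number (PAN). A real vault would also encrypt the
    PANs it holds at rest; this toy keeps them in memory for clarity."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a card number")
        # Same card -> same token, so returns and spend tracking still work.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits: the token carries no information about the PAN.
            token = "".join(secrets.choice(DIGITS) for _ in range(16))
            # Assumption (not from the article): reject tokens that happen to pass
            # Luhn, so a token can never be confused with a live card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Provider-only operation; the merchant never needs to call this."""
        return self._token_to_pan.get(token)


class MerchantSystem:
    """The business's own records after tokenization: tokens only, never PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.orders: Dict[str, Dict[str, str]] = {}

    def sale(self, order_id: str, pan: str, amount: str) -> str:
        # The PAN exists on the merchant side only for this call (the pre-authorization
        # POS step). What gets stored is the token the vault returns.
        token = self._vault.tokenize(pan)
        self.orders[order_id] = {"token": token, "amount": amount}
        return token

    def refund(self, order_id: str) -> str:
        """A return is submitted with the stored token; the provider resolves it."""
        return self.orders[order_id]["token"]

    def scope_scan(self) -> List[str]:
        """Anything here that passes as a real card number would pull these
        records back into the CDE. Expected result after tokenization: []."""
        return find_card_numbers(json.dumps(self.orders))


if __name__ == "__main__":
    vault = TokenVault()
    shop = MerchantSystem(vault)
    # Constructed inputs: published test card numbers, not real accounts.
    t1 = shop.sale("order-1", "4111 1111 1111 1111", "19.99")
    t2 = shop.sale("order-2", "4111111111111111", "5.00")
    print("same card, same token:", t1 == t2)
    print("refund order-1 with token:", shop.refund("order-1"))
    print("card numbers left in merchant records:", shop.scope_scan())
```

The scan at the end is the practical takeaway: once every application stores the token instead of the card number, a search of the business's own data for Luhn-valid card-number patterns comes back empty, which is the evidence an assessor looks for when agreeing that those systems are out of scope.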
Work With a Third Party
Another way to shrink the environment that’s subject to PCI compliance is to hand over the responsibility (and liability) for storing card data to a third-party service provider. For instance, a business can send encrypted card data to the payments processor for authorization, and when the authorized response is returned, a tokenized number is also sent to the business.
This approach layers encryption and tokenization while also shrinking a business’ CDE to the smallest possible footprint: the POS system that holds live, pre-authorization card data.
Raise Your Hand
Businesses have a responsibility to protect their customers’ data, but you don’t have to do it alone. Talk to your payments provider about solutions and experts that can help your business get and stay compliant. Remember, PCI DSS is a minimum standard, and finding the right partner(s) can help you make smart decisions about how to best safeguard your customers – and potentially your business.
I agree that minimizing the amount of sensitive data you’re storing is probably the best solution for most SMBs (especially considering that tokenization might as well be Cantonese as far as most SMB owners know).