PCI DSS compliance: what it is and why businesses should care
Even in Bermuda, credit card information held by local businesses large and small is susceptible to theft by computer hackers. Hackers are able to exploit security weaknesses in order to gain access to customers’ credit card information. Stolen information can then be sold on the internet and/or used to make fake credit cards for fraudulent transactions.

To reduce the risk of credit card fraud, the Payment Card Industry Data Security Standard (PCI DSS) was established by the founding card brands: Visa® International, MasterCard® WorldWide, American Express, Discover Network and JCB. The Standard sets out the security requirements that must be adhered to by every business or entity that transmits, processes or stores payment card data.

There are 12 requirements that fall into six categories:

1. Build and maintain a secure network: Install and maintain a firewall and use unique, high-security passwords, taking special care to replace default passwords.

2. Protect cardholder data: Whenever possible, do not store cardholder data. Cardholder data is the full magnetic stripe or the Primary Account Number plus any of the following information: cardholder name; expiration date; and service code. You must also encrypt any data passed across public networks, including to your shopping cart and web-hosting providers.

3. Maintain a vulnerability management programme: Use antivirus software and keep it up to date. Develop and maintain secure operating systems and payment applications. Ensure the applications you use are compliant.

4. Implement strong access control measures: Access, both electronic and physical, to cardholder data should be on a “need-to-know” basis. Ensure that people with access use a unique ID and password. Do not share logon information.

5. Regularly monitor and test networks: Track and monitor all access to networks and cardholder data. Ensure you have a regular testing schedule for security systems and processes: firewalls; patches; and antivirus.

6. Maintain an information security policy: It’s critical that your organisation have a resource overseeing how data security is handled within your business. Ensure you have a policy and that it’s disseminated and updated regularly.

PCI DSS is an obligation enforced by banks that establish merchant services agreements with organisations that accept credit cards as a form of payment.

All merchants are classified into one of four merchant levels based on transaction volume over a 12-month period, and each level has different validation requirements. Many businesses in Bermuda are considered Level 4. Visa International classifies Level 4 as any merchant processing fewer than 20,000 e-commerce Visa transactions per year and all other merchants, regardless of acceptance channel, processing up to 1 million Visa transactions per annum. The validation requirements include a recommended Self Assessment Questionnaire (SAQ), a quarterly network scan by an Approved Scanning Vendor (ASV), or compliance requirements set by the Acquirer (i.e., the merchant’s bank). Level 4 entities are attractive to cyber criminals, as most are focused on the daily business environment and have few IT resources to help ensure that their systems are secure.

Non-compliance with PCI DSS by a company that takes card payments can literally put that organisation out of business. If a security breach occurs, the company will be liable for the cost of the required forensic investigations, fraudulent purchases, and the cost of reissuing cards.
Based on the latest Global Security Report provided by Trustwave, one of the world’s leaders in risk management, targeted attacks cost businesses an average of $200,000 depending on the intensity of the compromise.

To help merchants manage these risks, Butterfield has partnered with Trustwave to provide assessments and tools that will enable merchants to secure their business information and ensure compliance with PCI DSS. Merchants are given access to a user-friendly online portal to help them assess their current vulnerabilities and formulate a plan for becoming PCI DSS compliant.

By becoming compliant and adhering to the Standard, a business entity will minimise the risk of a breach or loss of profits and avoid the heavy fines associated with a data breach.

More information about how to protect important business information can be found on the PCI Security Standards Council website: www.pcisecuritystandards.org.

Florence C. Smith is an AVP and Product Manager for Butterfield Bank’s Merchant Services-Electronic Banking