Under Lock and Key: PCI Compliance And Data Security Is Sound Business Practice
Every business that accepts credit/debit card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). Doing so is more than a requirement; it's a sound business practice that offers the protection your business needs against potentially devastating consequences from credit card data theft.
That protection is especially important to restaurant franchisees, as restaurants are the most popular targets of credit card thieves. According to Visa International, remote access by hackers was the source of 41 percent of all credit card data theft in 2010, with Level 4 merchants the target of 96 percent of all hacking.
Many merchants believe that their merchant bank or ISO covers them for PCI DSS compliance. That's not the case, and it's ultimately the merchant's responsibility to ensure PCI DSS compliance. Credit card breach investigations do result in fines for the affected merchant's acquiring bank when a breach is proven to result from PCI DSS non-compliance, but merchant contracts with acquiring banks typically hold merchants liable for those fines should a breach occur, which transfers the burden to the merchant who was hacked.
That burden exposes restaurant franchisees to tremendous financial loss:
- Fines of up to $500,000 per incident
- Liability for all losses from compromised account numbers
- Liability for the cost of re-issuing compromised cards
- Potential suspension of merchant accounts
The severity of these fines and penalties is the reason 76 percent of small businesses that experience a customer data breach close their doors permanently within a year. And that in turn is why it's in the best interest of the franchise organization to protect against customer data theft.
Fortunately, PCI DSS is very clear about what constitutes compliance, and franchisees who demonstrate thorough PCI DSS compliance are generally shielded from liability should data theft somehow occur. Compliance involves addressing these key PCI DSS requirements:
- Build and maintain a secure network. Simply put, it's your responsibility to make it extremely difficult for hackers to penetrate your network.
- Protect cardholder data. Don't store cardholder data in easily accessible reservation systems and loyalty programs. Better yet, store all credit card data off-premises, and access it through a secure gateway.
- Maintain a vulnerability management program. Institute measures that put you in a proactive rather than reactive posture toward quarterly vulnerability scans.
- Implement strong access control measures. Do your best to ensure that only personnel with an absolute need are able to access or view cardholder data, and carefully monitor access.
- Maintain an information security policy. Employee vigilance is key to security. Make sure everyone who accesses your network and sensitive data understands the measures you've implemented for protection, and why.
If you address these requirements and achieve and maintain PCI DSS compliance, you're on the surest path to remaining safe from the potential damage inflicted by thieves on the hunt for valuable customer credit card data.
Paul Arceneaux is chief marketing officer for ANX, a leading provider of managed security, compliance, and connectivity solutions. He has more than 20 years of security, technology product development, and marketing leadership.