You invested a great deal of time to grow your clientele and you worked hard to make sure your product or service stands out among the competition. Stolen personal data can destroy trust and the good relationship that you built with your clients over the years. A data breach can seriously damage your brand reputation and there is a high cost associated with the breach.
It is not uncommon for eCommerce websites to be hacked and payment card data stolen. The merchant generally has no idea that anything is happening until they receive a notification from their processor or from Visa and MasterCard. The cause can be something as simple as a line of malicious code inserted into a plugin installed on the site, unbeknownst to the merchant. If the merchant was not PCI compliant at the time of the breach, hundreds of fraudulent transactions may have been run through their system before anyone noticed. In some cases this has ended up costing merchants well over $100k: the fines themselves can be $80,000 or more, plus additional fees for legal and administrative work. Scenarios like this can cause the merchant’s website to be blacklisted for suspicious activity and the merchant account to be shut down. The merchant can also be placed on the card brands’ terminated merchant (MATCH) list, preventing the business from accepting credit card payments at all. These unpleasant situations could easily have been prevented if the merchant had followed the PCI compliance guidelines. Let’s have a look at some of them.
Once your customers’ credit card data is entered into our payment gateway, it is secured, tokenized and rendered useless to cyber criminals. Cardholder data consists of the full Primary Account Number (PAN), either on its own or together with any of the following: cardholder name, expiration date and/or service code (the three-digit value encoded on the card’s magnetic stripe or chip, not the security code printed on the back). The printed security code (CVV2/CVC2), full track data and PINs are sensitive authentication data, which PCI DSS forbids storing after authorization even in encrypted form. You should refrain from storing any cardholder data outside of GlobalOnePay, as doing so puts both the data and your compliance at risk.
Now, while GlobalOnePay takes care of protecting cardholder data, there are some basic rules on how you and your employees should handle the data before it gets entered into our gateway. Let’s take a virtual terminal as an example. With a virtual terminal, the information has to be obtained from the cardholder and entered into the gateway manually before GlobalOnePay takes over the secure handling of the data. Let’s imagine that a long-standing client calls and provides card information over the phone. The proper way to go about it is to process the payment right away, but many businesses don’t follow this simple rule. Instead, they collect the order information and process everything at the end of the day. The question is: where do they store the cardholder data before it’s entered into the gateway, and how do they dispose of it afterwards?
Avoid storing payment information whenever possible. Whether accepting customer payments over the phone, in person or online, it is always best to process the information immediately and then shred or delete all paper and electronic copies, including any copies that ended up in e-mail, chat, notes apps or application logs. Businesses that store payment information, in hardcopy or electronic form, put themselves at greater risk of a data breach. Tokenization should also be employed so that what you keep on file is a reference token rather than the card number, which protects data at rest; encryption (TLS on the checkout page and on the connection to the gateway) protects the data in transit.
Filling out a Self-Assessment Questionnaire (SAQ) will not by itself make your business PCI compliant, but it will guide you through the required controls and help you create your own internal PCI compliance procedures. The questionnaire may include a question like: “Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?” This question spells out how hardcopy materials are to be disposed of in a PCI compliant way. Depending on which SAQ applies to you, it can have anywhere from a couple of dozen to well over 100 questions, each of which provides practical guidance on how to create processes for your employees.
To figure out whether you need a PCI compliance scan, have a look at the way your clients enter their credit card information when they check out. The less your own site touches the card data, the smaller your scope: under the PCI DSS v3 questionnaires, a checkout that is fully outsourced to the gateway’s hosted payment page (SAQ A) is not required to run external vulnerability scans, whereas a page that collects the card number itself or serves the payment form from your own servers (SAQ A-EP), or a business that handles card data directly (SAQ D), must have quarterly scans performed.
PCI DSS requires both internal and external vulnerability scans, at least quarterly and again after any significant change to the network. External scans must be performed by an Approved Scanning Vendor (ASV) and pass with no vulnerability rated CVSS 4.0 or higher; internal scans may be run by qualified staff or a contractor with any capable scanner, and any high-risk findings must be fixed and rescanned. A vulnerability scanner is a program designed to discover the weak points in your network: it probes open ports, identifies the services and software versions behind them, and compares them against known vulnerabilities and insecure configurations so you can see where improvement is needed. An external scan looks at what an attacker on the Internet can reach, namely the holes in your network firewall(s), remote-access services, any other Internet-facing device such as IP security cameras, and the website itself; an internal scan looks at the same things from inside the network, where an intruder would end up after breaking in.