The loss of customer data can not only keep your management up at night, it can severely cripple a business.  From the loss of confidence by your customers, to the fines levied by banks and other institutions, a business can struggle to recover from a breach.  For this reason it is important to ensure that your company’s leadership is taking all of the necessary steps to ensure that it remains in compliance with the Payment Card Industries Data Security Standards (PCI-DSS) and is protecting customer credit card information.

Many companies within the middle market have the misguided preconceived notion that they do not need to be PCI compliant, as they have “outsourced” their credit card processing.  However, as transactions are processed through the company’s network, this makes the company a participant in the transaction process and thus it becomes necessary to be compliant.

PCI-DSS Standards

The PCI Security Standards Council has worked with credit card companies in establishing predefined standards that need to be met by any company processing credit card information.  For a majority of companies within the middle market, this would be limited to completing a self-assessment questionnaire (SAQ), but the level of assurance required is determined by the number of credit card transactions completed with a provider.  To determine the necessary scope of the assessment, you will first need to prepare the following documents.

  • Contracts with credit card processor
  • A Summary from a processor on number of transactions processed during the year

If it is determined that the company can complete a SAQ, it will be necessary to define the questionnaire to complete.  This will be determined based on the types of credit card transactions that are processed and how they are processed.   The PCI provides templates that should be used to complete the assessment.  The assessments should be completed on an annual basis and need to be kept on file.

See the PCI’s website dedicated to small businesses by clicking here to help get you started.

In the event that the company does not qualify to complete the SAQ, it will be necessary for the company to complete the Report on Compliance and Attestation of Compliance.  This is required to be completed by a Qualified Security Assessor, who is trained in the compliance aspects of the PCI-DSS.

The costs of not ensuring compliance with the appropriate PCI-DSS standards can be devastating for your company.  As noted above, a few of the consequences of having a breach of cardholder data could be as follows:

  • Loss of Confidence – from your customer base and the community.
  • Monetary Costs
    • Fines from credit card companies
    • Legal Fees
    • Costs to provide identity protection
    • Internal costs of “fixing” the problem, both in terms of the breach and the marketing necessary to build reputation

With the potential damage and negative exposure that can come from a data breach, we encourage management to ensure that they have completed the necessary PCI-DSS compliance steps on an annual basis.

If you would like help in getting started, or along the way, do not hesitate to reach out to your Barnes Dennig contact or visit Barnes Dennig’s web page on PCI-DSS Assistance here for more information.