I need not tell you PCI compliance is a hot issue. Especially with data breaches on everyone’s mind, keeping cardholder data safe is of the utmost importance. For a variety of reasons security falls by the wayside, however, and the reason I want to address today is cost. Does total PCI compliance cost a business some capital? Absolutely. The business has to put procedures in place and make expenditures they wouldn’t ordinarily have made. But, it’s important to realize that for businesses, the cost of PCI compliance is far less in the long run than simply ignoring a ticking time bomb–or, even getting one of those nasty noncompliance charges from your credit card processor.
How compliant are you now?
Here’s a snippet from a Verifi white paper on PCI compliance that details exactly the steps business owners must take to be up to snuff:
Steps 1 and 2 aren’t so difficult. Most routers come with firewall capabilities, or vice versa—and, you can easily change or add passwords so not just anyone can log into your business’ network. If your company is large enough, you can employ an IT expert who can install and oversee a firewall.
Steps 3 and 4, protection and encryption, are handled by your credit card processor, although they’re still your responsibility. For example, credit card processors can sell a product, PC Charge, which integrates to different accounting programs and stores cardholder data and is PCI compliant—but, only some versions. PCI DSS is a separate animal from processors themselves, so not every product sold has to be compliant. It’s obviously better if they are, though.
Steps 5 and 6 are similar to steps 1 and 2. If your business is big enough, employ an IT expert to oversee antivirus software deployment and regular system scans.
Steps 7 and 8 are easily handled. Simply only allow authorized users to accept credit card payments, and give those users unique IDs and passwords so no one who isn’t authorized can access the system and create a problem.
Step 9 refers to making copies of cardholder data—it isn’t safe to do that, of course, since anyone with eyes can take your scraps of paper and use the cardholders’ information as if they were the cardholders themselves. You can eliminate problems with step 9 by taking care to input a credit card payment into an integrated system or credit card terminal as the customer reads information to you, not afterwards.
Step 10 is simple. Most virtual gateways come with functionality that will help with tracking user access if your accounting system itself does not have the functionality. Step 11, performing regular security tests, can be handled by an IT professional if you’re unsure of how to do it. And, step 12 is self-explanatory and a little tautological 🙂 Have a plan that addresses all this plainly in case you’re ever unsure of what you need to do to protect yourself.
So, how much would it cost your business to be PCI compliant?
I can’t tell you exactly how much the cost of compliance would be for you, but I can say that some businesses have infrastructures that are so big—and interwoven—that it either makes complete oversight a chore or makes complete compartmentalization of credit card data very difficult. This blog entry from Mark Burnette of LBMC Security Services suggests hiring a third-party security expert to handle all of your web security and protection issues because it’s much more cost-effective than hiring someone from within to do the same thing, especially if that person requires training on your different systems. The blogger goes on to say that the same people who perform PCI compliance checks can also be hired to maintain business security, something many merchants may not know.
The bottom line is this: It isn’t free to have a good security system. But, it doesn’t have to be terribly expensive. If you can’t handle the PCI compliance steps yourself, an outside agent or team can handle your business’ security and perform PCI compliance exams, and it’s ultimately less expensive than simply being noncompliant–and, much cheaper than being liable for a data breach.