Despite being introduced nearly 15 years ago, PCI DSS, for many businesses, continues to be clouded in mystery and confusion. A lack of time and resources, paired with a limited understanding of cybercrime and the risks associated with a data breach, means that many business owners and managers have chosen to bury their heads in the sand and avoid putting the necessary processes in place to secure their transaction environment. So, this month, we attempt to debunk a few of the myths surrounding PCI DSS with a list of Dos and Don’ts of compliance, to help you make the right choices for your business…
DO understand that if you accept payments by card then PCI DSS compliance applies to you. There are no exceptions to this!
DON’T assume that this means costly investment in equipment and extra resources. The requirements of PCI DSS apply to everyone who handles card data, but how you have to validate your compliance depends on your transaction volume over a 12-month period. This determines which ‘merchant level’ category your acquirer places you in and therefore whether you need an on-site assessment or can self-assess. The specific Self-Assessment Questionnaire (SAQ) you complete then depends on how you accept cards (for example fully outsourced online payments versus card-present terminals), and some SAQs also require quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). While getting the right procedures in place can take time, for many smaller businesses the validation process itself simply involves completing the appropriate SAQ each year.
DO educate yourself and your colleagues on the need for compliance and know the implications if you do not. The more that staff understand and are engaged, the more likely it is that policies will be adhered to.
DON’T assume that you will get away with pleading ignorance should a data breach occur! Without compliance procedures and cyber protection in place, a breach is likely to result in fines and penalties passed on by your acquiring bank for failing to comply, together with the costs of a forensic investigation, and the reputational damage to your business could be irreversible. Going through the steps to become compliant will give you a good understanding of how card data flows through your business, so you have a better chance of identifying gaps and fixing weaknesses, making that dreaded data breach much less likely.
DO make compliance and card security a priority and identify an individual or a core team of people responsible for its planning and implementation.
DON’T expect compliance to be achieved in a day. New systems and ways of working take time to bed in, particularly in larger organisations. PCI DSS compliance should be considered as an ongoing exercise and not a one-off tick box so ensure that adequate resources are allocated each year.
DO implement technology and systems that limit the amount of card data visible to staff and stored on your own systems. Every person and system that can see full card numbers is in scope for PCI DSS, so reducing that exposure both shrinks the environment you have to assess and reduces the scope for human error or misuse, greatly improving your chances of resisting a data breach.
DON’T assume that because there is human involvement in the payment process you will not achieve compliance. There are plenty of ways to adhere to PCI DSS while maintaining human interaction and personalised service for your customers. Systems that encrypt card details at the point of capture, or that let a customer key their card number into the phone without the agent hearing or seeing it, help to prevent data falling into the wrong hands, and there is a wealth of technologies available to support this.
DO investigate ways to outsource the handling of card data to an external provider. Investing in a PCI DSS compliant card payment solution can take most of your own systems and staff out of scope, and moves the bulk of the technical obligations and risk from you to the provider. Bear in mind that you remain responsible for choosing a compliant provider, confirming its PCI DSS status each year and completing the (much shorter) SAQ that applies to an outsourced arrangement. Not only that, but a new system might also be just what you need to streamline your payment process, increase productivity and, in the long run, cut costs.
DON’T waste money on an off-the-shelf system that does not fit the needs of your business. It is crucial to find the right solution that has the flexibility to integrate with other processes and allows for future changes and growth.
At PCI Telecom we create bespoke card payment processing solutions for businesses of every shape, size, and sector. Our cloud-based solutions are flexible, robust, and cost-effective and enable businesses to accept and process card transactions – over the phone, via IVR, online and over webchat – in a secure environment, compliant with PCI DSS with Level 1 accreditation. For more information, visit our Solutions page or give us a call to talk through your requirements.