In 2004, the five major credit card brands (Visa, MasterCard, American Express, Discover, and JCB) instituted a set of requirements designed to ensure that every company that processes, stores, or transmits credit card information maintains a secure environment for cardholder data. The standard defines cardholder data narrowly: the primary account number (PAN), on its own or together with the cardholder name, expiration date, and service code. It separately defines sensitive authentication data, namely the full magnetic-stripe or chip data, the three- or four-digit card verification code (CVV2, CVC2, CID), and the PIN; this category may never be stored after a transaction is authorized, even in encrypted form. Other personal information about the customer, such as a postal address or social security number, is not cardholder data under the standard, although it may well be covered by privacy and breach-notification laws. Anything that handles the PAN, or sits on the same network segment as something that does, is in scope.

Why PCI Compliance Is a Must for Middle Market Firms

Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) requires far more from a company than possessing an SSL certificate for its website. SSL (today, its successor TLS) only encrypts card data while it is in transit between a customer's browser and the firm's server; it does nothing to protect data stored on that server, to keep an attacker out of the network, or to stop a compromised server from leaking the cards it has already received.

It's likely, then, that not all middle market firms are PCI compliant. After all, there is considerable time and expense involved even for a merchant at level 3 (defined by Visa as processing between 20,000 and 1 million Visa e-commerce transactions per year) or level 4 (fewer than 20,000 Visa e-commerce transactions, or up to 1 million total Visa transactions, per year) to come into compliance. Because an in-house information-security program can be prohibitively costly for middle market companies, you might have to look to information-security consulting firms for assistance with compliance.

Adherence to PCI DSS is not enforced by government regulators but by the five card brands themselves, acting through each merchant's acquiring bank. Because roughly 40 percent of recorded customer data breaches occur in the hospitality industry and 25 percent in the retail sector, enforcement attention tends to concentrate there. Combined with the cost consideration, these two factors might cause some middle market firms outside those industries to put off the actions necessary for compliance.

However, a card data breach at a middle market firm can cause severe financial damage. Once a breach investigation begins, the card brands can levy fines for past and present PCI compliance violations ranging from $5,000 to $100,000 per month; these are imposed on the firm's acquiring bank, which passes them on to the merchant. The bank may also raise the firm's transaction fees, or end the business relationship altogether. What's more, the firm could face civil suits from customers whose credit card data was exposed.

Steps to Take

On January 1, 2014, version 3.0 of PCI DSS went into effect for all companies that handle debit- and credit-card data. This version refines and adds to the requirements of earlier versions. For executives at middle market firms to gain a firm understanding of how close their companies are to compliance, there are PCI self-assessment questionnaires (SAQs) that IT personnel within a company can complete; which SAQ applies depends on how the firm handles card data, and the fewer systems that touch card data, the shorter the questionnaire. Alternatively, firms can use an outside security professional's guidance to complete the SAQ and move toward compliance. A merchant that is eligible to self-assess is not required to use a "Qualified Security Assessor" (QSA) trained by the PCI Security Standards Council (PCI SSC); only the largest (level 1) merchants must have a QSA or a trained internal assessor produce a full Report on Compliance. A list of QSAs can be found on the PCI SSC website.

While in the process of achieving PCI compliance, a middle market firm's acquiring bank or that bank's PCI partner will ask for both internal and external network vulnerability scans once per quarter, which PCI DSS requires (requirement 11.2). These scans identify vulnerabilities in operating systems, services, and devices that attackers could use to access or damage a firm's network. An external scan looks for holes in network firewalls, unprotected wired and wireless connection points or accessory devices, and other deficiencies that could serve outside attackers; it must be performed by an Approved Scanning Vendor (ASV) certified by the PCI SSC, and a scan that finds any vulnerability rated 4.0 or higher on the CVSS scale is a failing scan until the issue is fixed and rescanned. An internal scan operates behind a firm's firewalls to identify real and potential vulnerabilities that can be exploited (whether accidentally or otherwise) by employees or by vendors who visit the site. A scan is automated and shallow; the standard separately requires an annual penetration test, in which a person actually tries to exploit what the scanners find.

With data theft becoming increasingly sophisticated, PCI compliance is a concept that you, as an executive of a midsized company, must understand and discuss with your firm's IT team in order to protect your business.

Is it preferable to have an in-house IT staff work on PCI compliance? Let us know what you think by commenting below.

Rob Carey is an NCMM contributor and a features writer who has focused on the business-to-business niche since 1992. He spent his first 15 years at Nielsen Business Media, rising from editorial intern to editorial director. Since then, he has been the principal of New York-based Meetings & Hospitality Insight, working with large hospitality brands in addition to various media outlets.