Whether it is 14 or 16 numerical digits in length, securing and protecting credit card numbers and all associated information is extremely important. In an age where electronic information can be shared from anywhere in the world at a moment’s notice, people need to know more than ever that their credit card information is being protected. The consequences of this information falling into the wrong hands are simply too severe – identity theft.
What's more, businesses that handle and store their customers' credit card information need to ensure, for the sake of their own well-being, that this information is adequately secured. Without taking the appropriate protection measures, the potential risk to the company itself is astronomical.
In 2006, the major credit card companies worked together to create the Payment Card Industry Security Standards Council to establish compliance standards that help to protect and ensure security around cardholder information (i.e., credit card number, cardholder address, etc.). The ultimate goal is to protect both consumers and businesses from fraudulent transactions and identity theft.
As part of the PCI Data Security Standard (DSS), businesses are categorized into multiple levels based on the number of payment card transactions processed, along with how (or if) the organization stores cardholder information. For businesses that process 40,000 or fewer credit card transactions annually, the PCI DSS requires organizations to complete one of five "Self Assessment Questionnaires" (SAQ) designed to help gauge a business' current level of security and allow it to make the proper adjustments.
From a security perspective, the SAQ helps to ensure your business is adhering to PCI DSS requirements for security management, policies, procedures, network architecture, software design and other security measures. From an operational perspective, it reinforces a business' responsibility to ensure that customers' payment card transactions are being kept safe and that both the consumer and the business are protected against data breaches and identity theft.
The SAQ can be as few as 13 questions or over 280 questions depending on the business's SAQ category. A differentiating factor is how (or if) cardholder information is stored. The SAQs can be found at https://www.pcisecuritystandards.org. We have worked with a number of clients from various types of industries with different complexity levels to help determine which SAQ best meets their PCI compliance needs.
Understanding how payment cards are used and processed within a company is critical. Developing detailed workflows and identifying the "touch points" is very important in order to determine the types of policies, procedures and protocols that need to be implemented. Many companies have attempted to shift the risk of payment card storage and processing to third-party vendors, only to find that they can still be exposed to the same liability.
Good business practices need to be developed to protect cardholder and payment card information. Outlined below are areas of consideration in order to comply with PCI standards:
- Operations – Formal business practices need to be in place to address the collection, transmission, storage, reporting and monitoring of cardholder information. How is cardholder information stored? Is it on-site or stored off-site by a third party?
- Technological – Once it is decided how the information is stored, questions need to be asked about the controls in place to protect it. What types of hardware and software have been implemented to protect the data? Is information being encrypted? Has the technology been properly updated?
- Personnel – Lastly, there is the question of who has access to the data. Have these people received the proper training and been thoroughly vetted as being reliable and trustworthy? Do they fully understand the importance of protecting the information? Are they aware of the procedures in place to protect it?
Compliance with PCI DSS is becoming more and more important for businesses of all sizes. Many financial institutions are requiring PCI compliance in order to process and handle credit card information — and instituting fines for non-compliance. Elements of compliance include security and controls around collecting, transmitting, storing, reporting and monitoring cardholder information. In addition, compliance demonstrates to customers that a company has secure systems that can be trusted with their sensitive payment card information.
Jeffrey I. Ziplow, MBA, CISA, is a partner with BlumShapiro, the largest regional accounting, tax and business consulting firm based in New England, with offices in West Hartford and Shelton, CT and Rockland, MA. The firm serves as business advisors for today’s leading companies, non-profit organizations and government entities, working to strategically tailor and consistently deliver tested solutions for unlocking an organization's full potential. For more information about BlumShapiro, visit blumshapiro.com.