You might be concerned about adding too many steps to the buying process and deterring customers from making the purchase. However, while it’s a balancing act between customer experience and security, today’s customers are increasingly fraud-aware and expect businesses they’re dealing with to have put all the necessary protection in place.
PCI Data Security Standard
So where do you start? A good place is the PCI Data Security Standard (PCI DSS). The standard provides a usable framework for developing a robust account data security process, including preventing, detecting and reacting to security incidents.
If your business accepts payment by card, make sure you’re compliant with the PCI DSS. It is considered to be the minimum level of security required to protect your customers when making payments.
With trust comes increased confidence in doing business with you. Confident customers are more likely to be repeat customers and to recommend you to others, so it’s a win-win situation. Compliance with the PCI DSS is a mandatory requirement with the acquiring and payment brands you partner with and is included as part of the terms and conditions of your contract with Barclaycard.
The cost of non-compliance
Becoming compliant might seem like a lot of effort, not to mention confusing. But think about the cost of being non-compliant.
Compromised data negatively affects both your business and your bottom line. A breach can lead to lawsuits and insurance claims, as well as fines. Account data breaches can lead to a significant loss of sales, damaged relationships and standing in your community, and there's also a risk to your share price if you're a publicly listed company. A single incident can severely damage your reputation and your ability to conduct business effectively, not just now but also in the future.
Traceability and accountability
A critical concern of PCI compliance is traceability and accountability: who did what, and when. To pass a PCI compliance assessment, you need to be able to verify who is attempting to access payment cardholder data. You must also control what employees are permitted to see or modify, and do so based on their organisational role.
Perhaps as a result of increasing reliance on web and cloud-based services, which can introduce a lot of different entry points into a system, the emphasis is on user authentication and user identification.
As Verizon's 2014 Data Breach Investigations Report (DBIR) revealed, a number of POS intrusions could be attributed to "truly awful passwords". The report noted that, when it came to remote criminal attacks against environments handling retail transactions, the top three methods targeted the inherent weaknesses of our most basic access security precautions.
Working with third parties
If you're a third-party supplier or a business that works with third-party suppliers, there are certain steps you need to take to ensure that everyone in the chain plays their part to protect payment card data from fraudulent use.
It's not enough for your business alone to be compliant; any third-party suppliers you work with should be as well. So if you work with resellers, till or EPOS vendors, software application providers, payment service providers, data storage providers, web hosting companies, shopping cart providers or software vendors, they might all need to be compliant in order to provide the necessary level of protection for both your customers and your business, as you could be held responsible for a third party's security breach.
Compliance is an ongoing process
It's important to remember that compliance is an ongoing process. As fraudsters adapt and their methods of attack become ever more sophisticated, it becomes increasingly difficult for individual businesses to stay ahead of the threats.
The PCI Security Standards Council is constantly working to monitor threats and improve the industry's means of dealing with them, through enhancements to the PCI Security Standards and by training security professionals in the minimum controls a merchant should implement in order to prevent and respond to attacks. By being compliant you can help stay one step ahead of the fraudsters, and protect both your business and your customers.