Basic PCI Compliance Best Practices for Your Point Of Sale System
If you have never heard the term “PCI Compliance” and you are involved in the retail industry, you need to educate yourself. PCI is short for PCI-DSS, the Payment Card Industry Data Security Standard: the set of rules that merchants, software vendors, and consultants must follow when handling credit card data and processing. The five major credit card brands (American Express, Discover, JCB, Visa, and Mastercard) have all agreed to incorporate the PCI Council's technical requirements into their own security programs. That agreement is essential to the standard's success, because it is the card brands, not the PCI Council, that enforce the PCI rules and determine penalties.
Being PCI compliant and following the rules doesn’t guarantee that you won’t have a breach; it does, however, reduce your liability. If a breach happens and you can prove that you followed all the recommendations, you may avoid being hit with fines.
Target, the major department store chain, is the most recent example of a large data security breach in the retail industry. Estimated fines from that breach range from $1.1 billion to $3.6 billion. By comparison, a small retailer may be fined $10,000, which for a smaller retailer could mean the end of the business. Security breach fines can be quite large and have an enormous impact regardless of company size, which is why it is important to protect your business and take appropriate steps toward becoming PCI compliant.
3 Steps to Take Toward Becoming PCI Compliant
- Talk with your software vendor. The vendor you purchased your Point of Sale (POS) software from should be your first call. They can provide you with documentation that proves the software solution is certified. If they can’t, you need to ask some serious questions about why, and it might be time to find a new solution!
- Do an internal audit for risks such as open WiFi, unattended computers that are logged in to your network, and stored passwords. Your IT provider should be able to help. If you don’t have an IT provider and wish to do it yourself, talk to an IT professional about assisting with the audit; they can provide you with best practices. (Regarding passwords, writing your login on a sticky note and putting it on your monitor is not PCI compliant!)
- Never write down credit card or billing information for a customer. Always go straight to your Enterprise Resource Planning (ERP) or POS system to enter the data. While it may not be convenient, it is the best policy.
Completing these steps doesn’t mean you are PCI compliant. It does, however, mean you are a lot better off and well on your way to PCI compliance. Contact ArcherPoint to discuss how to get your organization in complete PCI compliance.