Cybercriminals and hackers have certainly been busy lately. Over the course of the past year and a half, 14 major security breaches have adversely affected merchants and their customers. Many of these breaches involved credit and debit card numbers, and occurred due to flaws in payment systems, either online or in stores. For example, Sears and Delta’s online support partner, [24]7.ai, suffered a breach that exposed up to 100,000 people’s credit card information.
Undoubtedly, merchants have never been more susceptible to data breaches and the consequences – hefty fines, damaged brand reputations and lost customer trust. In fact, a KPMG study showed that 19 percent of consumers would completely stop shopping at a retailer after a breach, and 33 percent would take a break from shopping there for an extended period.
The Power of the PCI DSS
To help minimize security risks and uphold customer trust, merchants must look to the Payment Card Industry Data Security Standard (PCI DSS) and seek out a PCI certification. As you may already know, the PCI DSS is a global standard that applies to any company that handles cardholder data (CHD). While compliance with the PCI DSS by no means guarantees immunity from a breach, taking the steps outlined in the standard can significantly reduce risks and eliminate noncompliance fines, which can range from $5,000 to $500,000 per month.
The PCI DSS groups its requirements under six high-level goals that every organization processing card payments must address. In total there are twelve requirements, which every merchant, regardless of merchant level, must follow:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security for employees and contractors
To learn more about the twelve PCI DSS requirements, view this helpful page on the PCI SSC’s website.
PCI DSS Compliance vs. PCI Certification
It is important to first address the difference between PCI DSS compliance and PCI certification. To demonstrate compliance, your organization must complete a self-assessment questionnaire that includes a checklist of necessary requirements. This will take less than a month to complete. Once you have completed your checklist, it is in your organization’s best interest to periodically run through the PCI Council’s three-step review process to ensure you maintain compliance. The review process includes the following steps:
- Assess — identify CHD, inventory your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose CHD.
- Remediate — fix vulnerabilities and avoid storing CHD unless you need it.
- Report — compile and submit required remediation validation records (if applicable) and submit compliance reports to the acquiring bank and card brands with whom you do business.
However, in today’s digital age when cybercriminals are becoming more devious, merchants should take the extra step and obtain a PCI certification, even though it is not required. Simply saying you are PCI DSS compliant is nothing more than a claim – to become certified, you will have to be verified by a Qualified Security Assessor (QSA).
How to Become PCI Certified
Earning a PCI certificate requires an in-depth audit by a QSA – a process that can take up to six months to complete. But, it is worth the effort to help eliminate any liability or fear that a PCI guideline has been unintentionally missed in a self-assessment. Further, your certification offers tangible proof and undeniable credibility that your company has met all PCI DSS guidelines, offering customers reassurance that their data is protected according to rigorous standards.
Here are a few steps to get your certification process in motion:
- Bring in a professional to implement a secure payment gateway that will monitor your network regularly to ensure that CHD never enters your contact center.
- Descope your contact center by removing as much personally identifiable information (PII) as possible – including CHD. The less data you store, the fewer applicable PCI controls you will need.
- Password protect your system and install a firewall to limit employee access to the network.
- Finally, enlist a QSA to conduct your full-scale audit to ensure all PCI DSS requirements have been satisfied. Select someone who understands your area of business and has a proven track record of helping others in your industry become compliant.
Semafone Has Your Back
It’s Semafone’s mission to stay ahead of the curve and provide the highest level of security assurance. To solidify this commitment to our partners and customers, we recently achieved recertification with the internationally recognized standard for information security management practices, ISO 27001:2013. We are also the only vendor to attain all four of the leading secure payment accreditations: ISO 27001, PA-DSS, PCI DSS Level 1 Service Provider and an official Visa Merchant listing.
In addition, our patented, secure payment software, Cardprotect, dramatically simplifies compliance by descoping much of the contact center’s environment from the PCI DSS. Using dual-tone multi-frequency (DTMF) masking technology, Cardprotect shields numerical data from agents/customer service representatives (CSRs), call recordings and other telephony systems. Once customers enter the credit card numbers into their phone’s keypad, the data is sent directly to the payment processor – never touching the business’ IT infrastructure. After all, when it comes to cybercriminals, our motto is, “No one can hack the data you don’t hold.”
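To make the descoping argument concrete, here is an added simulation of the DTMF-masking pattern described above. It is not Semafone's code and not from the original article; all class and function names are hypothetical. A call is modelled as a stream of events (speech, keypad digits, and an agent-driven capture on/off signal). While capture is on, each keypad digit is diverted into a buffer that only a processor stub ever sees, and the stream handed to the agent, the recorder and the rest of the contact-centre stack carries a flat-tone placeholder instead. When capture ends, the processor returns a token holding just the last four digits, which is all the business keeps.

```python
"""
Added example (not Semafone's code, not from the article): a simulation of
DTMF masking and tokenisation for a contact-centre call. The contact centre
only ever holds the masked stream and a token; the PAN goes to the processor.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

MASK_TONE = "<flat-tone>"   # constructed placeholder for the masking tone


@dataclass
class CallEvent:
    """One event on the call (hypothetical model): kind is 'speech', 'dtmf'
    (a single keypad digit) or 'capture' with payload 'on' / 'off'."""
    kind: str
    payload: str


@dataclass
class PaymentProcessorStub:
    """Hypothetical processor endpoint, the only party that sees the full PAN.
    It hands back a token that carries only the last four digits."""
    received: List[str] = field(default_factory=list)

    def tokenize(self, pan: str) -> str:
        self.received.append(pan)
        return f"tok_{len(self.received):04d}_{pan[-4:]}"


def mask_call(events: List[CallEvent],
              processor: PaymentProcessorStub) -> Tuple[List[str], List[str]]:
    """Fork the call into the stream the agent, recorder and CRM receive
    (captured digits replaced by MASK_TONE) and the digits, which are sent
    only to the processor. Returns (masked_stream, tokens)."""
    masked: List[str] = []
    tokens: List[str] = []
    buffer: List[str] = []
    capturing = False
    for ev in events:
        if ev.kind == "capture":
            capturing = ev.payload == "on"
            if not capturing and buffer:      # capture window closed: submit PAN
                tokens.append(processor.tokenize("".join(buffer)))
                buffer = []
        elif ev.kind == "dtmf" and capturing:
            buffer.append(ev.payload)         # diverted; never enters masked stream
            masked.append(MASK_TONE)
        else:
            masked.append(ev.payload)         # speech, or DTMF outside capture (IVR)
    # If the call ends with capture still open, the partial digits in `buffer`
    # are simply dropped: nothing incomplete is submitted or retained.
    return masked, tokens


def recording_contains(masked_stream: List[str], pan: str) -> bool:
    """True if the PAN digits survive anywhere in the recorded stream."""
    return pan in "".join(masked_stream)


def sample_call() -> List[CallEvent]:
    """Constructed sample call; 4111111111111111 is a public test PAN."""
    evs = [CallEvent("speech", "I'd like to pay for order 77 by card"),
           CallEvent("dtmf", "1"),            # IVR menu choice, before capture
           CallEvent("capture", "on")]
    evs += [CallEvent("dtmf", d) for d in "4111111111111111"]
    evs += [CallEvent("capture", "off"),
            CallEvent("speech", "thanks, that's gone through")]
    return evs


if __name__ == "__main__":
    proc = PaymentProcessorStub()
    stream, toks = mask_call(sample_call(), proc)
    print("recording:", stream)
    print("tokens held by contact centre:", toks)
    print("PAN in recording?", recording_contains(stream, "4111111111111111"))
```

The point the simulation makes is architectural rather than cryptographic: the agent desktop, the call recorder and the CRM are out of scope not because the PAN is encrypted there, but because it is never delivered there at all. The IVR digit pressed before capture passes through untouched, which is the behaviour you want for menu navigation, and a call that drops mid-entry leaves nothing behind.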
To learn more about becoming PCI DSS compliant, visit the PCI SSC’s website.