If you are a business that takes credit or debit card payments, no matter how big or small you are, you will need to comply with Payment Card Industry Data Security Standards (PCI DSS). This may seem like a tall order, particularly if you are just starting up. Filling in more forms is the last thing you need as a small business, but card fraud is a growing problem which can cost a company with fewer than 50 staff between £65,000 and £115,000 according to research by PwC. The regulations are there to protect your business as well as your customers. If you experience a breach or are found to not be compliant, it could be reputation that is at stake, not just your pocket.
What is PCI DSS, anyway?
PCI DSS is a security standard which was set up to regulate organisations that store, transmit or process sensitive credit and debit card information in order to help reduce the risk of fraud and to therefore protect the consumer.
Right, so what do I need to do?
If you are a small business, it could make sense for you to use a payments service or software to deal with online or telephone payments, who will transmit or store sensitive information on your behalf. As well as individual technology vendors, payment card operators and telecommunications providers are increasingly offering cost effective PCI compliant solutions as add-ons for small businesses.
I don’t have a store – I just want to sell things on my website.
When you set up an e-commerce site, your bank should tell you what you need to do to be compliant. For small businesses this is usually a relatively painless task. While bespoke payment systems can be highly risky, most e-commerce sites will use a hosted payment page, meaning that payments go directly to the acquiring bank so that the business shouldn’t be holding any sensitive card data themselves.
This does not mean, however, that you can forget all about PCI DSS. While the use of a hosted payment page previously absolved the merchant of responsibility, this is no longer the case with the new version (Version 3) of the PCI DSS regulations. Hosted payment pages are now deemed to be ‘in scope’ so you need to have some kind of security logging and File Integrity Monitoring (FIM) in place to make sure that you are alerted to any unauthorised changes. You should also aim to scan your systems at least quarterly in order to make sure that none of the sensitive data has found its way into your infrastructure. An Approved Scanning Vendor, or ASV, can do this for you at a cost of around £150 per year.
This is not merely for the purposes of box-ticking; hackers are increasingly sophisticated in their techniques. Forensic security specialist Foregenix recently uncovered a scam whereby stolen card numbers were being held in a picture file, where they could simply be downloaded as an image. This type of data concealment can only be revealed by specialist software tools.
I think I’d rather manage it in-house, thanks
If you choose to handle any part of the process yourself, you will need to make sure that:
- Your staff are PCI DSS trained
- You complete the annual Self-Assessment Questionnaire (SAQ) to demonstrate that you are complying with the regulations.
- Any area or device that comes into contact with card data complies with PCI regulations – this will include desk spaces, computers, handheld devices or tablets, data storage (cloud systems, hard drives, and servers) and so on.
- Complete quarterly external vulnerability scanning against your network from an Approved Scanning Vendor (ASV).
You must also ensure that you do not store the following:
- Full magnetic stripe – track 2
- CVC2/CVV2/CID
- PIN/PIN block
- Sensitive authentication data, even if encrypted
I have a PIN terminal in my shop – what do I need to do?
The most important thing for businesses to bear in mind when using PIN terminals is to ensure that any computer handling card data is kept completely separate from the rest of the business. The most common security breaches take place because data from the payment system finds its way into the back office computer systems of the company. Points to bear in mind are:
- Make sure that you have robust firewalls around your payments systems.
- Conduct regular vulnerability scanning to identify any areas of weakness.
- Monitor for file integrity and displaced cardholder data.
I need to take card payments over the phone. What are my options?
It’s worth doing some research into the different technologies available. Each will differ in terms of the level of security as well as customer service and convenience that they can offer. Here are the main secure telephone payments technologies to get you started:
Dual-Tone Multi-Frequency (DTMF) tone masking
DTMF refers to the tones that play out over the phone when different numbers are pressed on the keypad. By masking these tones, any numbers that are tapped into the phone cannot be translated, either by the agent on the other end, or by anyone else who might intercept the information.
Increasing numbers of payments providers now require callers to input their credit or debit card information into the phone, rather than saying them out loud to the operator. If used in combination with DTMF tone masking, the benefits are obvious – it means that neither the agent, nor anyone else who might listen to a recording of the conversation later, can steal the sensitive data.
Pause and resume
Customer calls are often recorded in order to comply with customer service guidelines or financial services regulations – particularly those issued by the Financial Conduct Authority (FCA) – but recording sensitive information can compromise its security. Pause and resume means that the recording is paused while payment information is entered. This can either be automated or controlled by the agent. It does, however, have a number of disadvantages; on its own, the technology does not make systems PCI compliant, and payment details can still be intercepted by the agent or from company networks.
Interaction Voice Response (IVR)
An IVR is an automated telephony system that interacts with callers, gathers information and routes calls as needed – it’s when you call up to make a payment and speak to a recorded message instead of a live person (“Press 1 for yes…”). Having an automated message instead of a real human being has security benefits, but also has disadvantages in terms of customer service. Most of us would rather speak to a person than a machine and if anything goes wrong during the call there’s no one there to fix the situation. Without an agent on hand to talk the customer through the process the chances of losing the sale are greatly increased.
Is it really worth it?
In the never-ending race against cybercrime, payment fraud is a danger that must be taken seriously. A recent survey that we commissioned from OnePoll revealed that 86% of people would be unlikely to do business with an organisation that had suffered a security breach involving credit or debit card details. This is not a figure to ignore; customers will simply vote with their feet if you fail to treat their personal data with respect. Furthermore the media are unforgiving of failures, as we have seen from the widespread negative news coverage of brands such as Target, Neiman Marcus and, more recently, Morrisons, following the reported data security breaches.
Although PCI compliance can sometimes seem like an endless reel of red tape, its guidelines are based on common sense and have made a solid contribution to the battle against fraud. Nobody enjoys going through the process of box-checking or being scrutinised by auditors, but ultimately, investment in fraud prevention is money well spent.
Further reading on payments
