The Payments Card Industry Security Standard Council (PCI-SSC) developed the PCI Data Security Standard (PCI DSS) to encourage and enhance cardholder data security, and facilitate the broad adoption of consistent data security measures globally. Any merchant that accepts credit cards must adhere to PCI DSS standards. Failure to comply leaves a merchant vulnerable to a data breach and the ensuing negative fallout including fines, fees and lost business.
The PCI DDS is intended to help businesses proactively protect customer account data. It includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. Merchants aren't the only stakeholders that are subject to PCI standards, however. Partnering banks, payment processors, and point-of-sale software and hardware developers are also responsible for meeting these industry guidelines.
As data protection grows in importance in our digitally driven consumer ecosystem, merchants need to ensure they stay educated on the ever-evolving security standards so they can meet new mandates. Let’s take a look a closer look.
Protect the customer at the POS
Every stakeholder involved, from the merchant to the POS reseller to the processing bank, must be in compliance with PCI security standards. Protecting cardholder data requires coordinated efforts across all involved in the payment transaction. Security isn’t just a mandate, it’s good for business.
There’s no doubt that consumers are increasingly worried about the security of their payment information. According to a recent Unisys study, nearly 60 percent of U.S. consumers are extremely or very concerned about having their cardholder data stolen, a 7 percent year-over-year increase. Identity theft was also a major concern, with 57 percent of domestic customers calling it a major concern, industry website BankTech reported. The PCI SSC added that nearly 80 percent of cyberattacks target smaller businesses, which draws attention to the fact that merchants need to make security a top priority.
Additionally, consumers indicate they would alter their buying behavior as a result of a breach. More than half of respondents said they would no longer frequent a business if their sensitive information was stolen in a breach at that business. Today's competitive small-business marketplace leaves no room for error, especially those that lead to lost customers. The negative ramifications facing a merchant, even if it is not financially responsible for damages caused by a breach, are real and widespread. A business that suffers a breach is not only liable for the damages, the cost of replacing all the compromised cards, legal fees, and the hefty fines levied by the card associations, it also faces potential lost sales resulting from a damaged reputation.
PCI 3.0 – new security themes
The PCI-SSC continually updates the PCI DSS to stay current with industry threats. The most recent amendments appear in the PCI DSS 3.0, and contain three key themes: education and awareness; increased flexibility; and security as a shared responsibility. The new and improved standards aim to improve education and awareness at the merchant level. In addition to emphasizing that security is a shared responsibility among all industry stakeholders, the PCI DDS 3.0 clarifies the intent and requirements for compliance.
With the negative financial implications of a card data breach, small businesses can't afford to leave anything to risk. As consumers become increasingly concerned about the security of their sensitive information, it is even more imperative that small businesses stay informed about and in compliance with PCI DSS standards.