Riding the PCI Wave; How to Start your Compliance Strategy

By: Sue Savage, Technical Strategy Expert 

The Payment Card Industry Data Security Standard (PCI DSS) compliance wave, with its new regulations and ever-present breaches, can seem like a tsunami to the average merchant. As a result, many venues leave PCI compliance in the ‘too hard basket’ because they don’t know how or where to get started, or what their obligations are. This generates unnecessary business risk.

It doesn’t have to be that way! 

Instead of looking at PCI Compliance as an insurmountable challenge, see it as a value-add that can drive better customer service, and minimize business risk. This will put some momentum behind PCI Compliance efforts and produce positive results for your business.

Here are some tips on navigating the sea of PCI Compliance information:

1. Get in the know 

The first step in establishing a plan is education to build an understanding of what PCI DSS is and how it impacts your business. 

PCI DSS represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information. The standard provides an actionable framework for developing a robust account data security process including preventing, detecting and reacting to security incidents. 

There are many resources available for merchants to unravel the myths around PCI DSS. A good place to start is the Payment Card Industry Security Standards Council. They have an excellent website with useful and easy-to-digest tools and information developed with the small business owner in mind. Check out their section on “Getting Started”, which includes assessment checklists and easy-to-follow recommendations.

PCI DSS has defined the minimum requirements for merchants as: 

  • Building and maintaining their network
  • Protecting cardholder data
  • Maintaining a vulnerability management programme
  • Implementing strong access control measures
  • Regularly monitoring and testing networks
  • Maintaining an information security policy

Businesses that do not embrace this framework and leave sensitive customer data open to fraud can face hefty fines from the card companies (e.g. VISA and MasterCard).

2. Level the playing field

Visa classifies merchants into different levels, so take the time to understand your transaction volume and identify which level applies to your business. 

Merchant levels (as defined by VISA)

“All merchants will fall into one of the four merchant levels based on VISA transaction volume over a 12-month period. Transaction volume is based on the aggregate number of VISA transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (DBA)”. 

Based on transaction volume, your acquiring bank can advise which level you fall into. 

3. Establish a benchmark

Once you have your head around what PCI DSS means and have determined which merchant level your business falls into, it is critical to complete the initial Security Assessment Questionnaire (SAQ) to establish how your business can meet the minimum standards of the program. Depending on the ‘Merchant level’, the ‘compliance validation requirements’ may vary.

Compliance validation requirements (as defined by VISA) 

A good place to start is with your bank. They can advise on your particular PCI DSS validation requirements and help you obtain a PCI DSS Security Assessment Form.

Part of this assessment is understanding which systems capture customer credit card data and how that data is protected. Your acquiring bank can also advise on transaction volumes.

You can download the standard SAQs from the PCI DSS Council to get the ball rolling.

4. Set priorities and get moving

Once you have completed your assessment and established which systems could expose customer sensitive data, it’s time to set priorities and put an action plan together. A useful PCI Compliance action guide is listed on the PCI DSS Council website. 

Remember also that a good source of PCI information is your technology vendor. You need to be aware of whether the software versions implemented in your establishment meet PCI DSS compliance. For MICROS products, this information can be found on the Information Security Portal, which also outlines best practices.

Summary

Defining a PCI compliance policy, setting an action plan and putting standards in place is a requirement for all businesses, and even more so in the hospitality industry.

Securing consumer credit card data should be seen not as an IT project, but as a good business practice across the board. What is your PCI plan?

Find out more about what MICROS can do for you! For more information contact us at info@micros.com Phone: 866.287.4736 (US and Canada)
