On June 15, 2019, the day before Father’s Day, social media was inundated with photos of long lines of red carts as Target customers were unable to check out. A crash of Target’s POS system left Target unable to use their cash registers. The outage caused hundreds of thousands of Target shoppers nationwide to abandon their shopping carts filled with last-minute Father’s Day gifts and head elsewhere. The outage was only partially fixed by the morning of Father’s Day, leaving Target still unable to accept credit cards. In a world dominated by plastic transactions and tap & go transactions, this outage must have been financially devastating for Target.
Imagine if your own business could not accept credit cards for two business days. While there has been no official word from Target as of Monday, June 17, about what might have happened to the credit card processing component of their POS system, it seems like a good time to review PCI Compliance rules to make sure you are protected from a major breach. If Target can have POS failures and credit card data breaches, you can bet it can happen to you.
Looking into the recent past, 5 million Saks Fifth Avenue customers had their personal data stolen. That pales in comparison to the 40 million cards that were hacked from Target in 2013 and the 56 million Home Depot customers that had their account information compromised in a breach of its POS system. Do you know how your card data is stored and what your vulnerability is? More importantly, do you know what your liability is if you get hacked and how much it could potentially cost you out-of-pocket?
PCI DSS is the Payment Card Industry Data Security Standard, the set of standards that merchants who transact business by credit or debit card must abide by. It was jointly created by Visa, MasterCard, Discover, and American Express in 2004 to prevent data breaches. The most recent version is PCI DSS 3.2, introduced in April 2016. The same rules apply to all merchants, regardless of revenue and credit card transaction volume.
There are 12 requirements outlined in PCI DSS 3.2, but merchants must comply with a total of 251 sub-requirements across the 12 requirements. These standards apply to all merchants that handle cardholder data. Cardholder data refers specifically to the credit card number, along with the cardholder name, expiration date, and security code (CSC). The compliance mandates are so strict and so technical that they can be extremely confusing to most people. The good news is that if you are using third-party software as your POS system, you are likely in compliance through the efforts of your software vendor. If you process credit cards through your software, your software vendor likely stores the credit cards in their system and not anywhere in yours. It’s worth asking your software vendor to be sure.
The 12 Step PCI Compliance Checklist:
- Safeguard cardholder data by implementing and maintaining a firewall.
- Create custom passwords and other unique security measures rather than using the default setting from your vendor-supplied systems.
- Safeguard stored cardholder data.
- Encrypt cardholder data that is transmitted across open, public networks.
- Anti-virus software needs to be implemented and actively updated.
- Create and sustain secure systems and applications.
- Keep cardholder access limited by need-to-know.
- Users with digital access to cardholder data need unique identifiers.
- Physical access to cardholder data needs to be restricted.
- Access to network resources and cardholder data needs to be logged and reported.
- Test security systems and processes regularly.
- Address information security throughout your business by creating a policy.
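Steps 3 and 7 above are easier to enforce when you can find card numbers in places they should never be, such as support notes or application logs. The following Python script is an added example (not part of the article, PCI DSS, or any processor's tooling): it scans text for Luhn-valid card numbers, ignores look-alikes such as order and phone numbers, and masks each hit to the first six and last four digits, the most PCI DSS permits to be displayed. The sample text is constructed.

```python
import re

# Constructed sample text standing in for a support note or log line that
# must never hold cardholder data (the PAN, expiry and CSC named above).
SAMPLE_TEXT = (
    "Callback for order #1234567890123: card 4111 1111 1111 1111 "
    "exp 12/24 cvv 123, phone 5551234567"
)

# 13-19 digits, optionally separated by single spaces or dashes, and not
# glued to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every real PAN satisfies; filters out order/phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (start, end, digits) for each Luhn-valid PAN candidate in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Replace each detected PAN with its masked form, right to left so offsets hold."""
    for start, end, digits in reversed(find_pans(text)):
        text = text[:start] + mask_pan(digits) + text[end:]
    return text


if __name__ == "__main__":
    print(redact(SAMPLE_TEXT))
```

Anything the scanner flags is a policy violation to remediate at the source, not just to mask; the expiry and CSC beside it are sensitive authentication data that must not be retained at all.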
While software solutions such as Clover, FastTrak, Square or ShopKeep generally take care of the vast majority of the steps toward eCommerce PCI compliance for their merchants, you will still need to implement policies that prohibit your employees from writing down credit card information and storing it anywhere in your business, or committing other violations of the standards. Merchants that fail to comply with PCI DSS and get hacked may be subject to fines, card replacement costs, and costly forensic audits. The credit card companies, at their discretion, are the ones who administer fines to the merchant’s bank (known as the acquiring bank), and they can range between $5,000 – $100,000 for PCI compliance violations or breaches. The acquiring bank passes the fine on to the merchant.
On top of those fines, merchants may be subject to additional penalties from their bank as well. Banks and credit card processors may terminate their relationship with the merchant altogether, or simply increase the per-transaction processing fees and require the merchant to pay for the replacement of the credit cards that have been compromised in the breach. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a business. It is important to be familiar with your credit card merchant account agreement(s), which should fully outline your exposure.
For less than what you would pay for a single steak dinner, you can purchase a Data Protection Plan from your credit card processor that would protect you in the event you missed one of the 263 rules you are expected to know and follow. If you would like more information about data protection or credit card processing in general, please contact Chosen Payments at 855-4CHOSEN.