Achieving PCI compliance can seem challenging and confusing. This straightforward plan makes understanding and implementing PCI guidelines as easy as 1-2-3.
We’ve all heard the horror stories of what can happen when a company experiences a data breach and their customer information isn’t protected. Millions of dollars in losses ensue, customers become at-risk for fraud and identity theft, and the brand immediately loses credibility.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of payment-handling requirements put in place to protect cardholder data. But with six major objectives, 12 key requirements, 78 base requirements, and over 400 test procedures, achieving PCI compliance can seem impossible.
There’s an easy way to become PCI compliant immediately: just don’t accept any credit cards. Of course, you’d be denying your customers their favorite way to pay and probably limiting your revenue potential, but it would certainly put an end to your worries about meeting all of PCI’s standards.
Not accepting card payments just isn’t a good option for most businesses, and since this is the case, PCI compliance is necessary. Luckily, there’s an easy way to ensure that many of your PCI bases are covered, and we’ve narrowed it down into three simple steps: see no card, hear no card, and touch no card.
What is PCI Compliance, Anyway?
The PCI Standards Council is responsible for developing guidelines and requirements that anyone accepting credit card transactions must adhere to.
The compliance standards that they create help to reduce the likelihood of compromised customer data and the domino effect that takes place as a result. Without these standards, customer credit card data can be easily exposed and used for fraudulent purposes – such as unapproved charges or identity theft. To ensure PCI compliance, companies must evaluate their infrastructure, payment handling procedures, and business processes.
Although achieving PCI DSS compliance can seem rigorous, failing to meet its requirements can create hardship for your business and your customers. If you are non-compliant and a cardholder’s data is compromised, your business is held liable. This can result in thousands of dollars in fines and expenses: fraud losses, card reissuing, and being forced to rectify the compliance issues you put off or ignored earlier.
3 Easy Steps to PCI Compliance
With so many guidelines in place, it can feel overwhelming to understand them all, let alone implement them. However, by remembering three simple steps, you can significantly reduce the burden of ensuring that your payment system is PCI compliant – don’t SEE card numbers, don’t HEAR card numbers, and don’t TOUCH a customer’s card.
1) Never SEE a Card Number
If your business still processes credit cards manually, either in a retail or card-not-present situation, you should fix this immediately. Limiting the amount of customer data that is accessible by your employees drastically reduces the risk of both data theft and compliance issues.
Instead, allow your customers to input their credit card details themselves. This can be done by providing an e-commerce checkout form or a Payment Request form.
You may trust that your employees would be discreet, confidential, and responsible with customer information, but even a small mistake can have catastrophic consequences. Feel confident in knowing that you can continue trusting your employees – while ensuring that they never have an opportunity to SEE any customer’s credit card details. If your employees don’t have access to card numbers when processing payments for a customer, this significantly reduces your PCI compliance scope.
2) Never HEAR a Card Number
Some business models require customers to verbally recite their credit card information over the phone as an employee records it on the other end. We’ve already discussed what can happen if a rogue employee decides to mishandle information that they have seen or heard, but reciting credit card numbers out loud has another dimension of risk – you never really know who’s listening.
Phone calls can be intercepted, and even the stranger on the other side of the customer’s wall or standing behind them in line may be listening with fraudulent intent. Sure, it’s possible that your business will never run into these issues, but if there is no way to hear a card number through the phone, there is also no way to steal one through it.
If phone payments are a part of your business model, there are several ways to make your processes more secure and PCI compliant.
First, consider implementing an Interactive Voice Response (IVR) system. These systems allow a computer to interact with phone customers, accepting their card information through voice and touch-tone keypad selection. In other words, you can collect payment from your customer through the phone without ever hearing their card number.
Payment Request forms work well for this case, too. Instead of asking for card details over the phone, close the sale on the call and then send a Payment Request by email so the customer can enter their own card number digitally.
With these systems in place, your staff never have to hear a card number again!
3) Never TOUCH a Customer’s Card
The moment you touch a customer’s card, you are responsible for the outcome. At this point, you also run the risk of not meeting PCI DSS requirements. Here in the United States, we hand our cards over freely to retail cashiers, wait-staff at restaurants, and service employees every day, and that may go some way toward explaining why so many Americans are exposed to identity theft.
In the rest of the world, handing over a card is rarely required. At restaurants in many countries, for example, a card terminal is brought to the table so the customer can make the payment themselves. If you want to achieve PCI compliance, start by implementing a similar system. Use a self-service payment terminal that lets customers swipe or insert their own card and complete payment without handing it over.
Sensitive data can be dangerous in the wrong hands. Fortunately, if sensitive data never exchanges hands, this potential threat is eliminated. Having a system in place where the card remains in the customer’s hand is viewed favorably by the PCI Standards Council.
Taking The First Step Towards PCI Compliance
Achieving and maintaining PCI compliance requires commitment, time, and a change in the processes that you may have grown used to. While these three steps are not everything you need to do to achieve full compliance, they will surely get you much closer than where you are today. These steps also establish good data handling habits, and greatly reduce the scope of your PCI compliance efforts.
If you’re operating a business that collects recurring payments, achieving PCI compliance can be even more challenging. That is, unless you’re using Salesforce with Chargent. At Chargent, we make it easy to collect subscription payments automatically, without ever needing to see or hear a card number, or touch a customer’s card! Chargent processes your customer payments and stores a secure token in Salesforce — not sensitive credit card numbers.
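Both the “never SEE a card number” rule above and the token-instead-of-card-number model described here come down to one property you can actually verify: no primary account number (PAN) ever lands in your logs, form fields or database, only a gateway token plus the last four digits. The following is an added example, not Chargent’s or Salesforce’s code. It is a small Python check of that property: a Luhn-based PAN detector run over a few constructed sample records, a masker that keeps only the last four digits (a common PCI-style display mask), and a stored-payment record that refuses anything PAN-shaped. The record contents, the `tok_…` token format and the field names are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample records: a support log line where an employee typed a
# card number, a checkout log line from a tokenized flow, and an order note
# whose 16-digit order id is NOT a card number (it fails the Luhn check).
SAMPLE_RECORDS = [
    "2024-05-01 10:12:03 support: customer read card 4111 1111 1111 1111 over phone",
    "2024-05-01 10:13:44 checkout: payment ok token=tok_8f3a21 last4=1111 brand=visa",
    "2024-05-01 10:15:09 notes: order #4111111111111112 confirmed",
]

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run; the pattern never ends on a separator.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, the checksum every payment card PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid 13-19 digit numbers found in text, digits only."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pans(text: str) -> str:
    """Replace every detected PAN with asterisks, keeping only the last four."""
    def _mask(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # order ids and the like pass through untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Return (index, masked_record) for each record that contains a PAN.

    Run this over logs, CRM notes and form submissions: any hit means a card
    number reached a system that should be out of PCI scope.
    """
    return [(i, mask_pans(r)) for i, r in enumerate(records) if find_pans(r)]


@dataclass(frozen=True)
class StoredPaymentMethod:
    """What a scope-reduced system keeps about a card: a reference, not the PAN."""
    token: str  # gateway-issued reference; format is an assumption of this example
    last4: str
    brand: str


def to_stored_method(token: str, last4: str, brand: str) -> StoredPaymentMethod:
    """Build the stored record, refusing anything that looks like a real PAN."""
    if find_pans(token) or find_pans(last4):
        raise ValueError("refusing to store a card number; store the gateway token")
    if not re.fullmatch(r"\d{4}", last4):
        raise ValueError("last4 must be exactly four digits")
    return StoredPaymentMethod(token=token, last4=last4, brand=brand)


if __name__ == "__main__":
    for index, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {index} contains a card number: {masked}")
    print(to_stored_method("tok_8f3a21", "1111", "visa"))
```

Only the first record is reported: the date, time and token never match, and the order id in the third record is the right length but fails the Luhn check, which is what keeps the scan from drowning in false positives. The Luhn check is a filter, not proof; a hit still needs a human to confirm it and to find out which process let the number in.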
Ready to achieve PCI bliss? Check out the many features that Chargent offers and see if it’s the right fit for your business.
Have you overcome a serious PCI compliance issue? Tell us about it down below in the comments!