Merchants accepting credit/debit cards for payment are required to become compliant with the Payment Card Industry Data Security Standards (PCI DSS). It is YOUR responsibility, as a merchant accepting credit and debit card payments, to safeguard customer card data by becoming PCI compliant.
When you’re not compliant with PCI standards, fines range from $5,000 - $500,000. You can also pay $50 - $90 per cardholder if their data gets compromised! That can add up quite fast.
Rather than face those nasty consequences, make sure you do your homework. We have compiled a FAQ on PCI Compliance you can download here:
Also, we have shared a list of 7 deadly PCI compliance mistakes you can't afford to commit:
- Not Managing User Permissions Properly
All user roles must follow the rules, including the rule of least privilege. Every permission must be appropriate for the applications and processes a given user actually works with.
- Not Conducting a Readiness Assessment
This assessment should answer the questions “Who, what, when, where and why?” It’s a proactive but necessary measure that keeps you in compliance so you don’t find yourself facing those huge fines we talked about earlier.
- Not Enough Support from Executives and Senior Management
Some tasks and processes you can do without the awareness or approval of leadership. PCI compliance isn’t one of them. If you don’t already have the support of organizational leaders, then it’s time to start conversations about PCI compliance. You must tell them the exact time and financial resources you need to make compliance a reality for your company.
- Ignoring Virtualization Compliance
Unfortunately, this often gets overlooked. If you have even a single virtual machine, your entire virtual infrastructure must comply with PCI standards. The standard’s wording here is somewhat vague, so a large part of how it gets enforced comes down to how auditors interpret it.
- Not Changing Vendor Default Configurations
If you leave default configurations in place, they get duplicated along with every virtual machine you clone and deploy. You can scan your IT infrastructure for new devices, but this doesn’t work very well for virtual machines.
- Not Monitoring Log Data
Monitoring your log data is one of the key facets of PCI compliance. You also need to thoroughly protect the log data itself.
- Storing Cardholder Data as Plain Text
Less is more when it comes to cardholder data. Store as little of it as possible. If you absolutely have to store it, don’t keep the entire 16-digit card number. And of course, PIN and/or CVV data shouldn’t be in your log files either. All cardholder data should be encrypted, and encryption keys should be kept in as few locations as possible.
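The two points above (keep card data out of logs, never keep the full card number) are easy to state and easy to get wrong. Below is an added example, not part of the original post or of any vendor’s product, of a log sanitizer that masks any Luhn-valid card number down to the first six and last four digits (the most PCI DSS permits to be displayed) and redacts CVV/PIN fields before a line is written. The sample log lines are constructed for the example.

```python
import re

# Constructed sample log lines showing the kinds of values that must never
# reach a log file in plain text (the third line is a tracking number, not a PAN).
SAMPLE_LOG_LINES = [
    "INFO checkout order=1001 pan=4111111111111111 cvv=123 exp=12/27",
    "DEBUG gateway response card=5500000000000004 pin=9876 status=approved",
    "INFO shipping tracking=1234567812345678 carrier=UPS",
]

# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data fields that may never be stored at all.
SECRET_FIELD = re.compile(r"\b(cvv2|cvv|cvc|pin)=\S+", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used to avoid masking ordinary long numbers (order ids, tracking)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, replace the rest with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def sanitize_line(line: str) -> str:
    """Return the log line with PANs masked and CVV/PIN values redacted."""
    def _mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw

    line = PAN_CANDIDATE.sub(_mask, line)
    return SECRET_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", line)


def sanitize_lines(lines):
    return [sanitize_line(l) for l in lines]


if __name__ == "__main__":
    for out in sanitize_lines(SAMPLE_LOG_LINES):
        print(out)
```

Run this on the logging path (for example as a logging filter) rather than on archived logs, so the plaintext never lands on disk in the first place.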
…And There Are Many More PCI Compliance Errors to Be Aware of!
Those are some of the most common PCI compliance errors, but there are many more besides these.
Luckily, Solupay makes it easier to meet PCI DSS requirements and protect your customers’ important information. Our PCI compliance program is managed by ControlScan, an Approved Scanning Vendor (ASV) recognized by the PCI Council and a leading provider of PCI security solutions for small- and medium-sized merchants. Their easy-to-use tools and personal level of support make achieving compliance easy. ControlScan's PCI 1-2-3 compliance solution, available online via a merchant portal called myControlScan.com, provides you with the leading tools and support necessary to analyze, remediate and validate PCI compliance at an affordable rate.