Is Your Organization a House of Cards?
Pretty much every business out there takes plastic as a form of payment. This can be a credit card, debit card, prepaid card, gift card, etc.
Something that people may not be aware of is that if you accept plastic as a form of payment, there are certain rules you need to follow. These rules are called the “Payment Card Industry Data Security Standard” (PCI-DSS for short).
PCI-DSS is a set of industry rules. It is not a law, so enforcement is the responsibility of the banks. Exactly what those rules are can be found on the PCI-DSS website:
Credit card companies realize there are lots of ways to accept payment by card (card readers, online, card swipe machines, over the phone, etc.), so exactly how you accept card payments determines which rules you need to follow.
Credit card companies also rate organizations based on the number of annual card transactions. Companies are ranked level 4 to level 1, with level 4 being the smallest.
To make things more complicated, they changed the rules a little while ago.
When PCI-DSS was originally put into place years ago, they decided that small organizations (anything considered level 4) did not need to comply with PCI-DSS regulations (although it was recommended).
This is no longer the case. Any organization of any size accepting plastic as a form of payment (even if it’s only debit cards and not credit cards) is required to follow their rules. Failing to do so and being caught can result in significant fines ($5,000 to $100,000 monthly).
The reason for the change in policy was quite simple. What the credit card companies found was that, in practice, those small organizations are the source of most credit card Security Breaches. The credit card companies assumed that criminals would go after the larger companies, because there was a bigger payout. The truth of the matter is those smaller companies present much easier targets.
There is a lot of useful information on the PCI Security Standards website, including a useful page on how to secure your own organization. Yes, I said “organization” and not “computers.” These rules don’t stop at your electronics. The bulk of the rules are actually more concerned with your business processes and policies.
Obtaining official PCI-DSS compliance is a process that requires inspection by an authorized organization. TRINUS cannot provide official PCI-DSS compliance certification. However, when we perform a Security Audit, many of the things we look at are done directly because of the rules imposed by PCI-DSS.
Many organizations look at compliance as a one-time thing. It is intended to be an ongoing process: identifying Security issues, correcting them, recording what you learned, and then looking for more issues. After all, it’s better that you find and correct problems yourself than to have them discovered (and exploited) by someone else.
If you have any questions about obtaining a Security Audit, you can reach out to your TRINUS Account Manager for stress-free IT.
Your Friendly Neighbourhood Cyberman.