As online transactions continue to rise, identity theft and credit card fraud are growing concerns. As many as one in four Australians have been a victim of identity theft or fraud, according to a report from Veda Group.
So how can you ensure your business doesn’t unwittingly contribute to that statistic? If you accept credit card payments from customers, it’s essential to understand your responsibilities under PCI-DSS requirements.
What is PCI-DSS?
Payment Card Industry Data Security Standard, or PCI DSS, is a global information security standard developed by payment card providers (including American Express, Visa, MasterCard, Discover and JCB) to protect consumer credit card data from theft and fraud.
"Every organisation that collects, handles or stores card holder data must comply with its 12 requirements," explains Paul Foley, Head of Technology with Macquarie Pacific Funding.
That includes insurance brokers. "You hold a direct relationship with policy holders, so if you collect payment details from them, being PCI compliant will reassure them you handle their information with integrity."
The risk of card compromise
Here’s an example of how easily things can go wrong. A policyholder wants to pay their premiums by credit card in instalments, so you pass that personal and payment information to a premium funder on their paper forms.
Even though you’re not handling their data on your own paperwork, this process is within the scope for PCI-DSS because you are collecting unmasked cardholder data on paper forms, storing them temporarily in your own office and then passing them on to a third party.
"If a client is making a ‘card not present transaction’ (such as by phone or via your website) there is increased risk of data loss," explains Tim Alassad, Senior Manager - Business Payments with Macquarie Bank. "Internal fraud could arise from something as simple as a call centre operator writing down credit card details on a post it note and leaving it on their desk."
So what happens if that card data is stolen? Tim says it’s not uncommon in high-volume transaction sectors (such as retail or travel), and the fines could run as high as $100,000. "That could effectively wipe out a small business."
Neville Gollan, Director with Sense of Security – an IT security consultancy that helps Macquarie Pacific Funding ensure our solutions are PCI-compliant – agrees the financial penalties for non-compliance and sustaining a security breach where payment information is lost or stolen can be quite substantial.
"Your merchant facility could be withdrawn if the breach is substantial, which means you can't transact. There are likely to be extensive remediation costs in response to the security breach. And once that is all over, it is possible that your organisation will need to be assessed for compliance by a Qualified Security Assessor and undergo a more onerous level of compliance reporting, which can be a burden."
And of course there’s also the reputational risk. If customers need to get their cards reissued, they may think twice about trusting you again.
The outsourcing myth
If you’re thinking ‘but my service provider takes care of all that,’ think again.
"Business leaders are the custodians of this information," says Neville. "You can't outsource that responsibility – you need to understand whether your business processes, and any third parties you contract to, create a secure and PCI compliant cardholder data environment."
"We can provide peace of mind with our PCI-compliant solutions, like Macquarie’s DEFT for invoice payments, or MPPO to handle credit card payments through an insurance broker’s website," explains Paul. "But if you are also keeping those card details on a hard drive or server, or keeping paper copies in folders, it can be compromised."
Paul cautions that it’s important to use trusted providers if you’re investing in new technology to make the payment experience more seamless for clients.
"Right now, we are building secure digital distribution mechanisms in partnership with our PCI-DSS compliant vendors, and also modifying our internal business processes to ensure we continue to comply with these requirements.
People, procedures and technology
Compliance means making sure you manage risk in three key areas of your business:
- People can be the weakest link in the security chain. Staff need to understand the requirements and their responsibilities. Make sure you have a documented ‘incident response plan’ in place.
- Set up clearly defined processes for capturing, transmitting and storing cardholder data. Avoid email and paper trails (including faxes) to restrict physical access to the data.
- If you must store the data (and it’s best to avoid this) segregate the systems. For example, don’t store credit card details on the same server as your printer – it’s just leaving the door open for prospective hackers. Firewalls, antivirus software, encryption and robust password policies are all requirements of PCI-DSS.
Your PCI checklist
If you’re not confident you comply (or if you’re launching a new payment portal of your own) here’s a to do list to get you started:
- Check the PCI DSS categories to see which one you need to meet, and understand your obligations. Most MPF and Macquarie clients are Level 4, which means you need to complete a self-assessment questionnaire.
- Review your processes to see where cardholder data flows through your organisation, and who handles it.
- Ask yourself, "Do I really need to store the card number"? If you do, use a PCI Compliant provider that can tokenise and encrypt the card number – so in the event of a system breach no cards can actually be stolen.
- Check your service providers and their level of PCI DSS compliance.
- If you’re still not sure you meet all the requirements, it’s worth engaging a Qualified Security Assessor (QSA) to help you work out what changes you may need to make.
You’ll find all the resources you need on the PCI website. If you have any concerns about mitigating your payment risks, please talk with your MPF relationship manager who can connect you with a PCI subject matter expert.