A new ControlScan survey making the rounds of the financial press shows that “one in four acquirers say that how they approached Payment Card Industry security standard compliance caused them to lose merchant accounts.”
As one ControlScan exec said, “Easing their merchants’ PCI compliance pain is certainly to the acquirer’s competitive advantage, but for risk reasons, it’s important to actually get the merchants compliant.” That matters because another large breach or hack — with your company in the middle of that unwanted news — will often irreparably damage another critical merchant relationship: the one with customers.
Neiman Marcus, for example, was ordered just this past week “to pay $1.6 million to settle a class-action lawsuit over a 2013 security breach that exposed the credit and debit card data of about 350,000 shoppers.” The effects of such security lapses often linger for years.
Among the tips for easy PCI Compliance, as summarized by PC World, are:
- Don’t store Cardholder Data
- Choose a PCI Compliant Web Host
- Use a separate network to process payments
- Secure all mobile card readers
For that last bit of advice, the article suggests that “basically you should ensure the mobile devices are kept physically and digitally secure from theft, unauthorized use, malware, and hacking. Don’t jailbreak or root your device or enable other functions that can make the device insecure, like USB Debugging on Android devices.”
As we reviewed our earlier article on PCI compliance, we were struck by this update from GCN, a public sector IT journal. Their article mentioned public agencies that are increasingly geared to take credit cards for payments — from taxes, to parking tickets, park use fees, and a myriad of other things. Among the reasons given for agencies to also become PCI compliant:
- It protects citizens’ data and reduces the risk of a data breach.
- It helps standardize security at different agencies, and even at different levels of government.
- It can improve the overall efficiency of data flow.
- It reduces the cost of a data breach, should one occur.