Yesterday, we discussed new guidance from the Payment Card Industry (PCI) Security Standards Council (SSC), which, among other things, sought to define whose responsibility it is when cardholder data is left vulnerable to external attack. Ultimately, PCI SSC found that merchants and the third-party service providers they contract to offer credit card processing services share the burden here, and both parties must coordinate knowledge to protect cardholder data.
For many merchants, this may mean a fresh perspective on the threats of payment security. Whereas some may have been comfortable leaving security matters to their third-party provider to manage, most now have to bring themselves up to speed on the particulars of PCI compliance.
As we suggested yesterday, the best way to become familiar with compliance standards is by establishing a partnership with a trusted credit card processing company that is staffed with experts who can educate you on the ins and outs of regulations and responsibilities. However, some independent research also won’t hurt.
The consequences can be severe – including fines and penalties against merchants who don’t comply. But there are resources that offer help – the most notable of which is the PCI SSC itself.
On its website, the council offers a general breakdown that advocates a three-pronged approach for compliance adherence. That involves assessment, which involves the evaluation of risks, remediation, which describes business’ attempts to fix these vulnerabilities and reporting, when businesses communicate the results of the process to the acquiring bank and card brands.
That resource also offers links to requirements mandated by specific bank card providers, which can provide even more specifics for merchants.
Experts suggest that it’s not only important to learn this information, but also to keep it on hand for future reference. Drafting policies and procedures that are readily available to managers and staff can ensure that the proper security steps are communicated throughout the company.