Revealed: SMEs’ PCI mistakes
The Payment Card Industry Data Security Standard (PCI DSS) has protected countless businesses from exposing sensitive cardholder data. Its requirements are designed to improve the security of the IT systems that process and store that data, and merchants who can demonstrate compliance at the time of a breach are normally treated far more leniently on fines and liability by the card schemes.
It should be a no-brainer, but many SMEs fall short of full compliance, either because they find the requirements too onerous or because they are misinformed about what PCI DSS actually entails. At Worldpay we have helped hundreds of our clients become compliant, but we have also seen plenty of examples of bad practice.
Here are the top five, in no particular order.
PCI DSS doesn’t apply to me
Many SMEs assume that because they "outsource" their payments to a third-party provider, or because their site uses SSL, PCI DSS does not apply to them. In fact PCI DSS applies to every business that holds a merchant account with a card processor, and more broadly to any system that stores, processes or transmits cardholder data. Outsourcing reduces your scope but does not remove it: you remain responsible for monitoring the PCI DSS compliance of your third-party providers. For example, even if another firm securely hosts your website's payment pages, an attacker who compromises your own site can alter the checkout so that customers are diverted to a fake payment page instead of the real one. And SSL (TLS) only protects data in transit: it does nothing for data at rest on your own systems or network, which remains fully in scope.
I manually enter my customers’ card numbers into my card machine at the end of the day
Some SMEs, especially the smallest ones with few resources, have had their website built by a friend or relative simply to capture card details, which the owner then keys into a card terminal at the end of each working day. This is the most insecure and non-compliant way of processing internet payments: the full card details are collected and held by the website before they ever reach the processor, so the website, its database and whatever e-mail or spreadsheet the numbers pass through are all in scope and almost certainly unprotected. It is so far outside the rules that it also breaches card-scheme requirements beyond PCI DSS.
Never take payments this way. Speak with your card processor immediately about how to rectify the situation, typically by moving to a hosted payment page or a properly integrated payment gateway so that card numbers never touch your own systems.
I have no idea of the value of the data I am storing
Any payment data is valuable to criminals, and stolen in combination with email addresses, postal addresses or telephone numbers it is worth even more. Remember: the majority of reported data breaches occur in the small and medium sized business space. As an SME owner you are responsible for the security of your customers' card data. If your company suffers a breach you are liable for the cost of the forensic investigation and, in some cases, for some of the costs of the resulting fraudulent transactions.
Sensitive authentication data, which includes the three-digit security code (CVV2/CVC2; four digits on American Express), full magnetic-stripe (track) data and PIN blocks, must never be stored once the payment has been authorised, not even in encrypted form. If you need to take a later payment from the same card, ask the customer for the security code again and discard it after processing, or use your processor's tokenisation or card-on-file service so that you never hold the card number yourself. If you are a hotel the rules are slightly different, so contact your card processor for advice.
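A practical check for this point, added here as an example and not code from the original article or from Worldpay: a small cardholder-data discovery scanner in Python of the kind an assessor runs over logs, database dumps and debug output. It scans a constructed sample of log lines (hypothetical, using only the publicly documented test card numbers), reports PAN candidates only when they pass the Luhn check, recognises magnetic-stripe track 1 and track 2 formats, and spots security-code fields stored next to them. The report masks every number so that the scan output does not itself become another store of card data. All function and sample names are my own.

```python
"""Cardholder-data discovery scanner (added example, not Worldpay code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of what a careless web shop might leave on disk:
# an order log, a debug dump of the checkout form and raw magstripe data.
# The card numbers are the publicly documented test PANs, not live cards.
SAMPLE_LINES = [
    "2024-03-01 10:02:11 order=1001 total=49.99 status=authorised",
    "2024-03-01 10:02:11 DEBUG form={'pan': '4111 1111 1111 1111', 'cvv': '123', 'exp': '12/25'}",
    "2024-03-01 10:05:42 order=1002 card=5555-5555-5555-4444 cvc2=987",
    "2024-03-01 10:07:00 ref=1234567890123456 (an order reference, not a card)",
    ";4111111111111111=25121011234567890?",
    "%B378282246310005^DOE/JANE^2512101?",
]

# Magstripe track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}[^?]*\?")
# Magstripe track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code field name followed by a 3- or 4-digit value.
CVV_RE = re.compile(
    r"(?i)\b(?:cvv2?|cvc2?|cid|security[ _-]?code)\b['\"]?\s*[:=]\s*['\"]?(\d{3,4})(?!\d)"
)


@dataclass(frozen=True)
class Finding:
    kind: str      # "track1", "track2", "pan" or "cvv"
    line_no: int   # 1-based line number in the scanned text
    masked: str    # first six and last four digits of the PAN, or "***" for a CVV


def luhn_ok(digits: str) -> bool:
    """Luhn check: weeds out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits, the maximum PCI DSS allows on display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines):
    """Return every piece of cardholder or sensitive authentication data found."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        covered = []  # character spans already reported as track data
        for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                covered.append(m.span())
                findings.append(Finding(kind, line_no, mask_pan(m.group(1))))
        for m in PAN_RE.finditer(line):
            if any(start <= m.start() < end for start, end in covered):
                continue  # the PAN inside track data is already reported
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append(Finding("pan", line_no, mask_pan(digits)))
        for m in CVV_RE.finditer(line):
            findings.append(Finding("cvv", line_no, "***"))
    return findings


def summarise(findings) -> dict:
    """Count findings by kind, e.g. {'pan': 2, 'cvv': 2, 'track1': 1, 'track2': 1}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LINES)
    for f in hits:
        print(f"line {f.line_no}: {f.kind:6s} {f.masked}")
    print("summary:", summarise(hits))
```

Any hit in a file that is older than the authorisation it belongs to is a finding to act on; the track-data and CVV hits are never allowed at rest, regardless of age, and the Luhn filter is what keeps the scan from drowning in order references.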
I delete old records containing payment information
Deleting a file only marks its blocks as free for reuse; the contents stay on the disk, potentially for years, until something happens to overwrite them. When attackers get into your systems they look for exactly these remnants, and from them can retrieve years of card data in one hit. Use a secure-deletion tool that overwrites the file's contents before removing it, and bear in mind that on SSDs, copy-on-write filesystems, snapshots and backups even that is not a guarantee: the only reliable answer is never to have stored the data in clear text in the first place.
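What "properly deleting" means in practice, as an added example that is not code from the article: overwrite the file's contents in place with random bytes and fsync before unlinking, so the old blocks are not simply handed back to the filesystem with the card data still in them. The demo creates a temporary file holding a test card number, shows that the plaintext can no longer be read back from the file after the overwrite, then renames and removes it. Function names and the sample contents are my own. The caveat from the paragraph applies: with SSD wear levelling, copy-on-write or journaling filesystems, snapshots and backups, the overwrite may never reach the physical copy, which is why encryption at rest with key destruction (or not storing the data at all) is the stronger control.

```python
"""Overwrite-then-unlink secure deletion (added example, not Worldpay code)."""
import os
import secrets
import tempfile

CHUNK = 1 << 16  # write random data in 64 KiB pieces


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of `path` in place with random data, fsync'ing each pass.

    Returns the file size, i.e. the number of bytes overwritten per pass.
    Random data rather than zeros so the result is indistinguishable from an
    encrypted blob and a scan like the one above finds nothing.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push the new contents past the page cache
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Overwrite, rename to a random name, unlink, and fsync the directory."""
    size = overwrite_file(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    # Rename first so the original filename (e.g. "orders-2019.csv") does not
    # survive in the directory entry after the unlink.
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    try:
        dir_fd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dir_fd)  # make the rename/unlink metadata durable too
        finally:
            os.close(dir_fd)
    except OSError:
        pass  # directory fsync is not supported everywhere (e.g. Windows)
    return size


def demo_secure_delete() -> dict:
    """Create a temp file holding a test card number, overwrite it, confirm the
    plaintext is gone from the file's own bytes, then delete the file."""
    marker = b"card=4111111111111111 cvv=123\n"  # constructed test data, 30 bytes
    fd, path = tempfile.mkstemp(prefix="orders-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(marker * 100)
    size_before = os.path.getsize(path)
    overwritten = overwrite_file(path)
    with open(path, "rb") as fh:
        plaintext_remains = marker in fh.read()
    secure_delete(path)
    return {
        "bytes": overwritten,
        "size_unchanged": overwritten == size_before,
        "plaintext_remains": plaintext_remains,
        "exists_after_delete": os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo_secure_delete())
```

Run it as-is to see the result dictionary; on a plain ext4 or XFS volume with no snapshots the overwritten blocks are what remain on disk, while on a snapshotted or copy-on-write volume the original blocks may still exist and only full-disk encryption or key destruction removes them.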
I’m no information security expert so I have no idea where to start
Few people are. Speak with your card processor as a first port of call: they should have a PCI DSS team and programmes designed to help you become compliant. Remember: don't wait until you have suffered a data breach to look into PCI DSS. Protect your business and your customers now.