A disturbing 61 percent of merchants in a recent survey were found to have unencrypted credit card data stored on their networks — specifically, the unencrypted 16-digit sequence on the front of credit cards, also known as the Primary Account Number (PAN). Even worse, 7 percent of businesses surveyed were storing full magnetic stripe data, including PIN, CVV, service code, expiration date and cardholder name in addition to the PAN.
These findings are especially troubling since the Payment Card Industry Data Security Standard (PCI DSS) 3.0, which went into effect in 2015, clearly states that “protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection.” Indeed, such security measures play a critical role in achieving and maintaining PCI compliance. PCI DSS applies to every company that stores, processes or transmits cardholder information.
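As an added illustration of the truncation and masking measures the standard refers to (example code added here, not from TransFirst, the survey or the standard itself), the Python below scans log lines for Luhn-valid PAN-like digit strings and replaces them with a masked form showing only the first six and last four digits, the most that PCI DSS 3.x allows to be displayed. The sample lines, field names and order numbers are constructed for the example.

```python
import re

# Constructed sample log lines: one holds a cleartext test PAN, one is
# already masked, and one is a 16-digit reference number that fails Luhn.
SAMPLE_LINES = [
    "2015-06-01 order=88213 pan=4111111111111111 amount=19.99",
    "2015-06-01 order=88214 pan=411111******1111 amount=5.00",
    "2015-06-01 order=88215 ref=1234567890123456 amount=7.25",
]

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer run of digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits (PCI DSS 3.x Req. 3.3 maximum)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple:
    """Return (redacted_line, number_of_PANs_masked) for one log line."""
    count = 0

    def _replace(m):
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # digit run that is not a card number
        count += 1
        return mask_pan(digits)

    return PAN_PATTERN.sub(_replace, line), count


def scan(lines):
    """List (1-based line number, masked PAN) for every line holding cleartext PAN."""
    hits = []
    for n, line in enumerate(lines, start=1):
        redacted, count = redact_line(line)
        if count:
            hits.append((n, redacted.split("pan=")[1].split()[0]))
    return hits
```

Running `scan(SAMPLE_LINES)` reports only the first line; the already-masked value and the non-Luhn reference number are left alone.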
Regardless of the size or type of business you operate, the number of credit card transactions you process annually or the method you use to do so, you must be PCI compliant. Merchants who are not compliant can be held financially responsible in the event of a data breach.
It is important to understand that a data breach is not a limited, one-time occurrence. Once criminals have hacked into a merchant’s system, they leverage that access for all it’s worth, stealing unencrypted credit card data by installing malware that provides an ongoing feed of information via email and other electronic means. The criminal can then sell the data or produce fake credit cards that can be used for unauthorized transactions. This is why PCI compliance is required across all systems used by merchants, including those that actually handle card data, unrelated systems connecting to the same network and systems that can affect security like authentication servers, firewalls and web redirection servers.
One way to accomplish PCI compliance is to work closely with a payment processor that takes the matter seriously. TransFirst® collaborates with all its clients to ensure that they reach and maintain compliance. The first step is to complete a PCI Self-Assessment Questionnaire (PCI SAQ), the mechanism for reporting your level of compliance to your merchant bank. A PCI scan is required if a merchant electronically stores cardholder data post-authorization or if the processing system is connected to the Internet. A PCI audit examines a merchant’s point-of-sale (POS) systems, identifies vulnerabilities and institutes precautions to prevent data from being compromised.
For further protection, TransFirst offers its clients a data breach security program that helps cover the potentially crippling financial losses associated with a breach, should one occur.
Remember: You are ultimately responsible for making sure that your business is PCI compliant. TransFirst representatives can answer all your questions about secure management of credit card data and the many credit card processing solutions that are now available to meet your business and budget requirements.