PCI-DSS: The Cost of Security is not Expensive

Can you afford not to accept credit cards in your store? NO!

Can you afford costs in excess of $50,000 if your system is breached? NO!

Can you afford security? You can't afford to NOT have a secure system!

If your credit card data is compromised, you will be held responsible for the loss as well as hefty fees and fines. At risk are the direct costs of the compromised transactions, penalty fees, and the cost of a forensic audit, which runs at least $40,000 to $50,000. For most independent retailers this cost alone can be crippling, to say nothing of the cost in customer confidence.

If you process more than 20,000 ecommerce or 1 million total credit card transactions a year, you are currently required to complete an annual Self Assessment Questionnaire (SAQ) as defined by the Payment Card Industry Data Security Standard (PCI DSS). If you process fewer than those thresholds, you are a Level 4 retailer, but you are still responsible for maintaining a secure system. At a minimum, it is recommended that you complete the annual Self Assessment Questionnaire (SAQ); your acquiring bank may require one, if not now, then sometime in the foreseeable future.

Admittedly, these documents and requirements can seem daunting on first review. But the fact of the matter is that they boil down to common sense and reasonable protection of electronic data that every business should have implemented anyway.

Pay Now or Pay Later

A core objective of the PCI Data Security Standard is to help organizations proactively secure themselves against the possibility of a security breach and the liabilities that come with it. It is important to fully understand that this exposure could cost a retailer their business. The consequences of being unaware of, or ignoring, this risk are well illustrated by the truly heart-wrenching story told in a video available at http://www.mercurypay.com/go/rspa/ : this independent retailer was completely caught off guard. The video will scare you more than the best (worst?) horror film ever made, and it is especially frightening if you haven't yet begun to protect yourself.

Fear tactics aside (though I hope it worked), a tragedy like this can be avoided at minimal cost. The good news is that the hard costs are not large. The biggest cost is in self-education: understanding how to best protect your organization.

Yes, This Applies to You

One of the things to understand is that security is not a one-time event. Even if you did everything to protect yourself and were completely certified, your security status could change the next day. And if you were breached you could still be liable for thousands of dollars in fees, penalties, and forensic audits.

Frankly, one could have the budget of the National Security Administration (NSA) and still never be 100% sure of being protected. But staying ahead in the security game is like being chased by a tiger: you don't have to outrun the tiger, just the poor fellow running next to you. And as more and more companies become conditioned to outrun the fellow next to them, you have to make sure you aren't the one lagging behind.

Just like preparing for a marathon, you can start to improve your security a little at a time. What is important is that you start. And once started, each progressive gain will be easier, and before you know it you will be in great condition to stay well ahead of the hackers.

In related articles we will provide suggestions and education on the various security issues you need to consider. A good many of them are very simple and inexpensive to implement – and every step you take will put you one step further ahead in the race. This series of newsletters will take you progressively through the steps that will prepare you to complete your Self Assessment Questionnaire (SAQ) and pass with flying colors.

PCI Data Security Standard Terms & Definitions

PCI-DSS: Card Retention Options and SAQs

PCI-DSS: Security – Password Protection

PCI-DSS: Securing your Network

PCI-DSS: Special Consideration for Remote Access