accesso Blog Series: Protecting Guest Payment Cards and PCI Compliance.

Banner image: PCI blog, 8/29/17

Have you ever experienced credit or debit card theft? If so, you know the complicated series of emotions that follow: concern, fear, anger and inevitably a lot of frustration as you deal with closing your card and opening a new one. It can be exhausting, and when it’s all said and done, not an experience that you want to repeat. Sometimes it’s tempting to play detective and figure out where the theft occurred in the first place. When a store has lost your trust in this way, do you think you would be inclined to return?

Payment data security is the cornerstone of trust between merchants and customers, and once this trust is breached it is hard to get back. Cardholder data is valuable to thieves who want to use it for fraudulent purchases. Often we only think about the immediate damage, but victims of credit card fraud may not be aware until it is too late. Once this personal information is compromised, they can potentially face years of damage to their standing with credit reporting agencies. Customers want to be confident that their data is secure, so merchants must be diligent to ensure that they process secure, compliant payment card transactions.

Whether you are a ski resort, museum or zoo, it’s important to remember that if you are accepting card payments from guests, you are also a merchant, which means the duty to protect this information falls on you! This can seem like a daunting task, especially if you have multiple point-of-sale (POS) terminals, but luckily, there are industry standards designed to help. Following these standards means you are PCI (payment card industry) compliant.


If you’re not familiar with PCI compliance, here is a quick overview: PCI compliance relies on standards designed to protect payment card data. The standards, known collectively as the PCI Data Security Standard (PCI DSS), define a set of security requirements covering topics such as network and access controls and preventing and detecting security incidents. The PCI Security Standards Council, a global organization founded by the major card brands, develops and maintains these standards. They are used by software vendors to help develop secure payment applications, as well as by merchants and service providers in their day-to-day operations.

It’s important to give your guests the confidence to spend freely at your location, from the admissions window all the way to the gift shop, but did you also know that following PCI security standards helps you avoid several serious liabilities? These include:

  • Costs to reissue payment cards
  • Legal fees
  • Fraud losses
  • Higher compliance costs
  • Non-compliance fines and penalties
  • Termination of ability to accept payment cards

What can we do to achieve and maintain PCI compliance? The biggest responsibility of merchants is to provide a secure environment. There are several operational steps that you can take to fulfill this goal, and you may have already put these measures in place. First, make sure that your systems are kept up to date with security patches and current anti-malware software. Any system that touches cardholder data, whether it’s an employee computer or a point-of-sale (POS) terminal, should be included. Secondly, when you are setting up your POS terminals, create an individual log-in for each user rather than shared or vendor-default accounts, and limit access to the staff who actually need it. The PCI Security Standards Council also recommends that organizations create an information security policy document that makes your goals and procedures transparent and holds everyone accountable.

You can also support PCI compliance by working with software developers who provide secure payment applications for your card processing network (both processing and authorization). If you rely on a POS environment to sell to customers, make sure that you are using a secure network across all of your POS terminals. Did you know that there are systems available that can maintain credit card hardware and software in one secure network? As an added bonus, these systems can eliminate the need for manual payment reconciliation, saving you time and preserving accuracy. Look for a provider that allows you to place security and access controls around stored data, and that encrypts this information. Better still, store as little cardholder data as possible: a masked or tokenized card number is enough for most reporting and refund needs, and sensitive authentication data such as the card verification code must never be kept after authorization. If you aren’t sure whether your current provider offers these security features, just ask!
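To make the "stored data" point concrete, here is an added example (not code from the original post, and not accesso's own software) of what a POS or back-office application should do with a card before anything is written to disk. It keeps only a masked card number and a keyed one-way hash of the full PAN, which is one of the methods PCI DSS accepts for rendering a stored PAN unreadable, and it drops sensitive authentication data (CVV, magnetic-stripe track data) rather than copying it. The field names (`pan`, `cvv`, `track2`, `expiry`, `amount`), the hard-coded example key, and the sample request are all constructed for illustration; a real deployment would fetch the key from a key-management service or HSM.

```python
import hashlib
import hmac
import re

# Constructed example key (32 bytes) for this demonstration only. A real
# deployment fetches the HMAC key from a key-management service or HSM;
# it never lives in source code or on the POS terminal's disk.
EXAMPLE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)

# Fields PCI DSS calls sensitive authentication data: they may be sent to
# the processor to authorize a transaction but must not be retained afterwards.
SENSITIVE_AUTH_FIELDS = ("cvv", "track1", "track2", "pin_block")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; rejects mistyped numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: PCI DSS permits at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash of the full PAN (HMAC-SHA-256).

    Lets the merchant recognise the same card again (refunds, fraud checks)
    without retaining the PAN. The secret key, not the hash algorithm, is
    what stops an attacker from brute-forcing the 16-digit PAN space.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(auth_request: dict, key: bytes) -> dict:
    """Reduce a raw authorization request to the record a merchant may keep.

    Returns a dict containing only a masked PAN, a keyed PAN token and the
    non-sensitive fields (expiry, amount). Sensitive authentication data is
    never copied into the result, so it cannot end up in the database.
    """
    pan = str(auth_request.get("pan", "")).replace(" ", "")
    if not re.fullmatch(r"\d{13,19}", pan):
        raise ValueError("PAN must be 13 to 19 digits")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")

    record = {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "expiry": auth_request.get("expiry"),
        "amount": auth_request.get("amount"),
    }
    # Belt and braces: prove nothing sensitive leaked into the stored record.
    assert not any(field in record for field in SENSITIVE_AUTH_FIELDS)
    return record


if __name__ == "__main__":
    # Constructed sample using the well-known Visa test number; not a real card.
    request = {
        "pan": "4111 1111 1111 1111",
        "expiry": "12/27",
        "cvv": "123",
        "track2": "4111111111111111=27121010000000000",
        "amount": "42.00",
    }
    print(prepare_for_storage(request, EXAMPLE_KEY))
```

The stored record contains `411111******1111` and a 64-character hex token, nothing else about the card. Where full encrypted PANs genuinely must be kept (for example to re-run a recurring charge), that is a job for the payment provider's tokenization or vault service rather than the merchant's own database, which is exactly the question to put to your provider.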

You can learn more about PCI DSS by referencing the PCI DSS Quick Reference Guide provided by the PCI Security Standards Council. The Council also offers webinars on a variety of topics of interest, including reducing the risk of a data breach, the Data Security Standard, and more. If you have questions about how our accesso solutions support PCI compliance, please contact us here.

Amanda Swiontek — Technical Writer, accesso Siriusware

Amanda is an Arizona native who currently resides in Orlando, Florida. With over 20 years’ experience in technical communication, Amanda was thrilled to join the accesso team in 2016. When she is not chasing around her two dogs, Amanda is the lead vocalist in a rock band, grad student at Arizona State University, Arizona Cardinals fan and maker of a very secret family recipe of spicy, slow-roasted homemade salsa.