Following news of the FatFace data breach, which included, among other records, the last four digits of the long number and the three-digit security code of customers’ card details, it is clear that PCI compliance is not always achieved, despite UK laws that mandate it. The Payment Card Industry Data Security Standard (PCI DSS) focuses on protecting an individual’s card details, and specifies that a customer’s card details cannot be stored on your system following an individual transaction, helping to protect against financial fraud and theft in the event of a data breach. It also includes regulations for processing card details, whether through a physical terminal or a virtual one.
It is a common misconception that your processing partner is responsible for PCI compliance, but the business taking the payment (i.e. your business) is the one ultimately responsible. It is therefore essential that you know and have checked the setup, and don’t assume that your IT or telecoms provider has set it up for you.
You may believe that you are PCI DSS compliant, but the question is whether you are, or could be, storing this data and breaching compliance. Here’s a checklist of things to think about, or you can speak to our team on 01453 700 800 to audit your systems for you to identify and fix any regulatory breaches…
Make sure you have done all the basics when installing your system, including:
- install and maintain appropriate software and protections: a firewall, antivirus and anti-malware
- change all the default passwords supplied by the vendor for access to any software or hardware
- design and restrict access on a ‘need to know’ basis within the business, so that settings and systems cannot be changed or overridden by those without proper training and responsibility
- track and monitor all access that may involve a card transaction, without tracking the card transaction itself
- establish a policy and procedure, with regular testing and updates, for your security protocols, ensuring that systems are always up to date and fully robust
- ensure that your process encrypts the transmitted information so that it cannot be intercepted.
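The question of whether you are, or could be, storing card data, and the point about monitoring access without tracking the card transaction itself, both come down to finding card numbers and security codes where they should not be. The scanner below is an added example (not code from the original article or from any vendor): it walks text such as logs, exports or call notes, validates candidate card numbers with the Luhn check to cut down false positives, flags labelled security codes, and reports each hit with the number masked to its last four digits. The sample log lines are constructed for the example and use well-known test card numbers.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled security codes: these must never be stored after authorisation.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|csc|security[ _-]?code)\b\s*[:=]\s*(\d{3,4})\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the most that should ever appear in a report."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_data(text: str) -> list:
    """Scan text line by line; return findings with PANs masked and CVVs never echoed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):  # drops order references and other long numbers
                findings.append({"line": lineno, "kind": "PAN", "value": mask_pan(digits)})
        for m in CVV_RE.finditer(line):
            findings.append({"line": lineno, "kind": "CVV", "value": "***"})
    return findings


# Constructed sample: line 1 holds a non-card 16-digit reference, lines 2-3 hold test PANs.
SAMPLE_LOG = """\
2021-03-25 10:15:02 order_ref=1234567812345678 status=paid
2021-03-25 10:15:02 card=4111111111111111 cvv=123 amount=49.99
2021-03-25 10:16:40 card=5555 5555 5555 4444 expiry=12/24
2021-03-25 10:17:05 customer_tel=07700 900123 status=callback
"""

if __name__ == "__main__":
    for finding in find_card_data(SAMPLE_LOG):
        print(finding)
```

Run it against exported logs, database dumps or shared drives; any PAN or CVV finding is data that PCI DSS says should not be there.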
There are then some specifics that you need to do, depending on how your transactions are processed:
Your card machine connection
Typically, card machines are routed for processing via an isolated telephone line, via a 4G or 5G network, or via an internet router. Each of these routes has potential vulnerabilities, and it is essential to ensure that security is maximised to prevent a breach. Whatever your infrastructure, it is essential that your card machine connection is isolated from all other activities within your business, to prevent the data being intercepted and breached. This means:
- giving it a separate data connection within your business, away from any other activities
- networking a separate device to specifically handle the transactions
- using separate passwords and security protocols that are not available to members of staff to change or update
- having a process for maintaining the security aspects on the device, including software updates and the like.
Your virtual terminal connection
If you are taking payments online, via a virtual terminal portal, then it is essential that the same checks and balances are in place, as if you were physically processing the transaction on the card machine. Typically, users access a virtual terminal via a networked device, and an internet router, which unfortunately is the most vulnerable type of connection. It is essential that any card payments taken virtually are isolated from other activities, and completed on a standalone networked device exclusively for this purpose. This means:
- there is a single device responsible for taking the transactions, isolated from all other activities. That means no email, web browsing or software that might be vulnerable to viruses and attract issues such as keystroke loggers
- the router and lines are set up so that any payment transactions are handled completely separately from all other internet-based activities. This helps prevent someone breaching your network and then using that foothold to capture your customers’ card details
- full security updates, always, so that the router and the device are never out of date.
Don’t forget your phones
It is common for businesses to record phone conversations for “monitoring and training purposes”, but doing so while taking card details is a breach of PCI compliance. If you have call recording, then you must have the capability to turn off recording during a phone call, and training to ensure that all your staff know how to do this, and do so, always. Having a recording of your client’s card details is an offence, even if it is only temporary and deleted immediately.
Or your people
While it is not technically a part of your telecoms and IT infrastructure, your system users are often your weakest link. Make sure that you train your teams appropriately to follow the systems put in place, so that your security measures aren’t circumvented, and provide each user with their own unique login ID so that what they do can be tracked. It is also essential to ensure they’re not moving the data offline either – writing it down is a big no-no, even if it seems quicker at the time.
For stored card data
There may be instances where your business has a requirement to store card details on behalf of a client and this comes with its own challenges. The storage itself must be compliant, but the transfer of the data to and from that storage must also be robust and secure via your network infrastructure.
PCI DSS compliance is all about the process of responsibility, management and due diligence to ensure that any financial transaction cannot be intercepted during or after the transaction occurs, and your customer’s details cannot be compromised. Often, businesses are concerned about the capital expense and management of separate devices, but non-compliance can attract fines between £3,000 and £60,000 depending on the scale and severity of the breach. What’s more, there is a reputational cost to not protecting your client’s data, particularly when the steps to do so are quite straightforward.
One final tip: don’t forget to check your supplier’s compliance too, to ensure that the data is secure once it has left your system and your direct responsibility. It may not be your fault if there is a breach outside your network, but we doubt that your customers will see it that way!