It is becoming increasingly apparent that all businesses need to be attentive to (and respectful of) the security of the data they collect - especially payment card information. With Facebook recently being handed fines that totalled $5 billion for certain lapses in their data protection practices, this is clearly not something to be taken lightly.
As a matter of fact, both consumers and the legal system have become more aware of the privacy of the data that businesses collect. If a business doesn’t protect its clients and customers, its employees, or its vendors, it is flirting with the risk of serious litigation. No industry is safe: as long as you accept credit cards you are at risk, whether you are a CPA or a medical professional, even if your customers aren’t human.
This is especially the case when credit card information is concerned. Businesses that accept credit cards are beholden to the Payment Card Industry Data Security Standard, also known as the PCI DSS. The PCI DSS assists businesses in avoiding the liability that would come from a data breach.
The Three Steps to PCI DSS Compliance
In order for your business to be compliant with PCI DSS, there are three critical activities that you have to carry out continuously. They are:
Assessment
How would you know whether your technology could potentially put cardholder security at risk if you didn’t assess it? Running an assessment is an effective way of identifying an issue that could get in the way of PCI DSS compliance. There are multiple ways of assessing your technology, including self-administered questionnaires and official tests performed by qualified assessors. It may be in your best interest to invest in both to ensure that everything is attended to.
Remediation
Any vulnerabilities that are revealed during the assessment need to be fixed, as they will interfere with your compliance with PCI DSS. It often helps to bring in a technician with plenty of experience, such as the ones here at Dresner Group. In addition to fixing vulnerabilities, this is an opportune time to remove any unnecessary cardholder credentials and details.
Reporting
Once you have resolved the issues that were revealed in your assessment, you need to submit your remediation records and compliance reports to the appropriate banks and credit card processing centers. If a business in Maryland intends to accept and store credit card details, it must report that it has a secure and functional system in place.
What Happens If I’m Not Compliant?
As more focus is directed to privacy, data breaches and lapsed compliance become a bigger deal, with more severe consequences associated with them - particularly in Maryland. The Maryland Personal Information Protection Act puts the brunt of the responsibility on your business to protect clients whose data was breached.
Furthermore, there are quite a few additional consequences to account for as well:
- You could easily be liable for damages wrought due to the theft of data
- Your customers and clients will likely lose their trust in you, switching to other merchants and providers
- You may have to pay the cost to reissue new cards
- You may be responsible for offsetting losses due to fraud
- You may find it more expensive to achieve compliance after the fact
- You could be on the hook for legal costs and settlements
- You will have to pay assorted fines and penalties
- You may lose the ability to accept credit cards, which most consumers prefer to use
- You and your team could lose your jobs, from the C-suite to the entry level
- You could potentially go out of business
Naturally, none of these outcomes are good, so you need to make sure you can avoid them by being compliant with the rules laid out by PCI DSS. Dresner Group can help - we are familiar with the rules and regulations regarding PCI DSS and can help your business remain compliant. Reach out to us at (410) 531-6727 to discuss your needs.