The payment card industry no longer accepts a “check the box” mentality when it comes to merchant adoption and verification of Payment Card Industry Data Security Standards (PCI-DSS) required for compliance. Recent years have seen an uptick in cybercrime, with most data breaches compromising credit card data and personally identifiable information.
Breaches of smaller organizations and municipalities are as common as large data breaches affecting big box retailers, hospitality chains, universities and the federal government. Smaller organizations are more susceptible to data breaches because of limited security controls, subject matter expertise and policies, procedures and governance.
According to Intel Corporation, small organizations report costs of breaches exceeding $100,000. Organizations without cyber liability insurance should consider adding it, but must give careful consideration to coverage exclusions when comparing plans.
While the transaction cost of credit card fraud was historically funded by credit card companies and passed along in fees, the burden is shifting to payment processors and merchants following the adoption and enforcement of PCI-DSS in 2015 and its stronger controls. When a breach is suspected, a fraud investigation is initiated, and the merchant is required to provide forensic analysis and compliance verification to validate the security of the cardholder data environment.
Effective October 2015, U.S. merchants now bear responsibility for fraudulent transactions involving chip-embedded cards where card-swipe technology was utilized instead of a chip reader. EMV technology prevents point-of-sale eavesdropping and obstructs card counterfeiting accomplished using magnetic stripe data stolen in breaches. Despite previous resistance to chip technology in the U.S. due to high transition costs, card-swipes should be a rarity by 2020.
PCI-DSS requires all but the largest merchants to complete an annual Self-Assessment Questionnaire (SAQ) using the form aligned with their processing framework; Version D is the most comprehensive. Quarterly vulnerability scanning is also required, with passing results certified and retained for compliance attestation. A higher level of attestation is required for service providers, level-1 merchants (6 million or more annual transactions), and any merchant suspected of breach activity resulting in an account compromise. Failure to provide compliance attestation may lead to monthly penalties, payment withholding and denial of service.
The following are recommendations for municipalities when dealing with PCI Compliance:
- Engage a qualified third party to assess the level of PCI compliance and identify specific gaps.
- Ensure IT personnel and outsourced third-party IT service providers understand the PCI requirements and are following the organization’s data security procedures required for compliance assurance.
- Review payment processing to ensure the solution(s) selected are innovative, utilize PCI-approved and compliant technologies, and minimize the ongoing cost of PCI compliance attestation.
For more information contact Yogesh Patel at 770-285-2686, www.warrenaverett.com, or visit www.pcisecuritystandards.org