Protecting Customer Payment Data: June Deadline For Meeting Stricter PCI DSS Rules

While technology has made it fast and easy to process debit and credit cards for customer payments in person, by phone and online, it can also leave companies and their customers vulnerable to data breaches and other hacking. To safeguard card user information, the major payment card association brands (Visa, MasterCard, American Express, Discover and JCB) created the Payment Card Industry Data Security Standard (PCI DSS).

With a June 2018 deadline for implementing a new round of tighter security measures, PCI DSS is a complex and evolving set of technical and operational practices for vacation ownership companies, healthcare organizations, financial servicing firms and any other merchants or service providers that store, process or transmit payment card transactions. There also are PCI DSS standards for manufacturers of card payment devices and software developers that build applications for payment cards, including smartphone-based digital wallet applications.

While PCI DSS is generally voluntary, some states, including Minnesota, Nevada and Washington, have passed laws that require PCI DSS compliance for organizations that handle credit card data. Furthermore, the major card issuers also expect companies to adopt and stay current with PCI DSS or face possible fines and other penalties, especially in the event of a data breach.

As data security threats continue to escalate, so do the PCI compliance requirements. New rules that add layers of security, first published in 2016, must be in effect by June 30, 2018. They include such changes as migrating to more secure encryption protocols, establishing multi-factor authentication for company employees that have access to customer card data, and adhering to new rules about displaying card numbers.

There are actually four PCI DSS levels based on a company’s volume of card payments. Level 1 is the most stringent and is required for companies that process 6 million card payments or more a year. In addition to regular network or web site scans done by an Approved PCI DSS Scanner, Level 1-compliant solutions, like those offered by Nordis Technologies, undergo an annual onsite evaluation by a PCI Security Standards Council-approved Qualified Security Accessor to ensure they are following the proper procedures and best practices.

Given the time, effort and money involved in complying with PCI DSS and staying up to date, some organizations are shifting cost and risk to a third-party hosted payment solution that also enables them to offer more flexible payment options/channels including mobile, digital, phone and mail.

Of course, not all payment solutions offer the same level of protection or customer features. Companies certified as PCI Level 2, for example, can store credit card information but cannot process recurring payments.

When selecting PCI DSS Compliance tools, other security and privacy considerations also come into play, including HIPAA compliance for healthcare organizations. The American Institute of Certified Public Accountants also set standards, known as Service Organization Controls, used for auditing how companies handle customer data. SOC 1 focuses on the controls of companies hosting financial information that could affect a client’s financial reporting. SOC 2 audits involve companies hosting or processing information for clients that do not impact their financial reporting, such as customer payments.

From our online bill presentment and payment solution ExpressoPay to our full Expresso customer communications management software suite and print and mail services, Nordis takes security and privacy extremely seriously. In addition to offering payment solutions that are also PCI Level 1 and HIPAA compliant, we are audited annually for the broader, stricter standards of SOC 2 which attest to the quality of controls that directly relate to security, availability, processing integrity, confidentiality, and privacy at a service organization.

Source: Sophos Security plc