If your organization fails to comply with PCI standards, the costs can be huge. Not only do you lose valuable customer trust; the card brands can levy fines of up to $10,000 per month (assessed on your acquiring bank and passed on to you) until your organization reaches PCI compliance. And in the event of a data breach, the financial damage is even worse: you can be held liable for the bank's chargeback and card-reissuance costs for each affected customer, and may end up on the wrong end of a lawsuit.
That’s why it’s crucial to avoid these common PCI compliance mistakes.
Incorrectly Determining Your PCI Scope
Identifying your compliance scope means evaluating which people, processes, systems and technologies come into contact with sensitive payment information. By determining all the moving parts of your organization that interact with credit card information, you can then decide where you need robust security measures and eliminate gaps in your defense.
Determining your PCI compliance scope also lets you take strategic measures to reduce it, that is, to eliminate touchpoints where your organization handles cardholder data. The most reliable way to reduce scope is a PCI-validated point-to-point encryption (P2PE) solution, which encrypts card data inside the payment terminal the moment the card is swiped, dipped, tapped or keyed in, so that clear-text card data never reaches your own systems.
Filling Out the Wrong PCI Compliance Self-Assessment Questionnaire
A common error that smaller organizations make is filling out the wrong compliance self-assessment questionnaire. There are several types of self-assessment questionnaires (SAQs) for PCI compliance — but if you choose the wrong one and use it as a guideline for your security measures, this can lead to gaps in your defense.
Be sure to read carefully when choosing your self-assessment questionnaire; the right SAQ depends on how you accept cards (e-commerce, card-present terminals, mail/phone order, and so on). If you can't decide which one is right for you, contact your acquiring bank or payment card brand for help. Note that if you adopt a PCI-validated P2PE solution, you qualify to fill out the SAQ P2PE, which is limited to 33 questions.
Failing to Create a Defense in Depth Strategy
PCI compliance isn't just about using PCI-validated technology; it's about building a layered security program. In addition to encrypting payment data in flight with P2PE, ensure that any card data you retain for future use (recurring billing, card-on-file) is tokenized, so that your systems store a token rather than the card number. Protect the overall network, not just the data: install and maintain the proper firewalls and antivirus software, apply patches promptly, lock up physical files and media that hold cardholder data, and enforce access controls so that only people who need that data can reach it.
Neglecting to Train — and Update — Employees on Cybersecurity
Human error is the cause of almost half of data breaches, according to one study. Losing documents or devices, working remotely on an unsafe network, or falling for a phishing scam are all ways that even the most well-meaning employees can put your data security at risk.
It's important that your employees are regularly trained on cybersecurity best practices such as proper handling and tracking of cardholder data, strong password creation, and how to spot phishing emails.
Bad Tracking Habits
Tracking cardholder data may be tedious, but it’s a crucial component of data security. Not only does it help you backtrack in the event of a breach — tracking can also help you avoid PCI compliance mistakes altogether.
Map the journey of credit card information as it travels through your organization, from each point of entry through every system that transmits, processes or stores it, and record where it ends up and why it is kept there. With thorough tracking, you can identify areas where data could be breached or where PCI compliance is violated, then proactively eliminate those touchpoints or protect them with defense in depth measures.
Get PCI-Validated Solutions for Your Organization
If you accept credit card payments, you are required to maintain PCI DSS compliance. We’re here to help.
Bluefin specializes in PCI-validated point-to-point encryption (P2PE) and tokenization solutions to protect payment and PII/PHI data. With Bluefin’s solutions, sensitive information never traverses your system, so that if a breach does occur, hackers get nothing.
Learn more about our security products or contact us today.