By Ian Lavis on behalf of Praxity Global Alliance
Failure to provide adequate payment card security could be costly for your organisation in more ways than one.
Poor online security doesn’t just put your company at risk of a cyberattack; it also means your business could fall foul of the credit card companies themselves.
Major card brands including Visa, Mastercard and American Express have a set of cyber security rules for merchants to abide by.
Organisations that fail to comply with these Payment Card Industry (PCI) guidelines risk hefty fines, loss of business and damage to reputation.
Fortunately, help is at hand from cyber security experts in accounting firms who can assist merchants to shore up their defences and achieve PCI compliance.
Rex Johnson, Cybersecurity Director at US accounting firm BKD CPAs & Advisors, says security specialists in accounting firms can help mitigate risk and provide peace of mind for consumers.
As a Qualified Security Assessor (QSA), Rex is certified to help companies understand the checks they need to do, and the vulnerabilities they need to address, to achieve PCI compliance and protect against cyberattack. “By not having these checks done, organisations are running a higher risk of their customers’ credit card data being compromised,” he explains.
The financial impact of non-compliance can be substantial. “It is not illegal to be non-compliant but card companies have the right to impose penalties ranging from $5,000 to $10,000 a month starting out,” Rex says. “The worst-case scenario is if one of the card companies tells a merchant it is no longer authorised to accept a particular card as a method of payment. If this happens, consumers are going to take their business elsewhere.”
Why you need to be compliant
The importance of PCI compliance should not be underestimated. Online payment is booming but the rise of e-commerce has spawned an increase in fraudsters targeting companies and individuals with inadequate security measures in place.
Credit cards are the most popular items sold on the dark web, although stolen cards now sell for as little as $1 each. More sophisticated cyber criminals are increasingly targeting Card Not Present (CNP) transactions – the primary method for e-commerce payment – where no card actually changes hands.
Global estimates for e-commerce fraud losses range from $25 to $40 billion, according to Accenture’s finance and risk blog.
To help fight the rising tide of cybercrime, the largest card brands got together in 2006 to launch the Payment Card Industry Data Security Standard (PCI DSS) – a broad set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment. The standards are managed by the PCI Security Standards Council (PCI SSC), an independent body launched by the major card brands.
The PCI SSC warns that a breach or theft of cardholder data affects the entire payment card ecosystem. It says: “Customers suddenly lose trust in merchants or financial institutions; their credit can be negatively affected – there is enormous personal fallout. Merchants and financial institutions lose credibility, and in turn, business. They are also subject to numerous financial liabilities.”
Companies that fail to comply risk substantial losses. The PCI SSC lists the potential liabilities as:
- Losses from fraud, legal costs, settlements and judgements
- Fines and penalties
- Lost confidence resulting in lost customers and diminished sales
- Lost jobs of senior people such as CISO, CIO and CEO
- Cost of reissuing new payment cards and subsequent compliance
- Termination of ability to accept payment cards
- Going out of business
How to achieve compliance
It makes sense to be compliant, not just to avoid losses but to protect against cyberattack. The measures you need to implement will depend on how many transactions your organisation handles.
There are four levels of compliance:
- Level 1 – Over 6 million card transactions per year
- Level 2 – Between 1 and 6 million transactions per year
- Level 3 – 20,000 to 1 million transactions per year
- Level 4 – Fewer than 20,000 transactions per year
All levels except Level 1 must complete a self-assessment questionnaire (SAQ) and, depending on how they process payment cards, may also require a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV). Level 1 merchants are required to have a Report on Compliance (ROC), which must be performed by an external QSA company. Level 1 merchants must also have the quarterly vulnerability scans from an ASV.
Among the items reviewed in a PCI assessment is how the payment card information itself is protected. This means the card number is masked when stored or when printed on a receipt, showing only the last four digits of the card. Other controls include good segregation of duties, so that only those with a business need have access to the card processing environment.
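As an added example (not from the article, and not BKD’s or the PCI SSC’s own code), the snippet below masks a card number to its last four digits and scrubs any Luhn-valid card number out of a receipt or log line, so that non-card numbers such as order references are left alone. The card number used in the comments is a constructed, well-known test value, not a real card.

```python
import re

# Matches 13-19 digits with optional single spaces or dashes between them,
# the length range of real primary account numbers (PANs).
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_last: int = 4) -> str:
    """Mask a PAN so only the last four digits remain, as PCI DSS expects
    for stored records and printed receipts.

    Constructed test value: '4111 1111 1111 1111' -> '************1111'
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return "*" * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (a receipt line, a log entry)
    with its masked form. Digit runs that fail the Luhn check, such as order
    or invoice numbers, are left untouched to avoid over-masking."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_PATTERN.sub(_sub, text)


if __name__ == "__main__":
    # Constructed sample receipt line; the card number is a standard test PAN.
    print(redact_pans("Card 4111-1111-1111-1111 approved, order 1234567890123"))
```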
Even while maintaining PCI compliance, there are things that organisations can do to help further reduce their payment card risk.
“Several have moved to a model that sends the card information directly to the payment processor, meaning the card information is not stored on databases on premises. When recurring payments are required, tokenization can provide a means to allow companies to continually process these transactions without requiring the organisation to store the card number. Some of these methods can reduce the scope of a PCI assessment, allowing these to be completed more efficiently,” Rex explains.
It’s important to realise that PCI compliance is a continual process: assessing to identify vulnerabilities, fixing them, eliminating cardholder data storage where it is not needed, and reporting to the appropriate acquiring bank and card brands.
The PCI SSC points out: “Many organizations treat compliance as a one-time, annual event. But only focusing on an annual compliance assessment can create a false sense of security. Forensic investigators have discovered that security controls deployed by organizations that had passed an assessment were often out of compliance when breaches occurred at a later date.”
To ensure you take the right steps towards compliance, Rex Johnson stresses the importance of working with QSAs and ASVs certified by the PCI Security Standards Council.
One option is to work with certified accounting firms within Praxity Global Alliance, the world’s largest alliance of independent accounting and consulting firms.
BKD and other QSA- or ASV-certified firms work together to share expertise and best practice to help clients achieve PCI compliance wherever they are in the world.
“Praxity provides a forum where Partners and MDs get together and share information,” Rex adds. “When we have a client that has a need for an ASV, for example, we will reach out to a firm within the Alliance offering that service.” This allows merchants to access all the help they need to achieve compliance from just one point of contact.
With cyberattacks rising in number and scale, it’s not only advisable that merchants work towards PCI compliance, it’s essential if they are to avoid potentially substantial losses and damage to reputation. Your accounting firm can point you in the right direction.