PCI compliance is on the lips of every business owner who accepts credit card payments.

There are no magic bullets, unfortunately, to achieving compliance. One must be aware of the data-related security needs, as well as the physical needs of data security we discussed previously. However, being PCI compliant does not necessarily mean one is safe from attacks. As recently pointed out in Supermarket News, a compliant supermarket chain recently saw their data compromised through the introduction of malware on their computers.

The question must be asked, then: what do I do to not only be PCI compliant, but to actually protect data from theft? The short answer is, understanding. There was a time when business owners did not necessarily need to understand how data was stored or maintained, or how potential vulnerabilities could be exploited. Management of technology was left to those few who understood how the network worked, or, in some cases, an employee who exhibited proficiency with current technology. The time when business owners could ignore the influence of technology has passed and, now, not understanding how such a significant portion of your operations functions is tantamount to surrendering control of your business to those who do.

How does your network operate?

The first step in understanding and, further, securing the data moving through your business is to understand how your business’s network operates. The network itself is simply shorthand for the communication that occurs between computers. Generally, there will be a server, a computer that is more powerful than the others and is dedicated to processing credit cards and running the software that makes everything else work. This computer receives and distributes information to the other computers and/or terminals via the network. Network security is too big an issue to effectively address here, but, suffice it to say, those lines of communication between server and ancillary terminals/computers, and the server’s subsequent communication with the internet, must be protected. If you want to pursue the specifics of how your network operates, talk to your information technology administrator or contact your software or hardware dealer, and ask some questions!

Know your software

Also, know the software that is running in your business. Know the brand, know its basic programming functions, know how it transacts credit card data. You may have employees dedicated to maintaining your data infrastructure, but understanding the fundamentals of what these employees do gives you, at minimum, a common language to discuss any potential problems. For example, if you operate a restaurant and use POSitouch, it simplifies matters if you understand that a program called spcwin.exe is what makes the rest of the terminals operate. You may decide to learn everything you can about the software you’ve purchased, and that is certainly a worthwhile goal, but even understanding the core basics can give you the ability to determine potential security issues. Knowing how the data flows, how it is stored and how it is ultimately resolved makes you more than PCI-compliant – it means that you can anticipate data breaches because you understand where and how potential data leaks can occur.

Obviously, you, as the owner or manager, have a business to run, and no one is expected to understand every detail of the technology operating in the business (unless they are hired to do just that!), but taking the time to understand the fundamentals gives you a command of your business that few owners have. With technology integrating further into every aspect of operations, knowing a little now can inform decisions later, and, most importantly, allow you to manage your business more effectively and securely for your customers.
