In the last article on PCI compliance (see PCI compliance 101 – March newsletter) we talked about needing to keep your PCI compliance house in order. In this article we take a look at some of the complexities of the process.
The requirements to protect credit card information span people, processes and technology. Let’s look at each of these angles. Even if you don’t use computers or the Internet to process credit cards, cards can still be “skimmed” in your store with a small battery-operated credit card reader, via a cell phone picture of the card, or with an imprint on a piece of paper. Or let’s look at the processes angle. Perhaps you have a process to print out (or save as PDF) batches of credit card postings or credit transactions. Then you have a backup process to take your important files offsite. Suddenly your processes have exposed you to credit card theft at another location. And with technology, you’ve probably granted someone from tech support remote control of your computer, but what if someone has the ability to control and steal from your computer without you knowing? Uh-oh!
The PCI compliance process is not a beginning – middle – end effort. It requires constant effort and vigilance to keep up with threats coming from different angles.
Are the compliance instructions specific and vague at the same time? In the next article we’ll look at how the requirements can be interpreted and ways to save big dollars on a successful compliance program.