How do I protect customers’ credit card details?
Q: My business has been selling fashion accessories online for three years and we have never had any major problems with protecting our customers' credit card information. However, I want to make totally sure we're not breaching the latest PCI standards. What are the risks my company faces if we are found to be in breach of the guidelines, and what can I do to ensure compliance?
Jonathan Gale, CEO, NewVoiceMedia answers:
In March 2011, the Security Standards Council issued new guidance on the Payment Card Industry Data Security Standards (PCI DSS), which states that a business should handle and store customers' credit card information in such a way that it is no longer accessible post-purchase, to avoid fraud. Given that your business is primarily web-based, it's crucial that you use an established payment platform (such as Verified by Visa) to securely handle the entire transaction, as well as the storage of credit card information.
But if you also handle credit card payments from customers over the telephone, for example to process returns, then like many UK businesses, you could be at risk of failing to meet the PCI guidelines. Security has been tightened recently to reduce fraud through face-to-face and e-commerce transactions, with tools like Chip and PIN and Verified by Visa, so criminal attention has turned to telephone sales, which are considered more accessible to fraud. Failure to adhere to the PCI DSS guidelines for phone card transactions is leaving many businesses vulnerable to fines, fraud and data breaches. The penalties are high – merchants can be penalised up to £125,000 per breach plus additional charges per account reissued, and have their services suspended. Moreover, the damage to brand reputation and adverse PR will have a long-term impact on customer confidence long after the fraud has ended.
With cloud computing solutions, the entire transaction process can be automated to remove the human element and reduce the risk of agent fraud. Call recordings can be managed to ensure that sensitive card information is stored in a manner which cannot be accessed at a later date, but still complies with FSA standards. Callers are presented with an interactive voice response (IVR) option so they can provide their card details securely via their telephone keypad. The customer's information is processed automatically and securely throughout the payment.