Blog

You hear about them all the time — credit card data security breaches in Yahoo, Target, LinkedIn, and other large, established companies that serve millions of people. Surely with so many users, one can assume that they have the biggest targets on their backs when it comes to hackers.

In reality, it’s the opposite.

Myth: Big businesses are more likely to get hacked.
Reality: Small businesses are more vulnerable than big businesses, making them the perfect victims of hackers.

Oftentimes, a hacker’s goal is to steal credit card info not to commit fraud themselves, but to sell it to distributors that produce fake credit cards with those numbers. Some hackers may challenge big businesses, but the everyday hacker knows that small businesses are the easier targets, as they don’t always have the knowledge needed to properly secure their information. Sometimes, these businesses don’t even know they’ve been hacked, and the attack is left unreported.

Understandably, understanding the best security solutions can be complicated. That is why the Payment Card Industry Security Standards Council was formed — to guide and educate businesses to better protect themselves from security threats. So, if you run a small or medium-sized business, it’s imperative that your security is PCI compliant.

WHAT IS PCI COMPLIANCE?

PCI Compliance refers to upholding the standards set forth by the Payment Card Industry Security Standards Council. This includes properly guarding stored credit card data with encryption, which converts information into a code that is difficult to decipher for intruders.

Though there is no official “badge” indicating PCI compliance, as more security breaches happen every year, credit card companies may be obliged to issue mandates for them. Getting your business PCI compliant will get you ahead of the game, and encourages confidence and trust in customers who become wary after just one violation of privacy.

If your business accepts credit cards, you’re obligated to be PCI compliant regardless. Otherwise, you may be fined $5,000 to $500,000, depending on the offense, and as a small or medium-sized business, you’ve got more to lose. With just one fine, you could be blacklisted on Visa or MasterCard sites, never able to accept credit cards again, or put entirely out of business.

WHAT IS NOT PCI COMPLIANCE?

Businesses foregoing PCI compliance oftentimes do so because they feel their method of storing sensitive information like credit card numbers is “secure” enough with a password. With personal computers and online accounts all following more or less the same login process (a password of some sort, sometimes coupled with an authentication question), it’s not a surprising sentiment. But even if you may choose to exercise the password protection feature in Quickbooks, passwords are not PCI compliant. With just a password, there is only one thin wall of protection to bypass before reaching your customers’ private credit card numbers. Not only hackers but disloyal employees are absolutely capable of breaking down this wall. More needs to be done.

Luckily, businesses can easily become PCI compliant by using tokenization, encryption, and PCI compliant payment modules that act more than just an inferred seal of approval.

HOW TO BECOME PCI COMPLIANT

Point-to-Point Encryption

Point-to-Point encryption, or P2PE, is a payment security solution that encrypts credit and debit card numbers, protecting against hacking and fraud and allowing payments to process faster. It is a standard set for PCI Compliance, unlike End-to-End encryption, or E2EE. When a card is used, the numbers are encrypted instantly in a code that is unreadable to everyone, then sent to a secure online vault. If there is ever a need to go back to a previous transaction, you can use a token, a string of numbers generated to label transactions while keeping the customer’s card information unseen. Furthermore, you will not be held responsible for security breaches or resulting fines — it’s the P2PE provider’s duty to keep you safe.

Payment Modules

Payment modules are online card payments methods. While convenience is one factor in implementing payment modules, they also protect against potential security threats from both outside and inside company. If for whatever reason an employee goes rogue, they will not have access to any sensitive credit card information because everything is encrypted and stored in an online vault, not on a computer or server.

—–

The number of businesses falling victim to a security breach rises every year. Don’t become one of them — become PCI compliant.

If your business accepts credit cards, you will likely need to store credit card numbers for the convenience of your customers performing repeat transactions. However, choosing the right security method is a daunting task with its technological jargon and various available options. PCI compliance guidelines do help somewhat in navigating the process, but understanding what they’re asking for and why is essential in making the right decision.

WHAT IS TOKENIZATION?

Tokenization is the substitution of confidential data with a randomly generated symbol, or token, that has no meaning or value. It is typically used for static data like credit cards or social security numbers, and is a strong candidate for small databases that don’t require sending and receiving data. However, once your business scales and the amount of information you must protect grows, tokenization alone isn’t your best option.

WHAT IS ENCRYPTION?

Encryption is the transformation of information or data into an unreadable code to allow authorized parties to view and prevent unauthorized intruders from viewing. It is best for businesses with larger databases and third parties because it uses an encryption key that keeps the information decipherable only to the keyholders.

To protect credit card data and become PCI compliant, numbers must be properly encrypted. There are two ways to encrypt data: end‑to‑end encryption and point‑to‑point encryption.

END-TO-END VS. POINT-TO-POINT

End-to-end encryption, or E2EE, encrypts data from one end to the other. Both parties (for example, your business and your customer) are the only owners of the keys able to decipher the encrypted information, similar how two friends may make up a secret language that only they understand and have a “language dictionary” for.

Since there are only two parties that hold the keys that presumably have a high level of trust in each other, there is less of a chance that another party decrypting the information. However, if either key (i.e. language dictionary) were to get stolen and fall into the wrong hands, the thief would be able to use it to decrypt the information. If the key is stolen on the business’s side, you would be held responsible.

On the other hand, Point-to-point encryption, or P2PE, is a subset of E2EE. When a card is used through a P2PE solution, the numbers are immediately encrypted at the first point of interaction. The new encrypted code is then sent to a secure vault to be decrypted back to the original numbers, then sent to the applicable bank to confirm.

Instead of allowing the business to hold an encryption key, it is a third party P2PE provider that holds the keys. This puts the responsibility to manage and protect credit card data on the provider the moment a card is used, which is more difficult to steal and takes the burden off the business’s shoulders, allowing you to take a more hands-off approach to security while knowing that you are in good hands. The customer is essentially giving your business a sealed envelope to send to a trained professional you trust to handle. Meanwhile, the business is able to focus on the product rather than guarding and managing secret codes.

The rub is that once you’ve decided on a provider, it isn’t easy to change as most providers only offer one P2PE solution. Because changing equipment to support a different provider can become expensive, you’ll want to weigh your options wisely and choose the solution that’s best for you.