If Your Company is not Fully Compliant with Payment Card Industry Security Standards (PCI SS), You Could be at Risk of a Serious Tangle with Attorneys.
Avoid These Mistakes to Keep Your Company Safe:
1. Storing Cardholder Data in Noncompliant Programs
Many states have laws regarding data breaches and, depending on where you accept cards, you may be subject to many of them. Massachusetts has 201 CMR 17.00, which requires companies keeping any personal data from its residents to prepare a PCI-compliant plan to protect that data. If a company fails to maintain that plan, the business may face state prosecution.
2. Fibbing on the Self-Assessment Questionnaire
If you have considered tampering with the reports from your company’s Approved Scanning Vendor, think again. Time invested now in fixing any holes in your data security system could save you big-time from the penalties your company could suffer if there’s ever a data breach. The same thing applies to just “fudging the truth” on self-prepared compliance reports. Even if you think it’s a simple stretch of the truth, don’t do it.
3. Not Using the Right Qualified Security Assessor
Many companies use Qualified Security Assessors to help them maintain their PCI compliance. Every QSA does not necessarily know as much as another, however. It’s important to select someone who both understands your business and stays up-to-date on the latest version of PCI Security Standards.
4. Trying to Resolve Data Compromises Under the Radar
You may be tempted to fix a customer’s complaint yourself if they inform you of a data compromise. Not advising credit card companies of data breaches, however small, can lead to you no longer having access to their services. Those credit card companies can then file suit against your company, costing you big bucks in the end.
5. Not Checking ID for Point-of-Sale Credit Card Use
Sometimes it seems like no one checks IDs against credit card users, so merchants tend to be lax about doing so. Running just one unauthorized credit card could cost you a lot in the long run. Even if the state in which you do business does not have specific laws regarding PCI compliance, a civil suit may come against your company for any data breaches. The court will not favor you if you haven’t been PCI-compliant. All in all, it pays to pay attention to PCI compliance – a little time vested today could save you significant time tomorrow.