With cyber-attacks on the rise, it’s never been more important to protect consumers’ valuable information. PCI Compliance — standards set by major credit card companies — ensures that private cardholder data is kept secure from hackers. In response to the increasing sophistication of cyber attacks, PCI standards are complex and ever-changing.
Regardless of your role in the sports and fitness industry — from managing membership software at your fitness facility, to payment processing for your online store — you need to stay PCI compliant and protect consumers’ data with each transaction. Let’s take a closer look at what you need to do to stay protected.
What is PCI Compliance?
PCI Compliance simply refers to security standards that all companies need to follow if they “accept, store, process, or transmit” credit card information at any point. It’s in place to protect both your company and your consumers from cyber attacks.
These standards are set by the PCI Security Standards Council, a global forum whose ultimate aim is to keep sensitive data safe. The council was founded in 2006 by major credit card companies: American Express, Discover, JCB International, MasterCard and Visa, Inc.
Why Do We Need To Be PCI Compliant?
Data Breaches are Costly
The Ponemon Institute Research Report demonstrated that the average cost of a data breach per company in 2017 was $3.62 million (with the United States having the most expensive data breaches of all). Since then, that number has only increased: an IBM study from 2018 reported that the average cost is $3.86 million, a 6.4% increase from 2017.
Data Breaches Erode Consumer Trust
Aside from the million-dollar price tag for companies, data breaches erode trust between the company and the consumer. In fact, 19% of consumers in a KPMG survey reported that they would stop shopping at a company if it suffered a cyber attack, while 33% said that they would avoid a compromised company for three months.
Data Breaches Hit the Sports + Fitness Industry
Hackers don’t only target huge businesses and major financial institutions. If you’re in the fitness or sports industry, you need to stay compliant — because every business is at risk. Adidas, for example, succumbed to a cyber-security attack in June 2018. And Challenger Teamwear, a sports apparel company, suffered a cyber attack in September of this year.
How do You Become PCI Compliant?
First, you need to recognize whether compliance is necessary for you. If you are at any time, regardless of volume, accepting credit card transactions (from point-of-sale devices, web applications, mobile devices, servers, or even paper storage), you need to ensure PCI Compliance. Although there are many specifics and complexities in the ruling that governs compliance, we’re going to take a look at the PCI DSS v3.2.1, the newest iteration of the PCI Standards that must be fully enacted by January 2019.
1 – Ensure a Secure Network and Systems
First, you need to make sure you have a firewall in place to protect cardholder data. Firewalls are put in place to block criminals from accessing secure networks. Then you need to make sure that you change your default passwords. For example, if your new fitness software started you off with a log-in and password, go ahead and change it to make it more unique and secure.
2 – Protect Cardholder Data
To be PCI-compliant, you need systems in place within your fitness software or sports software to protect cardholder data. Make sure that you’re never storing sensitive information like the data from the magnetic stripe or chip of a card. If you do store data like PAN (Primary Account Number) data, you need to ensure that it’s masked and unreadable with security solutions like cryptography.
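One way to check that stored PANs really are masked, as an added example that is not part of the original article: the Python sketch below scans log lines for digit runs that look like card numbers, confirms them with the Luhn checksum, and masks them. The function names, the sample log lines and the first-six/last-four masking convention are assumptions made for this example.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum; filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Show only the first six and last four digits (assumed convention)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line):
    """Return (line with Luhn-valid PANs masked, number of PANs found)."""
    hits = 0

    def _replace(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()    # not a card number: leave untouched
        hits += 1
        return mask_pan(digits)

    return CANDIDATE.sub(_replace, line), hits


# Constructed sample log lines; the card values are public test numbers.
SAMPLE_LOG = [
    "2018-11-02 10:14:07 signup member=8841 card=4111111111111111 plan=monthly",
    "2018-11-02 10:15:31 renew member=1290 card=5555-5555-5555-4444 ok",
    "2018-11-02 10:16:02 order ref=1234567890123456 shipped",
    "2018-11-02 10:17:45 checkin member=8841 door=2",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        cleaned, found = scrub(entry)
        print(found, cleaned)
```

Any line that reports a hit means cleartext PAN data reached a log or export; masking it on output is a stopgap, and the write path that produced it still needs fixing.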
3 – Encrypt Data Transmission
If you’re transmitting data over open, public networks, the data is more vulnerable to cyber criminals. Therefore, if your customers are using the internet to purchase sports equipment or memberships, ensure that all information is encrypted.
4 – Maintain a Program for Catching Vulnerabilities
Stay on top of security weaknesses or vulnerabilities in your membership software and watch for any lapses in security when it comes to payment processing. Install strong anti-virus software and set up a system of constant maintenance so that you’re never caught unaware by cyber attacks.
5 – Enforce Strong Access Control Measures
According to PCI Security Standards, all access to sensitive information should be set to “deny all,” so that only people on a need-to-know basis can access cardholder data. So unless it’s an integral aspect of someone’s job to access certain sensitive data, they should not be allowed access.
Make sure that everyone who does access data has a unique identification (ID) to do so, so that their activity can be tracked. Make sure that the physical access to sensitive records is restricted and protected as well.
6 – Regularly Monitor and Test Networks
You need to maintain rigorous standards in monitoring and testing all the networks through which you transmit cardholder data. Track and log everything. Test your security systems frequently to ensure they are functional.
7 – Work with PCI Compliant Processors
An easy way to ensure PCI Compliance is to ensure that the payment processor your business uses meets all PCI Security Standards. For example, UP Payments has a state-of-the-art encryption and compliance system in place, which offers tokenization to secure credit card data and restrict fraudulent usage. UP Payments’ Risk Solutions Program ensures your business stays up to date, secure, and PCI compliant.
How do You Become PCI Compliant?
Obviously, we’ve simplified the above steps significantly. However, it’s pretty clear that PCI Compliance requires rigorous standards for security, the newest levels of encryption, sensitive treatment of data, and thorough documentation. Here are the steps you need to take to make it all official:
- Scope – First, you need to figure out which of your networks and system components fall under the scope of PCI compliance (basically, any aspect of your software that uses, stores, or transmits cardholder data).
- Assess – Following PCI’s standards for testing, make sure that each of your components complies with PCI security measures.
- Report – You need to have your security measures documented, using things like the PCI Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC).
- Attest – Complete the Attestation of Compliance (AOC).
- Submit – You need to submit supporting documentation like the SAQ, ROC, AOC.
- Remediate – If you don’t have everything covered, you need to be prepared to remediate, or fix, anything that’s wrong.
Stay Up to Date on the Latest Changes
You might be aware that changes to the PCI Data Security Standard (PCI DSS) took place earlier this year. So by June 30, 2018, you should have adopted the requirements of PCI DSS 3.2. One of the key elements of this transition was the requirement to migrate your security systems from SSL/early TLS to a more secure encryption protocol like TLS 1.1 or higher. This is because SSL (Secure Sockets Layer) and early TLS (Transport Layer Security) have become vulnerable to cyber attacks, and need to be updated.
However, some small updates were made to create the DSS 3.2.1, with relevant companies (i.e. anyone who interacts with cardholder data) expected to fully transition from DSS 3.2 to DSS 3.2.1 by January 1, 2019. Some of these changes are in the following areas:
- Detailed Documentation on cryptography.
- Multi Factor Authentication.
- More strict standards on responding to security failures.
Get Compliant Today
Maintaining PCI compliance protects your consumers from cyber attacks and protects you from incurring the massive financial losses associated with those attacks. Your compliance also protects you from paying the fees and fines (which can be as much as $5,000-10,000) for non-compliance.
Ensuring that your business stays PCI compliant is definitely achievable, and is made easy by partnering with companies and software solutions for your fitness software or facility maintenance that have an in-depth knowledge of PCI Compliance, like UP Payments. Companies like UP Payments, a leader in innovation in the payment solutions industry, know how to apply their in-depth knowledge to the sports and fitness industry and can ensure PCI Compliance for your business.