We often get calls from customers asking "Am I PCI compliant?" The only honest answer RMS or any technology provider can give is "We don't know." PCI compliance covers much more than the solutions we provide. Our POS products do meet the Payment Application Data Security Standard (PA-DSS), the global standard for payment software published by the Payment Card Industry Security Standards Council (PCI SSC), but PA-DSS validation of the software is only one piece; many of the remaining requirements concern how you run your business, and only you can control them.
Do you have a documented security policy, and do your employees get refresher training on that policy every year? These two questions are part of the Self-Assessment Questionnaire (SAQ) that your credit card processor requires you to complete annually (the quarterly requirement is for external vulnerability scans, where they apply to you, not the SAQ).
Do you require each employee to use a unique username and password for access to the POS, or do you let everyone share a login? Unique accounts are not only the best practice for holding individuals accountable for actions taken in the system; they are also an explicit PCI requirement, and a shared login is one of the quickest ways to fail an assessment.
And now for the scary one...
Do you store credit card information in an unprotected manner so you can keep a customer's "card on file"? In an effort to provide better service, you may have chosen to write down a customer's card number and expiration date somewhere so that information can be used to tender future transactions. Often, this "somewhere" is a document on a computer, a free-text field in your pharmacy or POS system, or even an index card in a box sitting on the counter. Every one of those places puts full card numbers in scope for PCI and within reach of anyone who can get at that file, field, or box.
If you answered yes to the last question, you may not be aware that RMS has an option that lets you eliminate this practice and the risk it presents. A cloud service called Payware Connect* by Verifone integrates tightly with the RMS system to support a process referred to as tokenization. Payware Connect lets you request an identifier (a token) that stands in for the customer's credit card. The token is associated with the customer record in the POS system, and future transactions are tendered to that token without the card being present. The benefit is that the card number itself is never stored on your systems; only the token is saved in RMS, and the card data stays with the payment provider. The token is also unique to your merchant account, so even if it is stolen it cannot be used to charge the card anywhere else. One caveat: because the token can still be used to run charges through your own account, access to the customer records that hold it should be limited to the staff who need it, which is another reason for the unique logins above.
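To make the properties above concrete, here is a small simulation of card-on-file tokenization. It is an added example, not Payware Connect, Verifone or RMS code; the names TokenVault, issue_token, charge and CustomerRecord are assumptions for illustration. The vault stands in for the provider side and is the only place the card number lives; the POS record holds a random token plus the last four digits and expiry for display; and a charge with that token from a different merchant account is refused with the same answer as an unknown token, so a leaked token gives an attacker nothing to use elsewhere.

```python
"""Card-on-file via tokenization, as a constructed simulation.

Added example, not Payware Connect, Verifone or RMS code. The vault below
stands in for the provider-side service (off the merchant network); the
POS side keeps only the token and display metadata, never the card number.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Provider-side vault: token -> (merchant account, card number)."""
    _cards: dict[str, tuple[str, str]] = field(default_factory=dict)

    def issue_token(self, merchant_id: str, pan: str, exp: str) -> dict:
        """Store the card and return a token plus display-safe metadata."""
        # The token is random, not derived from the card number, so it
        # cannot be reversed or brute-forced offline.
        token = secrets.token_hex(16)
        self._cards[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> dict:
        """Charge a stored card; only the issuing merchant may use the token."""
        entry = self._cards.get(token)
        if entry is None or entry[0] != merchant_id:
            # Unknown and foreign tokens get the same reply: no oracle
            # that tells a thief which tokens exist in the vault.
            return {"approved": False, "reason": "invalid token"}
        _, pan = entry
        # A real provider would authorize with the card network here.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


@dataclass
class CustomerRecord:
    """What the POS keeps: a token and display data, never the card number."""
    name: str
    card_token: str
    card_last4: str
    card_exp: str


def store_card_on_file(vault: TokenVault, merchant_id: str,
                       name: str, pan: str, exp: str) -> CustomerRecord:
    """Tokenize once; the card number is not retained by the caller."""
    meta = vault.issue_token(merchant_id, pan, exp)
    return CustomerRecord(name, meta["token"], meta["last4"], meta["exp"])


def demo() -> dict:
    """Walk through issue, own-merchant charge and foreign-merchant charge."""
    vault = TokenVault()
    pan = "4111111111111111"           # standard test number, constructed data
    rec = store_card_on_file(vault, "merchant-A", "J. Doe", pan, "12/26")
    own = vault.charge("merchant-A", rec.card_token, 2599)
    other = vault.charge("merchant-B", rec.card_token, 2599)
    return {
        "pan_in_pos_record": pan in vars(rec).values(),
        "own_merchant_approved": own["approved"],
        "other_merchant_approved": other["approved"],
        "stored_last4": rec.card_last4,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In a real deployment the card is read by the payment terminal and sent to the provider, and only the token comes back to RMS; the simulation collapses that into a single call so the ownership check and the absence of the card number from the POS record are easy to see.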
Unfortunately, the road to PCI compliance is neither easy nor a one-time journey. It is often confusing and costly, and it takes up time that is already in short supply. The questions above represent the most common areas where we have seen businesses fail to meet the requirements, but they are also the easiest to correct: write the policy and train on it yearly, give every employee their own login, and get card numbers out of documents, free-text fields and card boxes. Take the time today to look at your processes and make those corrections. Only you can make your business PCI compliant.
Let me hear from you: have you had issues with credit card risk, and how have you dealt with them?
* Payware Connect is a subscription service offered by Verifone; the monthly price varies with your credit card processing volume. For more information about tokenization and Payware Connect pricing, please contact RMS at 360-438-8276.