Wednesday, July 27, 2011

Did your customer just make you non-compliant with PCI guidelines?


The convenience and ease with which technology connects us may open the door to inadvertently exposing your organization to violations and PCI audits.  If, for example, a customer sends their credit card information to you in an email or through some other social medium, that should send up red flag warnings.  You absolutely cannot process the transaction.

According to Walter Conway, “If you do, then your company’s email servers, cell phones, web browser caches, Twitter, and Facebook accounts are all subject to a PCI-DSS audit.”

Refusing the transaction is not good for business, but accepting it means that everything in the communications channel is now handling cardholder data and must be compliant.

Worse yet, because much of this communication is not encrypted, what happens if that card information is compromised?  You now have a post-breach situation with notification requirements and regulators looking for your Written Information Security Plan (WISP).  Fines are sure to follow, but what about the loss of that customer, and of others who now look at your company as a liability?

Better to refuse the transaction and explain the gory details to the customer rather than risk the alternatives.  Dolvin Consulting works with Cyber Security Auditors and Administrators (CSA2) to help you prepare.  Contact us to discuss how we can help protect your reputation and bank balance.
