Beauty Store Business

JUN 2014


Issue link: http://beautystorebusiness.epubxp.com/i/308289


48 June 2014 | beautystorebusiness.com

COSTLY FINES

So who makes the rules when it comes to protecting customer data? The big boss here is the Payment Card Industry Security Standards Council (pcisecuritystandards.org) in Wakefield, Massachusetts. This assemblage of credit card associations has been steadily tightening the reins on runaway data by releasing regulations in the form of official standards. The latest iteration—dubbed PCI Data Security Standard, or PCI DSS—further strengthens the procedures that must be instituted by merchants by the end of 2014. (For details, see page 50, "Get More Help.")

If you fail to follow the PCI compliance rules, you may be targeted for damages by your acquirer—the bank that provided your merchant account. Read your contract closely and you'll find that the bank has the power of the purse. "If the acquirer finds that you have been consistently noncompliant, fines can be assessed," says Burnette. "And an actual breach of data can lead to even higher penalties."

The extent of monetary damages depends on the size of the merchant, the size of the breach and the number of cards involved. Penalties have ranged from $10,000 into the six figures and more. Not to be underestimated, either, is the costly hit a publicized breach can have on a merchant's reputation. Many consumers will be reluctant to shop at an establishment where a breach has occurred.

But perhaps the greatest motivation for toeing the line is the threat of losing the merchant account itself. "The card association may take away your ability to accept credit cards at all," says Burnette. "That can be extremely costly to any merchant."

PROTECT YOURSELF

While failure to follow mandated data-protection guidelines is foolish, the good news is that you can take positive steps to minimize risk. Start by drawing up a statement of standard operating procedures for everyone in your organization.

"Make sure you have a clear written policy about how to handle credit cards," explains Burnette. "And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings."

Your operating procedures must address the critical need to keep sensitive customer numbers under wraps. "Where the merchant is most vulnerable is in the accidental mishandling of card information," warns Burnette. "Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice."

Another good rule is to keep the credit card in the hands of the customer as long as possible. "Employees should quickly process the card and return it," says Burnette. "This will keep the card from being accidentally grabbed—or from having its number written down—by someone else."

The right hardware can be as important as the right procedures. Have you been using the same POS equipment for many years? It may be time to replace it. "Some retailers still have legacy equipment that they don't even realize is capturing cardholder information that can be compromised," says Paul Rianda (riandalaw.com), an attorney in Irvine, California. "In contrast, if merchants use newer equipment and use it correctly, there should be no way to lose cardholder information."

Computer systems face special challenges. "You need to establish rules about passwords and about access to the computer system," says Burnette. "Each employee should have a unique security code that he is forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individual's job," Burnette adds.

You should use only hardware and software that has been approved by the PCI Security Standards Council. Approved vendor lists are available at pcisecuritystandards.org. Make sure you are using a firewall, and that your wireless router is password protected and uses encryption. Don't forget to change the default hardware passwords to complex ones.

THIRD PARTY

As the world of electronic commerce has become more complicated, regulations
