Beauty Store Business

JUN 2014

For beauty business news, beauty store owners turn to Beauty Store Business. Beauty business trends, beauty business profiles and more!

Issue link: http://beautystorebusiness.epubxp.com/i/308289


Page 51 of 79

50 June 2014 | beautystorebusiness.com

become more demanding. "There are more than 255 individual requirements for PCI compliance," says Burnette. "All of them have to be met. There is no wiggle room."

Little wonder that merchants are sidestepping the requisite procedures by farming everything out to third-party organizations. "Offloading responsibility to a third party is a good solution," says Don Hartley, a consultant with Tata Consultancy Services (tcs.com) in Savannah, Georgia.

Don't get trapped, though, by a false sense of security. You can outsource the operational duties for carrying out PCI compliance, but you cannot outsource your responsibility for protecting customer information. If something goes wrong, you will be assumed guilty.

To protect yourself from fines and penalties, make sure your contract specifies the third party's responsibilities for setting up and maintaining computer systems that comply with PCI standards. You should also ask the third party to provide an annual "PCI Report on Compliance" signed off by a qualified security assessor. This should be done once a year. Both these steps will help protect you if the third party violates regulations.

NEED TO KNOW

Many of the protective steps suggested in this article come from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need. "Follow the rule that says 'If you do not need customer information, you should not keep it,'" advises Burnette.

Education is the first step to safety. Many smaller merchants are neither aware of the duty to protect customer data nor of the continually morphing rules. Ignorance of the law, as always, is no excuse.

Taking the basic steps in this article will reduce your risk considerably. Says Burnette: "Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant." ■

Phillip M. Perry is a New York City-based freelance writer.
Get More Help

Retailers who fail to protect their customers' credit card data are playing with fire. "If you make a mistake you may incur penalties of hundreds of thousands of dollars—or even millions—depending on how many cards were compromised," says Paul Rianda (riandalaw.com), an attorney in Irvine, California. He points to the experiences of two recent clients: A card association pulled $600,000 out of the account of one merchant who was hacked. A second merchant—a sports-apparel retailer—was fined $13 million.

The adjacent article presents some common operational guidelines to protect yourself from loss. Additionally, seek the guidance of your attorney, your bank and your security adviser.

You can find more information about PCI (Payment Card Industry) compliance from the website of the PCI Security Standards Council at pcisecuritystandards.org. Click on the "For Merchants" button and read the helpful articles. Click on the "PCI Standards & Documents" button and the "Documents Library" to access the latest iteration of the PCI Data Security Standard, PCI DSS v3.0.
