PCI Compliance and Your Club Management Software

May 14, 2014

Fraud and identity theft are on the rise. The Federal Trade Commission received more than 1.1 million complaints of fraud and identity theft in 2013, totaling more than $1.6 billion in stolen assets. The vast majority of these cases stem from data breaches associated with credit cards.

The credit card industry, led by Visa and MasterCard, developed the PCI Security Standards Council (2005) to set security standards that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This standard, Payment Card Industry (PCI) Data Security Standard (DSS), was launched in 2005 and recently revised, November 2013, to meet the needs of securing the credit card industries changing environment. This standard provides a comprehensive set of requirements for enhancing payment-account data security.

Today, companies affected by the PCI standard are required to conduct a variety of validation activities, including quarterly vulnerability scans, a self-assessment questionnaire, or an onsite review by an independent third party qualified security assessor, depending on the number and types of transactions conducted by the companies. Addressing PCI compliance is not just a matter of avoiding noncompliance fines, it is about good business: reducing risk, enabling delivery of services over an increasing range of customer channels, and maintaining the trust of customers and business partners.

Benefits of PCI compliance
While some may complain at the requirements for PCI compliance, organizations that have implemented the guidelines have realized the benefits compliance can provide. In addition to creating a trustworthy reputation, customers will be more confident in doing business with these companies.

PCI standards help lower the risk of a group becoming a victim of a data breach. These instances can be embarrassing and costly for an establishment, as each incident can result in fines as high as $500,000 per month. The first step in becoming a PCI compliant organization is for administrators to investigate the requirements in place for their business. Standards can vary depending on what payment card content is dealt with, so it is in executive decision makers’ best interest to do their homework.

The Payment Card Industry Council requires implementing encryption of cardholder data in transmission. This can be achieve using an SSL certificate, which provides the optimum level of website security. In this way, transactions completed over online portals have the best-in-class protection against threats.

The PCI standard accounts for different transaction volumes, payment channels, and level of exposure across companies. The PCI standard lays out 12 specific security areas of responsibility with which companies must comply. These areas are:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Protect all systems against malware and regularly update anti-virus software or programs.
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need-to-know
  • Identify and authenticate access to system components.
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security

To most IT/security professionals, many of these regulations seem like straightforward commonsense. However, many organizations have trouble complying. Most data breaches occur when a merchant or service provider stores sensitive information on a card’s magnetic stripe in violation of the PCI standard. This makes compliance critically important to your enterprise.

While PCI DSS certainly is comprehensive, the list of 12 areas of responsibilities leaves 12 possible points of failure. Fail one requirement and you fail them all. This “all-or-nothing” approach is both a curse and a blessing. The benefit: enforcing compliance with each of the 12 areas of responsibilities ensures the most secure possible transmission of data. The pitfall: especially for smaller companies, total compliance with the standard can take time and resources to achieve.

The way the standard works now, a merchant or service provider that satisfies 99 percent of the requirements would still receive a failing grade. With this in mind, many experts predict a significant number of organizations may in fact never comply.

In order to prove compliance, payment card organizations require the use of qualified data security companies (QDSCs) to perform an onsite audit review. MasterCard and Visa have established a certification program for vendors to become QDSCs, as well as a program authorizing companies to provide qualified scanning services. These two credit card giants also offer certification programs that train qualified data security practitioners (QDSPs) who perform testing and other security work.

These organizations often offer additional value-added services such as best-practice security assessments, compliance-readiness reviews, system deployment and training, systems integration, and other security and network-related services. In many cases, businesses also can help themselves by purchasing sophisticated security equipment, configuring it to minimize risk, and implementing a host of policies and procedures that comply with the latest data security standards.

ABC Financial

ABC Financial leads the health and fitness industry in software and payment processing solutions. We have one goal: to maximize our clients’ revenue. Our industry knowledge and innovation reflect our 33 years of experience. Today we are the choice of over 4,800 North American health clubs.

Our DataTrak health club management software reflects our dedication to cutting-edge technology in its speed, comprehensiveness, innovation, and security. We’re constantly enhancing our software as a part of our commitment to unparalleled service and to our clients’ bottom line.

If you want your business to thrive with the most advanced club management software, comprehensive payment processing, customer service second-to-none, and customized marketing solutions, choose ABC Financial.