Data security is a matter of particular concern when financial transactions are involved. Financial data are more vulnerable to cyber attacks and data breaches caused by security non-compliance in the information system. The majority of transactions are routed through credit cards, debit cards and online payment modes, which makes these systems highly vulnerable and easily exposed to attackers. Companies from the payment card industry, including VISA, MasterCard, American Express, Discover and other private labels, created a common security standard for securing sensitive data and preventing credit card fraud.
Security compliance is validated by an external Qualified Security Assessor (QSA) for large transaction volumes and by a Self-Assessment Questionnaire (SAQ) for small transaction volumes. These security organizations ensure that merchants maintain a minimum level of security when they store, process and transmit cardholder data. There are 12 PCI compliance requirements, as formulated by the Payment Card Industry Security Standards Council (PCI SSC). Merchants are then segmented into four levels of PCI compliance depending on the volume of credit card transactions per annum. PCI Compliance Level 1 applies when Visa and/or MasterCard transactions exceed 6 million per annum. PCI Compliance Level 2 applies when Visa and/or MasterCard transactions are between 1 million and 6 million per annum. PCI Compliance Level 3 applies when Visa and/or MasterCard transactions are between 20,000 and 1 million per annum. PCI Compliance Level 4 applies when Visa and/or MasterCard transactions are below 20,000 per annum, and when transactions on other cards are below 1 million per annum. Level 1 companies are subject to a yearly review by an internal auditor and a network scan by a PCI DSS Approved Scanning Vendor. Level 2, 3 and 4 companies have to complete the SAQ annually and undergo a network scan by an Approved Scanning Vendor.
Credit card transactions are most prevalent in B2C businesses such as the hospitality and retail industries. Regarding the PCI compliance process for hotels, the American Hotel & Lodging Association has stated that the hospitality industry accounts for around 55% of total credit card fraud complaints. 80% of data breach cases have been identified at Level 4 merchants. Many hotels and resorts run legacy systems, because the software and information technology infrastructure they installed and used over the years is now outdated. These systems cannot encrypt cardholder data and keep it secure, and so are not capable of complying with PCI standards. It should be made compulsory for all hotels, resorts and spas to update their existing information systems in order to comply with PCI standards. Hotels, resorts and spas should carry out an audit with the help of their software vendors to find out whether their process for securing data complies with PA-DSS (Payment Application Data Security Standard) or not. This certification demonstrates the merchant's commitment to their clients' data security. The most fundamental check of whether the system complies is whether it automatically logs out after 10 minutes of inactivity. Cardholder data should be masked so that only 4 to 6 digits appear wherever the system displays it. Data or card verification codes should be encrypted within the database. For a data security process for PCI compliance to succeed, it must be followed completely from the top to the bottom of the company hierarchy. Better compliance means better service to cardholders and greater reliability, which will lead to more business.
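One concrete way to audit the masking requirement described above is to scan the records a property-management system writes (logs, exports, database dumps) for card numbers that still appear in the clear. The following is an added example, not code from the article or from any vendor: the log lines are constructed, the card numbers are well-known test numbers rather than real accounts, and the digit-grouping pattern and "last four digits visible" masking are assumptions chosen to fit within the 4 to 6 digits the text permits.

```python
import re

# Constructed sample records standing in for a hotel property-management log.
# The card numbers are standard test numbers, not real accounts.
SAMPLE_RECORDS = [
    "2024-03-01 12:01 guest=A.Smith room=214 card=4111111111111111 status=authorised",
    "2024-03-01 12:02 guest=B.Jones room=118 card=************4444 status=authorised",
    "2024-03-01 12:03 guest=C.Lee   room=305 card=5500 0000 0000 0004 status=declined",
    "2024-03-01 12:04 guest=D.Kim   room=402 ref=1234567890123 status=checked-in",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Used to separate real card numbers from other long numeric fields
    (booking references, invoice ids) that would otherwise be false positives.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, visible: int = 4) -> str:
    """Mask a PAN so that only the last `visible` digits remain (assumed policy)."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - visible) + digits[-visible:]


def find_unmasked_pans(record: str) -> list:
    """Return every Luhn-valid card number that appears unmasked in one record."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(record)
            if luhn_valid(re.sub(r"\D", "", m.group(0)))]


def audit_records(records) -> list:
    """Return (record_index, masked_pan) for each unmasked PAN found.

    Only the masked form is kept in the findings so the audit report itself
    does not become another copy of cardholder data.
    """
    return [(idx, mask_pan(pan))
            for idx, rec in enumerate(records)
            for pan in find_unmasked_pans(rec)]


if __name__ == "__main__":
    for idx, masked in audit_records(SAMPLE_RECORDS):
        print(f"record {idx}: unmasked card number found, should read {masked}")
```

Records 0 and 2 are flagged (a plain and a space-grouped PAN), record 1 is already masked, and the 13-digit booking reference in record 3 is ignored because it fails the Luhn check.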