There is perhaps no greater source of acronym soup in the collections industry than when it comes to dealing with credit and debit card processing requirements. The letters combine into unpronounceable words, but they are as important as any other aspect of operating a successful collections agency.
Navigating the alphabet soup of requirements is a difficult task for even a seasoned industry veteran. BillingTree, a payments provider, hosted a webinar yesterday that aimed to help companies, including collection agencies, with understanding the fundamentals of complying with information and data security standards required for any organization that seeks to process card-based transactions.
BillingTree called on Michael Vitolo, the managing partner of MegaplanIT, an Arizona-based risk assessment and consulting firm, to help walk individuals through the alphabet. Click here to access a free recording of the webinar.
The Payment Card Industry (PCI) Data Security Standard (DSS) applies to every entity that stores, processes, or transmits cardholder data, from merchants to the service providers that handle transactions on their behalf; the card brands (Visa, MasterCard, and others) mandate and enforce it. The level of compliance validation required depends on the volume of transactions the merchant or service provider processes, Vitolo said.
For most companies, a self-assessment questionnaire (SAQ) is going to be the official document of record when it comes to asserting that the company is compliant with the PCI DSS. The questionnaire is lengthy, but Vitolo broke it down along the standard's 12 requirements:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update antivirus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for employees & contractors
“We inform our clients that they are 100% liable for how they answer the SAQ and they are going to be held liable if they answered questions incorrectly or if there is a breach,” Vitolo said during the webinar. “Any organization that stores, processes, or transmits card data has to fill out an SAQ.”
The risks of being non-compliant go well beyond just not being able to accept credit card payments, Vitolo said. The other risks include fines, mandatory compliance audits, disruption to operations, and being cut off from card-processing services entirely.
Becoming compliant with PCI DSS so that an organization can accept card transactions can be daunting, Vitolo admitted. But one piece of advice he had for companies was to segment their operations and then determine the scope of what is needed. This process lets a company determine which parts of its operation must be included in an SAQ or compliance audit and leave out everything that does not need to be included. One caveat a practitioner should keep in mind: segmentation only reduces scope if it actually holds. The DSS expects segmentation controls to be tested to confirm that out-of-scope systems cannot reach the cardholder data environment, so an untested "out of scope" label is an assertion the assessor will not accept.
“Segmentation helps reduce cost and risk,” Vitolo said. “It’s about knowing your technology. What assets do you have — workstations, network devices, etc. You can segment out everything that is not in the scope of what you are doing.”
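To make the scoping advice concrete, here is an added example that is not from the webinar or from BillingTree or MegaplanIT. It models a small, constructed asset inventory and two inter-segment firewall policies (a flat network and a segmented one), classifies each asset as part of the cardholder data environment (CDE), "connected-to" the CDE, or out of scope, and then compares the intended policy with constructed scan results to catch a segmentation control that is not doing what the policy claims. Asset names, segments and the allowed-traffic pairs are all assumptions made for illustration.

```python
"""Toy PCI DSS scoping calculation over an asset inventory.

Added example, not code from the article or the webinar. All assets,
segments, policies and "observed" connectivity below are constructed.
"""

# Constructed inventory: asset -> (network segment, handles cardholder data?)
ASSETS = {
    "pay-web":   ("cde",  True),
    "pay-db":    ("cde",  True),
    "jump-host": ("mgmt", False),
    "ad-dc":     ("mgmt", False),
    "hr-portal": ("corp", False),
    "crm":       ("corp", False),
}

SEGMENTS = ("cde", "mgmt", "corp")

# Constructed inter-segment firewall policies. Each entry is an allowed
# (source segment, destination segment) pair; anything absent is denied.
FLAT_NETWORK = {(s, d) for s in SEGMENTS for d in SEGMENTS}
SEGMENTED = {
    ("cde", "cde"), ("mgmt", "mgmt"), ("corp", "corp"),
    ("mgmt", "cde"),   # admins reach the CDE only from the management segment
    ("mgmt", "corp"),
}


def classify(assets, policy):
    """Return {asset: category} with category in {'cde', 'connected', 'out'}.

    Mirrors the usual PCI scoping logic: systems that store, process or
    transmit cardholder data form the CDE; a system whose segment may send
    traffic to, or receive traffic from, a CDE segment is "connected-to" and
    therefore in scope; everything else is out of scope for the SAQ/audit.
    """
    cde_segments = {seg for seg, handles in assets.values() if handles}
    result = {}
    for name, (seg, handles) in assets.items():
        if handles:
            result[name] = "cde"
            continue
        touches_cde = any((seg, c) in policy or (c, seg) in policy
                          for c in cde_segments)
        result[name] = "connected" if touches_cde else "out"
    return result


def in_scope(assets, policy):
    """Sorted list of assets that must appear in the SAQ or audit."""
    return sorted(n for n, cat in classify(assets, policy).items()
                  if cat != "out")


def segmentation_violations(assets, policy, observed):
    """Check the intended policy against connectivity actually observed.

    `observed` is a list of (source asset, destination asset) pairs that a
    scan run from each segment was able to reach. Any pair where an asset
    the policy calls out of scope reached a CDE asset is a violation: the
    segmentation control is not effective and the scope reduction is void.
    """
    cats = classify(assets, policy)
    return sorted((s, d) for s, d in observed
                  if cats[s] == "out" and cats[d] == "cde")


if __name__ == "__main__":
    print("flat network in scope:", in_scope(ASSETS, FLAT_NETWORK))
    print("segmented in scope:   ", in_scope(ASSETS, SEGMENTED))
    # Constructed scan result: hr-portal could still open a connection to
    # pay-db, so the firewall is not enforcing what the policy says.
    observed = [("jump-host", "pay-db"), ("hr-portal", "pay-db")]
    print("violations:", segmentation_violations(ASSETS, SEGMENTED, observed))
```

On the flat network every asset is in scope, because every segment can reach the CDE; with the segmented policy only the two CDE hosts and the two management hosts remain, and the corporate systems drop out of the SAQ. The last function is the check that belongs with any scope reduction: feed it real scan output from each out-of-scope segment, and any row it returns means the claimed segmentation does not hold.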