The Importance of Being PCI Compliant For Consumer Service Companies
The number one issue facing the casino industry and most consumer-service industries right now is, without a doubt, PCI certification. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements for every company that accepts, stores, or transmits credit card data. Thanks to the rapidly advancing digital age, we are now able to collect more information than ever before through a simple swipe of a credit card. However, along with the advantage of being able to collect and use this information to grow our business comes the tremendous responsibility of securing this sensitive data from relentless and highly skilled hackers.
By now, most of us have experienced at least one data breach as customers of major corporations. We’ve received those dreaded emails or printed letters from longstanding retailers, restaurants, even non-profits and health care providers we’ve trusted, letting us know that information we willingly submitted to them has been compromised. It’s an uneasy feeling for the company to make that type of public announcement, and equally disconcerting for the customer.
Affinity Gaming, unfortunately, has not been immune to these data breaches. Shortly before I took over my current role as CIO and VP—IT, the company experienced not one, but two data breaches. In May 2014, Affinity found evidence of a hack on the casino debit and credit card system for non-gaming purchases, which impacted customers who paid for items such as hotel rooms, food and drinks, and services. Prior to this, in December 2013, Affinity also discovered that its Oracle Micros Point of Sale System had been infected with malware—compromising consumer credit card information. After these two back-to-back incidents, we realized we could no longer afford not to invest in the proper technology to protect our business and our most important assets—our customers!
My first order of business coming on board with Affinity was to fix this security problem and to make Affinity PCI-compliant. For any business that accepts credit cards as its main transaction source, the top priority has to be securing the cardholder data environment. How do you go from a data breach to being PCI-compliant? At Affinity, we invested the financial, executive, and staffing resources needed to meet these standards, knowing how crucial it is for our overall business.
We work with top vendors to make sure our systems not only meet industry standards, but exceed them. We partnered with the commerce platform provider Freedom Pay to implement their PCI-validated Point-to-Point Encryption (P2PE) solution. With Freedom Pay, the card data is encrypted at the point of purchase, from the moment a client’s credit card is swiped until it reaches our clearing house (Elavon). This ensures that we never see the customer’s credit card number in cleartext, which also means we no longer have to store our customers’ sensitive credit card information.
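The practical payoff of P2PE described above is that the merchant's own systems (point-of-sale logs, databases, exports) should no longer contain any cleartext card number, only tokens or masked values. A simple way to verify that claim, and to keep verifying it after deployment, is to scan merchant-side data for primary account numbers (PANs). The following is an added example written for this article, not code from Affinity, Freedom Pay or Elavon: it finds 13–19 digit runs, confirms them with the Luhn check digit that real card numbers carry, and reports them in the masked first-six/last-four form so the scanner itself never writes a full PAN. The sample log lines are constructed; the card numbers in them are publicly documented test numbers, not real accounts.

```python
import re
from typing import List, Tuple

# Digit runs of 13-19 digits, optionally separated by spaces or dashes.
# The lookarounds stop the pattern from matching the middle of a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample lines standing in for a point-of-sale log export.
# Line 1 shows the pre-P2PE situation (cleartext PAN in the log), line 2 the
# post-P2PE form (masked PAN plus processor token), line 3 a 16-digit order id
# that fails Luhn, and line 4 a cleartext PAN written with spaces.
SAMPLE_LINES = [
    "pos01 AUTH amount=42.50 pan=4111111111111111 exp=1215 result=APPROVED",
    "pos01 AUTH amount=42.50 pan=411111******1111 token=tok_7c1e9a2b result=APPROVED",
    "pos02 ORDER id=1234567890123456 amount=19.00",
    "pos02 AUTH amount=19.00 pan=5555 5555 5555 4444 exp=0117 result=DECLINED",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit number in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, masked PAN) for each cleartext PAN found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


def cleartext_pan_free(lines: List[str]) -> bool:
    """True when no line holds a cleartext PAN, i.e. the data is out of PCI scope."""
    return not scan_lines(lines)


if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: cleartext PAN {masked}")
    print("export is PAN-free:", cleartext_pan_free(SAMPLE_LINES))
```

Running the scan over the constructed sample reports lines 1 and 4 (the cleartext numbers) and ignores the masked value, the token and the non-Luhn order id. Pointing the same scanner at real log archives, database dumps and backups before and after a P2PE rollout is how a merchant can demonstrate, rather than assume, that the scope reduction the paragraph describes has actually happened.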
However, unlike Affinity, many companies within the industry are still not compliant. With such a great risk looming, it can seem perplexing to the outside world as to why these companies are not making the necessary changes, but there are very real and complex issues to consider:
Becoming PCI-Compliant Is Expensive
The number one reason why many companies aren’t compliant is the cost and amount of labor it takes to become compliant. Depending on the number of breaches at the company, there will be fines from Visa, MasterCard and Amex. These fines can range from recurring monthly fees (until you can prove PCI compliance) to the full cost of rectifying the breach on the credit card company’s side, including reissuing credit cards. Most companies, following a data breach, will also hire an outside PR firm and an external consultant to advise them on what to do. Add the cost of buying and upgrading software to secure the environment, and the overall expense can be more than many companies are willing or able to afford.
Changing Company Culture Is a Complex Process
Creating a strong PCI-compliant culture is very nuanced and complex. Asking employees to do business differently requires support from every level in your organization. At Affinity, we partnered with our CFO, Walter Bogumil, to use a top-down approach. Through his support, we were able to work closely with our executive team to create the culture changes that are needed. Proper education of our employees is also very important: anyone who handles a credit card at Affinity is trained on the required company procedures.
PCI Compliance Is Time-Consuming
Becoming PCI-compliant is a very long, complicated process. It’s crucial to speak to employees at every level and learn the business inside out so that you can identify where your vulnerabilities are and how to solve them. This process alone requires a lot of resources. Knowing where your current PCI compliance stands is also important for deciding where to start. At Affinity, we use a “PCI Prioritize” approach (a playbook from the Payment Card Industry) to become compliant. We’ve also reduced our PCI scope, that is, the set of systems that ever touch cardholder data, which is something we recommend to all companies.
Despite the very real and costly challenges of becoming PCI-compliant, the risks and consequences of not protecting your business and customers are only growing. Investing in the necessary software, infrastructure, and employee training and education is an investment in the future growth of your business, and a process we would highly recommend for every company within the consumer service industry.