What Associations Need to Know About PCI Compliance
A thriving association demonstrates its commitment to members every day by providing valuable benefits, fostering a supportive community, and creating opportunities for professional and personal development.
One of the most meaningful ways associations show they care is also one of the most inconspicuous—keeping sensitive member information safe by maintaining PCI compliance. It may not be something associations boast about in recruiting campaigns or marketing materials, but ensuring the organization is abiding by PCI guidelines is just as important as hosting continuing education courses or offering career resources.
In this article, we’ll explore the basics of PCI compliance and share a few tips on how to improve data security and member privacy in your association.
What Is PCI Compliance?
In 2006, the major payment card brands (Visa, MasterCard, Discover, American Express, and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC), which maintains the PCI Data Security Standard (PCI DSS). The PCI DSS is a set of security requirements designed to ensure organizations that accept payment cards protect cardholder data from being compromised.
Any organization that processes, stores, or transmits cardholder data is required to follow these standards and must validate its compliance at least once a year. For most associations, which handle a relatively small volume of card transactions, that means completing a self-assessment questionnaire (SAQ); the largest merchants must instead undergo an on-site assessment by a Qualified Security Assessor. Which SAQ you complete depends on how you accept cards (for example, whether payments are taken only through a third-party hosted payment page or on systems you run yourself). Completing the questionnaire involves answering a series of Yes/No questions regarding how you and your employees or volunteers handle member payment information.
Here are some examples of the statements you’ll find on the questionnaire:
- All paper and electronic files containing cardholder data (a.k.a. “media”) are physically secured.
- All media is destroyed when it is no longer needed for business or legal reasons.
- An incident response plan has been created and is ready for use in the event of a system breach.
By completing the PCI questionnaire honestly, and fixing every item you have to answer "No" to, you can be confident your association has taken the necessary steps to protect your members and keep their data from being compromised or stolen.
Why Is PCI Compliance Important?
Unfortunately, cyberattacks are on the rise, with the annual number of data breaches more than doubling since 2013. Therefore, keeping member payment details secure must be a priority for any organization that accepts credit cards.
The process of obtaining PCI compliance is a great opportunity for you to improve overall data security in your association because it requires you to review how staff members or volunteers handle private member information. If you identify a potential risk, you can make appropriate adjustments to how the association manages sensitive information.
How Can I Improve Data Security in My Association?
Before you complete the PCI self-assessment questionnaire, you need to make sure your association is following best practices for data and information security. To help protect sensitive member information, here are 10 actions you should take:
- Physically secure any paper document containing cardholder data in a locked filing cabinet or safe.
- Never record the card security code (CID/CVV2/CVC2) on any document, and never store it electronically after a transaction is authorized; PCI DSS prohibits retaining it even in encrypted form.
- Restrict access to documents that contain cardholder information to only employees or volunteers with a specific business need.
- Do not allow employees to reuse the account ID and password they use to access cardholder data on any other software, and do not let several people share one account: every user needs a unique ID so that activity can be traced to an individual.
- Change the vendor-supplied default password for any software or device with access to the network (routers, Wi-Fi access points, and card terminals included), and remove any default accounts you do not need.
- Require employees to use passwords that follow security best practices. The PCI DSS v3.2.1 minimum is a length of at least 7 characters with a combination of both numbers and letters; PCI DSS v4.0 raises the minimum to 12 characters (8 where a system cannot support 12), so treat 7 as an old floor rather than a target.
- When an employee is terminated, immediately disable his or her access to any sensitive information and revoke his or her user permissions.
- Create and enforce comprehensive policies and procedures regarding employee computer use, physical security, and data security.
- Require every new employee to sign an official information security policy.
- Offer employees regular training on how to safely handle sensitive information and protect the privacy of customers.
There’s one last thing you can do to make PCI compliance far easier: partner with a third-party payment processor like AffiniPay for Associations. Our PCI Level 1 compliant technology keeps cardholder data on our systems rather than yours, which removes the risks associated with storing payment information at your office and shrinks the portion of your environment that falls within PCI DSS scope. Using a third-party processor does not remove your obligation to validate compliance each year, but it typically qualifies you for the shortest questionnaire. Not only that, every AffiniPay for Associations user is automatically enrolled in our free PCI compliance program, which makes becoming, and staying, PCI compliant a breeze.