Visa, MasterCard, Discover Card, American Express and JCB International support the Payment Card Industry (PCI) Data Security Standard (DSS). This global standard, now 11 years old, is designed to guide all organizations that accept credit cards to secure their operations and, therefore, minimize the chances for fraud. The standard defines controls (both process and technology controls) for handling cardholder data that minimize the risks for all involved.
Like other merchants, dealerships are responsible for achieving PCI compliance when they accept credit cards. Specifically, the PCI standards state that if you accept cards for payment, or process, store, or transmit credit card information, you must meet the PCI Data Security Standards. Even if you only accept one card annually and simply use an imprint device, your dealership must comply.
High-profile credit card data breaches, such as those see at Target, Home Depot, and UPS, are shedding a lot of light on how companies and customers alike can be negatively affected by hackers and their tech skills. And while dealerships may believe they're too small to garner any attention from hackers, think again. PCI itself reports that small and mid-size businesses are actually at greater risk of being breached than large businesses
Ignoring PCI Standards Can Result in Significant Fines
Merchants who ignored the standards and experienced a breach have reported that the fines they incurred may have been more severe than for those merchants who either complied or took steps to comply and then experienced a breach. The Ponemon Institute estimated that the average credit card data breach costs approximately $3.5 million—about 15% more than it cost in 2013. Data breach fines can range from $5,000 to $500,000 per month of non-compliance.
Burden of a Breach Transitioning to the Merchant
Recent changes to the PCI DSS warrant your immediate attention, particularly as merchants are increasingly being held accountable for stolen credit card information by the card issuers. As of October 2015, merchants should seriously consider replacing older magnetic credit card readers with the new EMV (chip and pin) card readers. Merchants who don’t and later experience a data breach may find that their business may own the financial responsibility for the breach.
Specifically, if you accept credit cards for payment, you are responsible for the following:
- Reviewing and understanding the PCI Data Security Standards
- Understanding the reporting requirements that apply to your business
- Reporting compliance to your payment processor annually
Most dealerships fit into the small-to-medium business classification with respect to credit card processing and will be defined as level 3 or 4 merchants. The good news is that these merchants, while still expected to comply with the full PCI DSS, may have simpler reporting requirements in the form of self-assessments, particularly if the scope of the cardholder data environment is small.
People and Process as Important as Technology
In addition to the technological aspects of credit card use, there are people and process controls required for compliance with the PCI DSS. These controls include conducting background checks on associates handling consumer credit cards and providing periodic training to those associates. Dealers are also responsible for protecting card readers and inspecting them to ensure they have not been tampered with.
PCI compliance is not a law, but an industry standard with contractual obligations. Some states, however, have codified some or all of the PCI DSS into law, and you need to know if these regulations affect you. PCI compliance is your responsibility; CDK cannot deliver it for you. Compliance is not a one-time event, but something you must maintain, such as maintaining an automobile.
If you accept credit cards for payment, CDK recommends that you engage your legal counsel and/or a PCI Qualified Security Assessor (QSA) consultant to define a PCI DSS compliance plan that suits your dealership.
How CDK Can Help
CDK has worked with PCI-compliant payment processors and many clients, helping to bring DMS-integrated thirdparty solutions to market that may minimize risk and reduce the cost of securing these operations. These solutions help prevent credit card information from being processed, stored, or transmitted on your DMS.
The solutions help by:
- Removing much of the card processing from the dealer’s network
- Encrypting card data in the device where it is swiped or entered
- Using the latest validated tamper-proof card readers
These criteria have the potential of significantly reducing your PCI scope.
CDK’s analysis of the PCI DSS leads us to the understanding that delivering PCI DSS-compliant solutions on a DMS network can be very complex and costly. Many systems on a dealer’s network are not owned by the dealer; thus, the dealer has little leverage to remediate these systems. Therefore, CDK has a policy in place to not build and sell credit card point-of-sale products, but to work with expert payment processing partners who know the business and keep their card processing systems compliant.