Post authored by De-de Mulligan, President and Chief Content Strategist, Mulligan Management Group
Payment Card Industry Data Security Standard (PCI DSS) is a global credit card processing standard that is designed for one purpose only – to ensure your guests’ payment data stays secure through the entire payment cycle.
Formulated by the PCI Security Standards Council, the PCI DSS applies to any organizations—or events—that store, process or transmit cardholder data.
Even if you run a small association with minimal credit card transactions, your organization may still be obligated to comply with the standards.
PCI DSS Levels
According to PCISecurityStandards.org, service providers are segmented into one of two levels based on the number of credit card transactions that occur in a twelve-month period.
- Level 1: over 300,000
- Level 2: under 300,000
Level 2 providers fill out a self-assessment questionnaire about their protection methods.
The PCI Security Standards Council is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.
Level 1 Providers Require More
Level 1 companies must complete an external assessment by an approved Qualified Security Assessor (QSA).
QSA companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS.
In addition to an in-person security audit, Level 1 companies must also be scanned monthly for vulnerabilities and have an internal and external penetration test performed against their networks, according to Security Metrics.
At the end of the audit, the Assessor produces a Report on Compliance (RoC).
Level 1 is the highest level of credit card oversight. The security standard encompasses hundreds of requirements organized into 12 main areas, including firewalls, encryption, passwords, anti-virus, patching, and access control.
Finally, each Level 1 company is provided an Attestation of Compliance.
What it Could Mean for Your Event
Inherently, if a hacker takes your attendees’ credit card information, it may lead to unwanted charges, identity theft, or sale of their data on the dark web.
How would a data breach of all an association’s members’ credit cards and contact information fare for that association or its annual event?
It could be devastating.
According to PCI, noncompliance may result in:
- Loss of customers and sales
- Fines, penalties and legal costs
- Termination of your ability to accept credit cards
The Measures that Experient is Taking to Protect Your Data
Whether meeting participants are registering for a conference months ahead of time or are walk-in attendees onsite at the event, Experient offers seamless and secure bookings and payment options, said Brian Scott, Chief Information Officer at Experient.
Experient’s programmers have custom-coded double encryption protection into every transaction that occurs from our onsite environments.
Our entire IT department is continually evaluating and implementing better cybersecurity measures for our organization.
We’ve also expanded our cybersecurity team to include experts with experience from the DOD and other government high-security environments.
“Data breaches are serious business,” Scott said. “We work hard to protect our clients’ information every step of the way through better security hardening, processes, and systems. We also have had a stellar PCI audit over the last ten years.”
Editor’s Note: Experient is not a professional security and privacy consultancy firm; therefore, we recommend and encourage all customers to seek expert advice for PCI DSS compliance concerns.
De-de Mulligan is the President and Chief Content Strategist for Mulligan Management Group.
As a former meeting planner who has received Ohio MPI’s Planner of the Year award twice (2006 & 2012), she brings a unique perspective to these blog posts.
You can find her on Twitter @DedeMulligan.