I’ve identified a significant reason why business to business merchants using ERP’s will fail a PCI Compliance stress test. Whether you’re a consultant engaged to implement or extend an ERP, or you’re responsible for your company’s PCI Compliance, chances are even a non-hacker like me can find vulnerabilities in your security. Why? The PCI Payment Card Industry (PCI) Data Security Standards are the foundation of any security plan, but ‘real world’ and ‘written policies’ are not always aligned, leaving businesses wide open to a potential data breach.
Regardless of security efforts, it’s impossible to overcome product limitations or inefficiencies that result in employees using alternative ‘non-pci compliant’ procedures for accounts receivable. Ah, but you say someone should have known and planned better. That may be true, but there is also sometimes a disconnect between internal policies, software selection, and perceived practical necessities to conduct business efficiently. Case in point, I’ve called on many companies that forbid storing card data anywhere (per CTO and or CFO policy), however, departments have a number of practical processes that violate the policy, ‘in order to comply with other departmental requirements’. If all parties fully understood the requirements for security and business needs, there’s always a PCI Compliant solution.
What are 3 top ERP related PCI failures?
- Need for written approval to store card data and use for variable recurring billing. This is frequently on a credit card authorization form the merchant desires to keep on file.
- Business does not use the merchant services portion of the accounts receivable module due to ERP specific processor partner requirement (price, banking relationship interference or other reason given not to implement)
- Personnel collecting credit cards do not have access to the system to store credit card data (problem with user access, financial control, or personnel restriction limitations; inefficient to use in sales process)
Surprised? It’s not the ERP specifically that is cited as cause for failure, it’s procedures and flexibilities not being met that cause employees to bypass established security procedures.
How can merchants prevent employees from violating PCI Compliance guidelines?
- Follow the money. Identify all personnel involved in the sales, billing and collections process. Interview staff starting with salesmen and through to how payment data is collected, invoicing, payment processing, and collections for delinquent accounts. Always ask questions about processes that you know are not allowed or that need to be fixed.
- Implement appropriate agnostic cloud payment technology for all facets of billing and collections.
How long do you think it will take for an outsider like me to prove your business is NOT PCI compliant?
- 5 minutes
- 4 hours
- 1 week
Take the FREE test and call 954-942-0483.