4 Min ReadJune 19, 2015

Credit Card Data Security and Your Dealership

Visa, MasterCard, Discover Card, American Express and JCB International support the Payment Card Industry (PCI) Data Security Standard (DSS). This global standard, now 11 years old, is designed to guide all organizations that accept credit cards to secure their operations and, therefore, minimize the chances for fraud. The standard defines controls (both process and technology controls) for handling cardholder data that minimize the risks for all involved.

Like other merchants, dealerships are responsible for achieving PCI compliance when they accept credit cards. Specifically, the PCI standards state that if you accept cards for payment, or process, store, or transmit credit card information, you must meet the PCI Data Security Standards. Even if you only accept one card annually and simply use an imprint device, your dealership must comply.

High-profile credit card data breaches, such as those see at Target, Home Depot, and UPS, are shedding a lot of light on how companies and customers alike can be negatively affected by hackers and their tech skills. And while dealerships may believe they're too small to garner any attention from hackers, think again. PCI itself reports that small and mid-size businesses are actually at greater risk of being breached than large businesses

Ignoring PCI Standards Can Result in Significant Fines

 

Merchants who ignored the standards and experienced a breach have reported that the fines they incurred may have been more severe than for those merchants who either complied or took steps to comply and then experienced a breach. The Ponemon Institute estimated that the average credit card data breach costs approximately $3.5 million—about 15% more than it cost in 2013. Data breach fines can range from $5,000 to $500,000 per month of non-compliance.

Burden of a Breach Transitioning to the Merchant

 

Recent changes to the PCI DSS warrant your immediate attention, particularly as merchants are increasingly being held accountable for stolen credit card information by the card issuers. As of October 2015, merchants should seriously consider replacing older magnetic credit card readers with the new EMV (chip and pin) card readers. Merchants who don’t and later experience a data breach may find that their business may own the financial responsibility for the breach.

Specifically, if you accept credit cards for payment, you are responsible for the following:

  • Reviewing and understanding the PCI Data Security Standards
  • Understanding the reporting requirements that apply to your business
  • Reporting compliance to your payment processor annually

Most dealerships fit into the small-to-medium business classification with respect to credit card processing and will be defined as level 3 or 4 merchants. The good news is that these merchants, while still expected to comply with the full PCI DSS, may have simpler reporting requirements in the form of self-assessments, particularly if the scope of the cardholder data environment is small.

People and Process as Important as Technology

 

In addition to the technological aspects of credit card use, there are people and process controls required for compliance with the PCI DSS. These controls include conducting background checks on associates handling consumer credit cards and providing periodic training to those associates. Dealers are also responsible for protecting card readers and inspecting them to ensure they have not been tampered with.

PCI compliance is not a law, but an industry standard with contractual obligations. Some states, however, have codified some or all of the PCI DSS into law, and you need to know if these regulations affect you. PCI compliance is your responsibility; CDK cannot deliver it for you. Compliance is not a one-time event, but something you must maintain, such as maintaining an automobile.

If you accept credit cards for payment, CDK recommends that you engage your legal counsel and/or a PCI Qualified Security Assessor (QSA) consultant to define a PCI DSS compliance plan that suits your dealership.

How CDK Can Help

 

CDK has worked with PCI-compliant payment processors and many clients, helping to bring DMS-integrated thirdparty solutions to market that may minimize risk and reduce the cost of securing these operations. These solutions help prevent credit card information from being processed, stored, or transmitted on your DMS.

The solutions help by:

  • Removing much of the card processing from the dealer’s network
  • Encrypting card data in the device where it is swiped or entered
  • Using the latest validated tamper-proof card readers

These criteria have the potential of significantly reducing your PCI scope.

CDK’s analysis of the PCI DSS leads us to the understanding that delivering PCI DSS-compliant solutions on a DMS network can be very complex and costly. Many systems on a dealer’s network are not owned by the dealer; thus, the dealer has little leverage to remediate these systems. Therefore, CDK has a policy in place to not build and sell credit card point-of-sale products, but to work with expert payment processing partners who know the business and keep their card processing systems compliant.

For more information, visit the official PCI web site at www.pcisecuritystandards.org. It includes comprehensive details of the PCI DSS, PTS- validated readers, certified QSAs, and more.

Share This

CDK Global
By CDK Global
Staff

Recent Insights

Car Shoppers Battle EV Myths

Car Shoppers Battle EV Myths

Once you go electric, you stay electric. At least that’s what electric vehicle drivers indicated in a CDK study earlier...
2 Min ReadDec 19CDK Global
C D K Global Research Year in Review.

CDK Global Research Year in Review

Each year CDK produces an array of class-leading research to help dealers better understand their customers, their employees and the...
4 Min ReadDec 16CDK Global
The R O I of modern Retail.

The ROI of Modern Retail

It’s old news that consumers today browse and research potential vehicle purchases online before coming into a car dealership. Ninety-five...
2 Min ReadDec 9Jen Miller
Community College Recruitment Strategies for Your Dealership.

Community College Recruitment Strategies for Your Dealership

Recruiting people to staff entry-level positions at your dealership can be a challenge. Rather than posting a “help wanted” ad...
3 Min ReadDec 6CDK Global
Dealers Deliver on Customer Experience in November

Dealers Deliver on Customer Experience in November

Inventories hit some of their highest levels in years last month and the ability to find the car they wanted...
3 Min ReadDec 2David Thomas
Energize E V Sales This Winter.

Energize EV Sales This Winter

Winter is a unique time to sell cars, especially in cold climates. This year promises to be an even more...
5 Min ReadNov 22CDK Global
The Need for Speed. How A I Is Transforming Auto Dealerships.

The Need for Speed: How AI Is Transforming Auto Dealerships

In today’s fast-paced world, time is one of the most precious commodities, and nowhere is that more evident than in...
3 Min ReadNov 20Jessie Hammonds
Dealership Recruiting and Retention in the Age of Social Media.

Dealership Recruiting and Retention in the Age of Social Media

With the U.S. unemployment rate hovering just over 4%, auto dealership recruiting and retention are daunting challenges facing dealers of...
4 Min ReadNov 19CDK Global
New Research Highlights Impact of AI in Automotive

New Research Highlights Impact of AI in Automotive

AI in the automotive industry is no longer a trend. Dealerships are experiencing gains across their operations thanks to technologies...
2 Min ReadNov 13CDK Global
Shoppers Have Harder Time Finding the Right Car in October

Shoppers Have Harder Time Finding the Right Car in October

Disruptions in inventory, whether it was due to stop sales, model year turnovers or even natural disasters, seem to have...
2 Min ReadNov 4David Thomas