PCI Data Security: The #1 Misconception That Can Harm Your Business and Its Reputation

There’s a common misconception about PCI compliance that, if not addressed, can seriously harm the very business and professional image you’ve worked so hard to build.

The misconception? That your business does not need to become PCI compliant and renew its certification each year.

It’s easy to see how this misconception could come about. Most small businesses use business management software and work with a third-party merchant services provider, like Constellation Payments, to help run their business.

Yes, the software provider is PCI-certified, and the merchant services provider is also PCI-certified.

However, working with PCI-certified vendors does not exempt a business from having to show their own compliance. All businesses that participate in the payment transaction process must adhere to PCI compliance standards. The process includes more than running payments through your software.

The payment transaction process includes how credit card and debit card payment information is handled at the front desk in fitness clubs and gyms, at the counter in salons and spas, on a tablet for on-the-go businesses like personal training, at the register in a retail store, and so on.

How Do I Get My Business PCI-Certified?

To become PCI-certified, your business must complete the self-assessment questionnaire annually.

Fortunately, there are many resources to help with PCI certification – ones that make it a relatively pain-free process.

At Constellation Payments, as part of our solution, each merchant is enrolled in the PCI Plus Protection Program that’s provided by the well-known Qualified Security Assessor (QSA), Sysnet.

What’s great about this program is that you get hands-on help. The team at Sysnet will guide you through the entire process to help you complete your self-assessment questionnaire (SAQ). And they’ll confirm all answers.

Once the questionnaire is completed, you’ll be able to download your validation certificate and then send the certificate to your merchant processor to have on file.

What Happens if My Business Isn’t PCI-Certified?

1. You could lose the ability to accept credit cards.

If there are possible breaches of card association regulations, the card brands could revoke your right to process credit cards.

2. You could get hit with a big financial loss.

Non-PCI-compliant merchants can face fines of up to $500,000.00 in the event of a data breach.

In addition, PCI non-compliance can result in penalties ranging from $5,000 to $100,000 per month from the credit card companies. These penalties depend on the volume of clients, the volume of transactions, the PCI-DSS merchant level the company should be on, and how long the company has been non-compliant. For example, the penalties for a Level 1 company that has not met the requirements for more than 7 months could reach up to $100,000 monthly.

Merchant level identification is based on the total volume of transactions per year. See VISA’s site for detail on each level and level requirements.

3. You could lose clients and business.

All it takes is one data breach – no matter its size – to damage your business financially and inflict irreparable damage to your business reputation.

4. You’ll be subject to monthly non-compliance fees.

US businesses that have not completed their annual self-assessment questionnaire, and have not demonstrated PCI-DSS compliance, are subject to a $59.99 per month non-compliance fee.

At Constellation Payments, this fee is meant as an incentive to complete your PCI compliance self-assessment questionnaire to ensure you’re handling and processing credit and debit card payments in a safe and secure manner. Once a merchant has completed their questionnaire demonstrating compliance, the fee drops to $0.

The Benefits Beyond Data Security

Being PCI compliant doesn’t just ensure your business is following the rules and regulations. PCI compliance also helps your business growth and reputation. Knowing your systems are secure, consumers can trust you with their sensitive information and have confidence that their information is safe and protected.

Confident customers that trust you are more likely to do business with you again and become loyal, repeat shoppers. They’re also likely to recommend you to their friends.

Another key benefit of compliance: it improves your reputation with acquirers (banks and financial institutions that process credit and debit cards on your behalf).

Compliance also improves your reputation with payment brands such as VISA and MasterCard.

The Small Time Investment to Become PCI Compliant is Well Worth the Big Gains in Consumer Confidence and Peace of Mind

While it does take some time and effort to become PCI-compliant, it’s well worth it to gain customer trust and confidence — and avoid catastrophic data breaches that can destroy your business.

Not PCI compliant? Make today the day you become certified to protect your livelihood.

Or as the PCI Security Standards Council website so aptly states, “You’ve worked hard to build your business — make sure you secure your success by securing your customers’ payment card data.”



The Equifax Hack: What You Need to Know, Steps to Keep Customer Data Safe


By now we’ve all heard the story of how 143 million Americans (roughly half the US population) had their personal data compromised due to a breach at Equifax. It’s reasonable to be concerned about the security of your personal accounts. But what about your customers’ sensitive financial data?

With so many people affected, consumers are being inundated with admonitions to update their passwords, freeze their credit reports, and reconsider to whom they entrust their data.

Facing Facts

Whether you sell Point of Sale (POS) software or use it to run your business, it’s time to face facts. After all, if one of the largest custodians of consumer identity data can be hacked, POS software companies and the companies that use that software should assume the worst about their own vulnerability.

Fact 1: This breach was avoidable.

Equifax failed to implement a patch provided by a software vendor/partner for a known vulnerability discovered months prior to being exploited at Equifax.

Key Takeaway / Action Item

Remain vigilant and create mechanisms that ensure your software and any plugins, extensions, or API-connected applications are updated as soon as possible.

Automate where feasible. There are some risks to automated updates, including the possibility that an update could cause a system failure. Only you can determine if automation is right for your company, but it should at least be considered.

Many of North America’s largest POS software brands trust Constellation Payments as their gateway specifically because integration with our PCI Level 1 compliant gateway reduces PCI scope for them and their users.

Fact 2: Equifax fumbled the ball, fumbled the recovery of the ball, and fumbled the recovery of the fumbled recovery of the ball.

Equifax discovered the breach on July 29th, yet didn’t announce it until September 7th. They sent affected customers to a website that looked like a phishing site, and the mechanism for determining whether someone was a victim of the hack was easily spoofed by several security pros who entered dummy data, only to be told their dummy identities were likely compromised.

Finally, Equifax made the egregious decision to try to sell credit monitoring to those who received the bad news, making Equifax seem at best callous and uncaring, and at worst opportunistic and sleazy.

Key Takeaway / Action Item

Have a breach plan before you have a breach. Who would you call if this happened tomorrow? What would be the best, most effective measures to take upon learning that your company’s data was now available to anyone willing to purchase it on the dark web? Are there PR firms, law firms and cybersecurity firms you should have on speed dial?

One thing’s for certain: the old saying that “a failure to plan is a plan to fail” never felt more fitting than it does in the case of Equifax.

Recommended reading: Your Cyber Incident Response Exercise. The article takes you through key questions and scenarios that should be discussed and documented with your team before a breach occurs. This preparation is invaluable. Having a plan in place will help you and your team respond to a breach in an organized manner, as opposed to being backed against the wall in a frenzied “what should I do …” state during an actual breach.

Fact 3: Equifax put revenues ahead of security.

Financial disclosure documents show Equifax’s annual overhead had not increased in several years, while profits had increased steadily. It’s been speculated that Equifax may have been slow to apply the patch because doing so would be very expensive and might influence earnings. It seems obvious that a company with as much to protect as Equifax should be increasing its security budget steadily year after year.

Key Takeaway / Action Item

Dedicate a budget to cybersecurity, choose partners who have done the heavy lifting for you, review the budget and your plan at least once a year, and never settle for the minimum protections when it comes to sensitive customer data.

Bottom Line – Prevent, Prepare and Invest

Ensuring the security of your customers’ sensitive data should always be a top priority. Your customers trust you with their payment information. You should do whatever it takes to maintain that trust. Take the time to put proper security mechanisms in place.

Should a breach occur, know how to respond. A cyber incident response plan that can be used throughout your organization is something all businesses should have.

Lastly, never cut corners on data protection just to save some money. In the long run, it could cost you the business you’ve worked so hard to build.




The Data Security Solution Every Member Management Software Vendor Should Have in Place

We work with a lot of software vendors in the member management space.

Their customers — gym owners, personal trainers, association managers — use software like EZFacility, myVolo and 123Signup to streamline business operations and automate key tasks.

One of the most critical needs for these business professionals — due to the nature of their operation — is the need to have secure payment processing integrated with their software.

These fitness professionals and association executives need to have the ability to process recurring credit and ACH payments through their software on a continual basis, so that they can charge for items like fitness memberships, association dues, and personal training session packages.

Rather than input the member’s credit or bank draft account each and every month when a membership payment is due, the software needs to store the account information for ongoing use. Problem is … storing sensitive payment data leaves the data at great risk of being stolen.

That’s where tokenization comes in.

What is Tokenization?

Much like emptying a treasure chest of its valuables, tokenization replaces a cardholder’s primary account number (credit card number) or bank account number with a long string of random numbers that is useless to a thief if stolen.

That long string of random numbers, the token, is used when processing payments. The customer’s actual payment data is sent to a highly secure encryption appliance and stored there, eliminating the need for the merchant to store the payment data on their internal network.

In other words, fitness gyms, associations and other membership-based businesses can go about their business — processing payments the first of every month or whatever their cycle. At the time of payment, the token is retrieved and used for transactions in lieu of the cardholder’s primary account number/credit card number or bank account number.

More Benefits to Tokenization:

1. Because merchants don’t have to store the sensitive data themselves, their Payment Card Industry (PCI) requirements are reduced, which ultimately means fewer questions on the merchant’s annual PCI survey, reduced liability and reduced costs associated with PCI compliance.

2. Tokenization protects businesses from internal theft — from employees, suppliers, vendors or anyone else connected to the software and its data.

How is Tokenization Different than Encryption?

Encryption masks data by using an algorithm to scramble credit card data so that it can’t be read by anyone without the proper key. However, unlike with tokenization, that encrypted data still sits on the company’s internal network. So while the chance that stolen encrypted payment data can be used directly is small, there is still a hole: an attacker who also obtains the key, or exploits a weak implementation, could potentially recover the credit card information.
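As an added illustration of the tokenization flow described above (example code written for this page, not code from Constellation Payments or any vendor named here), the following Python sketch models a provider-side token vault and a member record that stores only the token. The vault, record and function names are assumed for the example, and the card number is a constructed Luhn-valid test value.

```python
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, used to reject obviously malformed PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Stand-in for the provider-side vault: the only place a real PAN lives."""
    _pan_by_token: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # The token is a long random digit string with no mathematical
        # relation to the PAN, so it is useless to a thief who steals it.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(19))
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # A real processor would forward the PAN to the card network here.
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class MemberRecord:
    """What the member management software stores: token and last4 only."""
    name: str
    token: str
    last4: str


def enroll_member(vault: TokenVault, name: str, pan: str) -> MemberRecord:
    token = vault.tokenize(pan)
    return MemberRecord(name, token, pan.replace(" ", "")[-4:])


def run_monthly_billing(vault: TokenVault, members: list, dues_cents: int) -> list:
    """Recurring charge: the merchant presents tokens, never card numbers."""
    return [vault.charge(m.token, dues_cents) for m in members]
```

A dump of the merchant-side `MemberRecord` objects exposes tokens and last-four digits only; the PAN can be recovered solely through the vault.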

The Best Course of Action …

The tokenization technology we use with our software partners employs state-of-the-art encryption, utilizing a multiple-authority architecture, public-key cryptography and a FIPS 140-2 Level 3 certified Hardware Security Module to store private keys.

At Constellation Payments, we strongly advocate a three-pronged data security approach that includes 1) tokenization, 2) point-to-point encryption to encrypt data from the moment it enters the point of sale software, and 3) EMV technology to reduce card fraud resulting from counterfeit, lost or stolen cards.

This layered data security method is the best course of action for all software that includes point of sale and recurring membership and/or subscription-based payment processing capabilities.

If you have any questions about our tokenization process, or how Constellation Payments can assist you by delivering payment processing solutions integrated with your point of sale software, feel free to give us a call at 888.248.7060 or send an email to

Angela Summa is the Vice President of Constellation Payments. She is responsible for business development, implementation, channel partner support, and merchant support. Her goal is to ensure businesses offer the highest level of payment processing security and ease of processing to customers. You can reach Angela by sending an email to

Image Courtesy of Pixabay

