If you sell or shop online, then chances are you’re well aware of the personal data you are required to submit upon payment – but how secure is your personal information and what happens when your information is at risk of being breached?
PCI legislation has been an increasing concern in the digital sphere, changing the way in which online business owners store and secure shoppers’ data. To make it simple, we’re here to inform you of your PCI requirements, the changes to data breach notification laws, and what happens if you experience a data breach.
Short for Payment Card Industry Data Security Standard, PCI-DSS (or PCI) refers to a set of measures applicable to all companies that accept credit card payments. If your company currently accepts card payments and processes, transmits or otherwise handles customer cardholder data, you must host that data with a provider who is PCI compliant.
Being PCI compliant means adequately adhering to a set of security requirements for accepting, processing or storing cardholder data. PCI compliance is mandatory for all Australian businesses, regardless of size, that handle credit or debit card information.
In February 2018, the Australian government introduced a series of data breach notification laws, making it a requirement for businesses to alert the Australian Information Commissioner and all of their clients if they are hacked or otherwise suffer a data breach. Implemented in a bid to minimise the risk and damage of cyber-attacks on both individuals and businesses, these new laws are designed to keep consumers informed of potentially harmful threats that could put their personal or private information at risk.
Under these new laws, businesses that have experienced a data breach have 30 days to report the incident to the Office of the Australian Information Commissioner and to inform all potentially affected clients held in their database systems.
These laws are applicable to all government agencies and organisations governed by the Privacy Act 1988. This includes health service providers, businesses that sell or purchase personal information and credit reporting bodies.
If you’re a business owner with an annual turnover of under three million dollars, you fall outside this legislation and these laws do not apply to you; businesses of that size are instead governed by state government organisations and local councils.
A data breach is any action, intentional or otherwise, by a business that results in an individual’s personal information being compromised. This could occur as a result of information being lost, stolen or leaked to an outside party. Under data breach legislation, the information covered includes personal information, contact details, credit reporting information, credit eligibility information and tax file number information.
If your business has an annual turnover of more than three million dollars and the data breach is likely to result in serious harm to any individuals who have shared their personal or private information with you, you must report the incident to the Office of the Australian Information Commissioner within 30 days. The report must disclose the type of data breach, the data affected by it and the steps you will take to rectify the situation. Failure to report and to take affirmative action to rectify the breach can result in a penalty of $360,000 for individuals and $1,800,000 for bodies corporate.
However, small businesses are not off the hook. If you’re a business owner with an annual turnover of less than three million dollars, you will still need to take appropriate steps to contain the damage and to assess any current and potential harm.
Investing in an advanced payment system that is tier-one PCI-DSS compliant ensures the highest security measures as set by Visa and MasterCard, meaning you can rest assured that any personal information is being held to the highest standard.