Top 4 PCI Audit Tips for Collection Companies
Collection companies are subject to PCI DSS, just like any other company that stores, processes or transmits cardholder data. That is true whether or not the company has ever taken a payment directly: an account file assigned by the original creditor, or purchased from it, routinely arrives with the card numbers used on the original account, and holding those numbers is enough to put the company in scope. The same file carries identifying information that attackers prize just as much: Social Security numbers, dates of birth, addresses and phone numbers (ideal for follow-up scam calls impersonating the collector). If the company has taken payments, it also holds bank account details and newer card numbers. PCI DSS governs the card data; the rest must be protected with the same controls, because the same breach exposes all of it.
As a collection company, you know that PCI DSS requires annual validation of compliance: an on-site assessment by a Qualified Security Assessor (QSA) producing a Report on Compliance for the largest merchants and service providers, or a Self-Assessment Questionnaire for the rest, with the level that applies to you set by your acquiring bank and the card brands. Fines for non-compliance are levied by the card brands through your acquirer, and they rise sharply if a breach occurs while you are out of compliance, on top of forensic investigation costs, card reissuance costs and the bad publicity. Staying in compliance is plainly in your company's best interest.
Here are some tips for preparing for your annual PCI audit, to ensure you are always in compliance and get glowing reports from your auditor:
1. Make Sure Your Firewall is Updated
The most basic thing you can do to protect customer financial and personal information is to keep the firewall that separates the systems holding that data from the rest of the network, and from the internet, current and correctly configured. Be precise about what a firewall is, because the auditor will be: it controls which network traffic may reach those systems (PCI DSS Requirement 1). Anti-virus and anti-malware software (Requirement 5) and encryption of stored and transmitted card data (Requirements 3 and 4) are separate controls, usually separate products, and each is checked on its own. For the firewall itself, the auditor will expect three things: the rule set denies everything that is not explicitly required for business, so only the specific hosts and ports that need to reach the cardholder data environment can; the rule set is documented and reviewed at least every six months; and the device runs supported firmware with vendor security patches applied, with critical patches installed within a month of release as Requirement 6 demands. Turn on automatic updates where the product supports them, and replace any product the vendor has stopped supporting, since an unpatched firewall is exactly what an attacker probing for a way in hopes to find. Make sure that is the state of things when the auditor arrives, not something you are still scrambling to fix.
2. Keep Access to Certain Company Databases Restricted
Not every employee needs access to every company database. Giving everyone access to everything is irresponsible, and the PCI auditor will treat it as a failure of Requirement 7, which limits access to cardholder data to the people whose jobs require it. Grant database credentials on a need-to-know basis, tied to job role rather than to the individual, and remove them the day the role changes or the employee leaves. Give every user a unique account (Requirement 8) so that a log entry names a person, not a shared login. Have a central IT security function that records who logs into which database and when (Requirement 10), reviews those logs regularly, and follows up on failed attempts, whether they come from an employee inside the company or from an attacker outside it. When employees can reach only the databases they need for their work, the damage one compromised or dishonest account can do is bounded. There is less opportunity for an unscrupulous employee to pass sensitive information to others or to misuse a database they had no business reason to open. You will vet every hire carefully, but in a large workforce such as a collection company's you cannot be certain that everyone is trustworthy, and access controls are what let you rely on the system rather than on trust.
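Tip 2 comes down to two controls: grant database access by role on a need-to-know basis, and review who logged into what and when. The following Python script is an added example, not code from this article or from I.S. Partners; the log format (ISO timestamp, user, database, LOGIN_OK or LOGIN_DENIED), the role-to-database matrix, the user directory and the log records in it are all constructed for illustration. It checks the constructed login records against the matrix and flags accounts the directory does not know, denied attempts on databases outside a user's role, successful logins that contradict the matrix (the database grants have drifted from what the role allows), repeated denials followed by a success, and successful logins after hours.

```python
"""Need-to-know review of database logins.

Added example, not code from the article or from I.S. Partners.
The log format (ISO timestamp, user, database, LOGIN_OK/LOGIN_DENIED),
the role-to-database matrix and the user directory are all
constructed for the example; substitute your own exports.
"""
from collections import Counter
from datetime import datetime

# Constructed entitlement matrix: which databases each job role needs.
ROLE_DATABASES = {
    "collector": {"accounts"},
    "payments":  {"accounts", "payments"},
    "dba":       {"accounts", "payments", "hr"},
}

# Constructed user directory: who holds which role.
USER_ROLE = {"alice": "collector", "bob": "payments", "carol": "dba"}

# Constructed login records; nothing here was captured from a real system.
SAMPLE_LOG = """\
2024-03-04T09:01:12 alice accounts LOGIN_OK
2024-03-04T09:05:40 alice payments LOGIN_DENIED
2024-03-04T09:07:03 alice payments LOGIN_DENIED
2024-03-04T09:07:15 alice payments LOGIN_OK
2024-03-04T10:15:00 bob payments LOGIN_OK
2024-03-04T22:30:00 carol hr LOGIN_OK
2024-03-04T22:31:00 mallory accounts LOGIN_DENIED
2024-03-04T22:31:05 mallory accounts LOGIN_DENIED
2024-03-04T22:31:09 mallory accounts LOGIN_OK
"""


def parse_line(line):
    """Split one log record into its fields; raises ValueError on a malformed line."""
    ts, user, db, result = line.split()
    if result not in ("LOGIN_OK", "LOGIN_DENIED"):
        raise ValueError(f"unexpected result field: {result!r}")
    return {"ts": datetime.fromisoformat(ts), "user": user, "db": db, "result": result}


def is_entitled(user, db):
    """True only if the user's role lists this database as needed for the job."""
    role = USER_ROLE.get(user)
    return role is not None and db in ROLE_DATABASES.get(role, set())


def review(log_text, business_hours=(8, 18), deny_threshold=2):
    """Return a list of (kind, user, db, timestamp) findings.

    kinds:
      unknown-user   attempt by an account that is not in the directory
      not-entitled   denied attempt on a database the role does not cover
      grant-drift    successful login on a database the role does not cover:
                     the database grants no longer match the entitlement matrix
      deny-then-ok   at least deny_threshold denials followed by a success,
                     the shape of a guessed or brute-forced password
      after-hours    successful login outside business_hours (start, end)
    """
    findings = []
    denials = Counter()  # (user, db) -> consecutive denials so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user, db, ts = ev["user"], ev["db"], ev["ts"]
        key = (user, db)
        succeeded = ev["result"] == "LOGIN_OK"

        if user not in USER_ROLE:
            findings.append(("unknown-user", user, db, ts))
        elif not is_entitled(user, db):
            findings.append(("grant-drift" if succeeded else "not-entitled", user, db, ts))

        if not succeeded:
            denials[key] += 1
            continue

        # Successful login from here on.
        if denials[key] >= deny_threshold:
            findings.append(("deny-then-ok", user, db, ts))
        denials[key] = 0
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(("after-hours", user, db, ts))
    return findings


def summarize(findings):
    """Count findings by kind, the view an access review would start from."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    for kind, user, db, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {kind:<13} {user:<8} {db}")
    print(summarize(review(SAMPLE_LOG)))
```

Run it against an export of your database's authentication log in the same four-field shape. A grant-drift finding is the one to act on first, because it means a database is admitting someone the entitlement matrix says should be refused, which is exactly the gap an assessor testing Requirement 7 will look for; deny-then-ok and unknown-user findings are what the log review in Requirement 10 is meant to surface.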
3. Make Sure Your Employees are Using Best Practices for Cybersecurity
Cybersecurity should be a standard part of new-employee training and a clear, written expectation for everyone in every department, every time they log in. PCI DSS (Requirement 12) expects a formal security awareness program: training on hire and at least once a year, with employees acknowledging that they have read and understood the policy. Update your security procedures as threats and industry best practices change, and when they change, brief the whole company rather than assuming the update will spread by itself. Have your IT department check periodically that employees are actually following the procedures, for example by reviewing password practices, workstation locking and how card numbers are handled on calls, and keep records of the training and the checks. The auditor will ask for exactly that evidence, and you want your company to have it ready.
4. Hire a Third-Party Auditor
One of the most effective things you can do as a collection company is to engage a third-party assessor to make unscheduled visits throughout the year; three or four a year is ideal. These readiness reviews are separate from the formal annual assessment, and that is the point: they show you where your security is strong and where it falls short of PCI DSS while there is still time to fix it. The assessor will tell you exactly what to change in the areas that are not yet meeting the standard and will work with you on a consulting basis until they do. I.S. Partners, LLC is a third-party auditing company that specializes in bringing companies into PCI compliance and helping them stay there. Because its visits are unscheduled, the assessors see your company as it really is: employees do not change their behaviour because they know an auditor is coming, and you get a more accurate result.
I.S. Partners, LLC will also work silently among your employees during their audits, blending in carefully so work is not disrupted as they do their jobs. When you get regular audits like this, you will be confident your company is always ready for its annual PCI audit, and will get glowing reviews each time, because your security standards and practices will always be of the highest quality. Call us at 215-675-1400 or receive a PCI Quote here!