Is Your e-Commerce Business PCI Compliant?
To be successful, an e-commerce merchant needs several things, like customers and the ability to accept credit cards. But while being able to process credit card transactions is important, keeping those transactions and their data secure is just as critical. In 2017, there were almost 42,068 data security incidents — just the kind of incidents merchants can potentially avoid by complying with Payment Card Industry Data Security Standard (PCI DSS) security standards.
For every merchant that handles credit card data, PCI DSS security standards aren’t just a suggestion. They’re a requirement. So, when merchants understand, adopt and adhere to these guidelines — improving security throughout the entire payment cycle — that’s good news for customers and retailers.
What Is PCI Compliance — and Why Is It Important?
The PCI Security Standards Council established the PCI DSS payment security standards in 2006 in response to increasing data theft. This council (composed of Visa, Mastercard, American Express, Discover and JCB, the Japan Credit Bureau) wanted to ensure that all merchants who accept, process, store or transmit credit card information do so in a way that reduces the risk of fraud, data breaches and data theft.
More than 80% of data stolen in breaches is payment card data, illustrating just how important it is for merchants to secure sensitive customer data while it is under their control. To do so, every merchant handling payment cards must follow these 12 PCI-established control objectives:
- Install and maintain firewalls to protect cardholder data.
- Create system passwords and other security parameters (instead of using vendor-supplied defaults).
- Protect stored cardholder data.
- Encrypt cardholder data transmissions.
- Develop and maintain secure systems and applications.
- Regularly update all antivirus software.
- Restrict business access to cardholder data to a need-to-know basis.
- Restrict physical access to cardholder data.
- Assign a unique ID to each person with computer access.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security.
A merchant’s transaction volume, card handling method and security breach history determine how often audits and scans are required and what kind. Many merchants are eligible to complete a self-assessment, while larger merchants, or those with previous breaches, must have an independent Qualified Security Assessor perform the audit.
There’s no grey area when it comes to compliance. When merchants undergo their regular audits — or when an alleged violation triggers an audit — businesses either pass with 100% compliance or they fail. And those businesses that fail risk compromising their customers’ sensitive data, like credit card numbers, CVV numbers and addresses.
In fact, most major data breaches have occurred at companies that weren’t PCI-compliant at the time of the breach, which should give merchants added incentive to ensure they implement a solution that helps them become — and stay — compliant at all times.
The Consequences of Noncompliance
Compromised data isn’t the only thing at risk if merchants don’t comply with established rules. While PCI compliance isn’t a law and penalties aren’t often well-publicized, merchants face substantial repercussions for noncompliance, including:
- Fines and penalties of $5,000 to $100,000 per month that are passed down from the acquiring bank to the merchant
- Fewer sales and increased reputational damage, as customers give their business to other, secure merchants
- Costly audits of, and investigations into, the business
- Risk of having merchant accounts terminated
How Businesses Can Become PCI Compliant
Compliance isn’t easy to achieve, particularly for small and midsized businesses. In fact, 65% of small businesses don’t meet minimum compliance requirements because of the complexity surrounding the regulations and the expense of implementation.
Here are some steps online merchants should take to ensure they’re protecting sensitive customer data:
- Educate themselves on their obligations when processing credit cards.
- Work with PCI-compliant vendors so that the entire payment life cycle is secured.
- Change default passwords on network equipment.
- Establish a secure firewall between Internet connections and the system containing customer data.
- Have an independent Qualified Security Assessor evaluate processes and systems.
Consider Outsourcing PCI Compliance to a Trusted Partner
When it comes to PCI DSS compliance, merchants don’t have to go it alone. Many service providers and platforms — like PayPal, Stripe and Shopify — offer built-in PCI-compliant solutions that take care of compliance for the merchant. Before tackling solutions on their own, merchants should check with their service providers to see what PCI compliance efforts they might handle.
However, even if merchants outsource their PCI compliance, they are still responsible for ensuring that these outsourced services remain compliant.
Merchants looking to protect their growing business from the penalties and lost business that can come from violating compliance regulations should consider outsourcing fraud protection to PCI-compliant solutions, like ClearSale.
Contact a ClearSale analyst today to see how our fully compliant, comprehensive fraud protection solution can protect your business and your customers against the rising risk of fraud.