PCI DSS Compliance


Why PCI DSS Compliance is important for everyone


Published: 12 November 2018


When you run an online business, security is a crucial issue. You need to do everything you can to decrease the risk of payment and data fraud that could damage your brand’s reputation. A data breach is a serious problem: it can cause a loss of sales and customers who will never return to your site. It also comes with potential financial liabilities such as fines, penalties, fees, or higher costs of compliance in the future.

The Payment Card Industry Data Security Standard (PCI DSS) provides the steps that all merchants who process card payments, or store or transmit credit, debit, or prepaid card information, need to follow to provide secure transactions. The main purpose of the PCI DSS is to reduce the risk of debit and credit card data loss. It sets out how such loss can be prevented and detected, and how to react if a data breach occurs. It provides protection for both merchants and cardholders.

It is vitally important for your customers to know that their data on your website is secure. They use their debit or credit cards to purchase products or services and risk financial losses. There is also the problem of identity theft. The number of fraud cases has grown in recent years, so you have to make sure that sensitive data on your website is protected.

Author: Chris Dwyer, Payment System Architect

PCI DSS compliance is mandatory for every eCommerce merchant that accepts credit or debit card payments on their website. All information entered by customers is sensitive data, so it must be well-protected.

“While PCI DSS compliance is not a law, that doesn’t mean being out of compliance isn’t a big deal,” the mobile payment vendor, Square said. “In fact, a 2015 Verizon Data Breach Incident Report found that there were almost 80,000 data security incidents this year [2016]. So it’s more important than ever that your payment processing life cycle is secure.”

And importantly, PCI DSS compliance is also required for sites that outsource their card processing to a third party (e.g. PayPal, Stripe, Square, etc.). Even if the eCommerce website never touches card data during the online process, there are many other ways a merchant may be non-compliant. Let’s take a look at some of the issues here.

PCI DSS compliance applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. All merchants fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’).

In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.

Compliance levels

Merchant levels as defined by Visa

  • Level 1. Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Level 2. Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
  • Level 3. Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
  • Level 4. Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

It is estimated that over 76% of all global eCommerce merchants who fall into Level 4 reporting do not fulfil their compliance requirements. This appears to be mainly due to lack of knowledge rather than deliberate avoidance.


How is this possible?

It appears that many smaller merchants simply outsource their card processing to a third party. Merely using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean they can ignore the PCI DSS. A smaller merchant processing fewer than 20,000 eCommerce transactions per year, fully outsourced, will still need to complete a Self-Assessment Questionnaire (SAQ); the only question is which one applies.


More details on PCI DSS

Merchants store cardholder data and sensitive authentication data on their websites, so that data needs to be secured and kept private. Technology is developing so fast that fraudulent activity keeps growing and businesses face many challenges. That’s why every merchant or payment service provider offering card payment solutions must be PCI DSS compliant. Doing business should be based on trust between merchants and customers, and PCI DSS compliance helps raise the level of security.

Becoming PCI DSS compliant involves undergoing a PCI DSS audit procedure to meet the requirements of the PCI Data Security Standard. The procedure depends on the number of transactions processed per year and is separated into 4 different levels. Level 1 is for merchants that process the highest number of transactions per year, and Level 4 is for merchants that process the smallest number.


It’s not just an IT thing

PCI DSS compliance applies to both the administrative and the technological side of running a business, and the standard is updated regularly. PCI DSS is an ongoing process and responsibility, so you need to build a security strategy into your business. Analyze your website and update it regularly to make sure that all vulnerabilities that could expose cardholder data are fixed.

PCI DSS guidelines include 12 requirements for merchants and payment processors, grouped into six areas. They are:

  • Build and maintain a secure network and systems
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Regularly monitor and test networks
  • Maintain an information security policy

Businesses of all types, small and large, suffer from data breaches. Attackers exploit any vulnerability they can find. They know the majority of small businesses don’t have enough protection and often don’t even implement basic security measures. Large players, on the other hand, can afford expensive security.


How to reduce the risk

When you choose a payment gateway, you only have to be compliant at the most basic level: around 24 questions and no annual scanning. The payment provider takes care of the rest, including payment and data security. Even if the information is entered on your website, it is protected and encrypted by the provider. There are many things to consider when choosing a payment gateway, but you want to choose the one with the highest PCI level to make sure payments processed on your page are better protected. Make a smart decision and give your customers peace of mind. Some payment gateways use advanced technologies such as tokenization, so you can be certain that sensitive data never touches your server.

One of the most important recommendations is: if you don’t need cardholder data, don’t store it.

As you can see, being PCI DSS compliant comes with many benefits. It’s crucial to your customers’ security and affects your business reputation.

There are several advantages to becoming PCI DSS compliant:

  • It protects customers’ card data and reduces the risk of a data breach.
  • It helps you to detect and prevent both physical and network-based attacks.
  • It boosts customers’ confidence in paying by card.
  • It offers a security standard for you to follow.
  • It can improve operational efficiency.
  • It reduces the cost of a data breach.


PCI DSS is not just an “IT problem”

One of the challenges with PCI DSS compliance is the myth that it is strictly an IT problem. Since a major part of compliance has to do with network security, it clearly falls under the umbrella of technology. The reality, though, is that attackers are more likely to find inroads to your sensitive card data through non-technical methods and people. Employees working with card payment systems must be trained on how their role fits within PCI DSS compliance.

You should clean up your PCI DSS compliance before the end of the year. PCI DSS compliance is not a once-and-done project, however: it requires you to meet all of the guidelines every year to maintain compliance.


How can we help?

Contact us to see how we can help you with your compliance, from as little as $199.
