Published: 12 November 2018
When you run an online business, security is a crucial issue. You need to do everything you can to decrease the risk of payment and data fraud that could damage your brand’s reputation. A data breach is a serious problem: it can cause a loss of sales and of customers who will never return to your site. It also comes with potential financial liabilities such as fines, penalties, fees or higher costs of compliance in the future.
The Payment Card Industry Data Security Standard (PCI DSS) provides steps that all merchants who process card payments, store or transmit credit, debit, or prepaid card information need to follow to provide secure transactions. The main purpose of the PCI DSS is to reduce the risk of debit and credit card data loss. It suggests how this could be prevented, detected, and how to react if potential data breaches occur. It provides protection for both merchants and cardholders.
It is vitally important for your customers to know that their data on your website is secure. They use their debit or credit cards to purchase products or services, and in doing so they risk financial losses. There is also the problem of identity theft. The number of frauds has grown in recent years, so you have to make sure that sensitive data on your website is protected.
PCI DSS compliance is mandatory for every eCommerce merchant that accepts credit or debit card payments on their website. All information entered by customers is sensitive data, so it must be well-protected.
“While PCI DSS compliance is not a law, that doesn’t mean being out of compliance isn’t a big deal,” the mobile payment vendor Square said. “In fact, a 2015 Verizon Data Breach Incident Report found that there were almost 80,000 data security incidents this year. So it’s more important than ever that your payment processing life cycle is secure.”
Importantly, PCI DSS compliance is also required for sites that outsource their card processing to a third party (e.g. PayPal, Stripe, Square, etc.). Even if the eCommerce website never touches card data during the online process, there are many other ways that a merchant may be non-compliant. Let’s take a look at some of the issues here.
PCI DSS compliance applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. All merchants fall into one of four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant levels as defined by Visa
It is estimated that over 76% of all global eCommerce merchants who fall into Level 4 reporting do not fulfil their compliance requirements. This appears to be mainly due to lack of knowledge rather than any deliberate avoidance.
It appears that many smaller merchants simply outsource their card processing to a third party. Merely using a third-party company does not exclude a company from PCI DSS compliance. It may cut down on their risk exposure and consequently reduce the effort needed to validate compliance. However, it does not mean they can ignore the PCI DSS. A smaller merchant, processing fewer than 20,000 eCommerce transactions per year and fully outsourced, will still need to complete a Self-Assessment Questionnaire (SAQ); the only question is which one applies.