Comment – Are you ready for PCI compliance?
Recently publicised high-level data breaches at organisations have reminded us all that online payment fraud remains a constant challenge for e-retailers, and have further reinforced the importance of achieving PCI compliance for your online business.
By Michael Norton
PCI DSS is a multi-faceted security standard that includes requirements for data security and helps organisations that process card payments prevent credit card fraud, hacking and various other security vulnerabilities and threats.
From October 1 PCI compliance will go from best practice to mandatory. All merchants processing less than one million transactions annually must process using a PCI DSS certified provider or provide certification of their own PCI DSS compliance to their acquiring bank. This mandate follows changes to Visa’s Account Information Security Programme.
Acquiring banks are required to provide reports to Visa and MasterCard on all merchants with non-compliance issues. The resulting fines levied by the card schemes can be high. Daily fines can be levied and card processing facilities can be suspended if your system subsequently experiences a security breach.
A commonly held myth is that merchants need only complete a self-assessment questionnaire to become PCI compliant. If they are using their own payment pages, merchants need to ensure that they comply with all 12 PCI DSS requirements.
Quarterly scans of the business network need to be done if cardholder data is stored, transmitted or processed on the network. This also affects MOTO (mail order/telephone order) merchants that process card payments via a virtual terminal, even if they do not also process payments online.
PCI compliance can be very complex and costly in more ways than one for online businesses with limited resources. To tackle online debit and credit card fraud, the card schemes are constantly updating the security standards. Rigorous monitoring of PCI DSS is often called for, which can be especially difficult for smaller businesses that often don’t have the in-house expertise to manage it.
To remove the burden of securing your site, merchants would do well to opt for a hosted payment solution, so that security management is outsourced to a third party. This is a real advantage given the difficulty of keeping abreast of the changing nature of fraud techniques and, by association, of fraud-busting measures. As the security landscape throws up new challenges, merchants that have opted for a hosted payment solution can be confident of being updated and continually protected by default.
Another major advantage to being able to visibly demonstrate compliance via an approved industry service provider is that it helps instil trust in your brand. Carrying a recognisable payment logo on a website, such as the PayPoint shield for example, reassures customers that the merchant is working with a PCI DSS compliant provider.
Merchants can contact their payment service providers, who should be able to offer advice based on the merchant’s payment processing package. PayPoint.net has also issued a guide to getting PCI compliant, with information on what steps you need to take to meet the requirements.
Michael Norton, managing director of PayPoint.net