Simplifying PCI: What are the risks, and how can merchants remove the burden of compliance?
Guest post from Patrick Juan, Director, Solutions Consultants, Ingenico Enterprise Retail.
Payment Card Industry (PCI) requirements are a minefield of acronyms and, for many merchants, it can be difficult to understand exactly what they need to do to ensure they are compliant. In brief, the PCI standards are a set of security compliance frameworks that merchants must maintain in order to take physical and/or digital card payments either in store, online or on their mobile. Without PCI compliance, merchants will not be able to work with an acquirer and may also be fined by the card schemes such as Visa or Mastercard. To complicate things further, the level of compliance and subsequent reporting required depends on the total volume of card transactions processed by the merchant annually online and in store.
There are two principal standards that merchants must be aware of, both in store and online: PIN Transaction Security (PCI PTS) for payment terminals and the Data Security Standard (PCI DSS) for payment gateways. Merchants need to manage their payment assets adequately, ensuring sensitive cardholder data is secure. To do this, they should use a PCI Point-to-Point Encryption (P2PE) solution. This refers to the process of card data being encrypted at source on a PIN pad and staying encrypted until it reaches a PCI DSS compliant gateway. Using a PCI P2PE solution greatly reduces the merchant's PCI compliance burden. In doing this, merchants should use a provider that is P2PE certified.
This is all easier said than done. However, the important thing to remember is that there are experts available to help you navigate PCI so you can concentrate on your business. Here are some of the frequently asked questions and queries I hear from merchants.
What are the potential risks of PCI compliance for merchants?
Not complying with PCI regulations can result in fines and extra costs when processing card payments. Even more importantly, if a merchant that is not PCI compliant is the victim of a data breach which exposes sensitive cardholder data, they are likely to receive even larger fines. At worst, we have seen fines that reach tens of millions of dollars.
What are the complexities involved with ensuring PCI compliance?
Compliance must be maintained and reported every year. The PCI standards themselves also evolve every three years. As a result, merchants must remain continually vigilant in order to remain compliant in a system that is necessarily fraught with complexities. Large merchants will need to work alongside specialist consultants called Qualified Security Assessors (QSAs) who ensure that merchants uphold the 290 requirements defined by the PCI Council. In order to maintain these requirements, the merchant will have to put in place measures including network scans, penetration tests and staff training, while ensuring their payment devices are also managed properly. This process can cost over one million GBP for large merchants.
How can Ingenico Enterprise Retail help simplify the PCI minefield?
Ingenico Enterprise Retail payment gateways, both in store and online, have upheld the highest level of PCI DSS for many years. As well as this, its in-store payment gateway was one of the first to be fully PCI P2PE compliant. So, when a merchant uses an Ingenico P2PE solution, the burden reduces from meeting over 290 requirements to filling in a short self-assessment questionnaire under the direction of a QSA. Essentially, the PCI DSS compliance exercise becomes a box-ticking exercise.
On top of easing their security fears, merchants can benefit from Ingenico CRM tokens, which act as a secure stand-in for a card number so that merchants can track and understand their customers' behaviour, both online and in store. When a customer shops online, the merchant normally has access to much more of their information, such as name and email address. When that customer later shops in store with the same card, the token lets the merchant recognise not just the card but the customer's identity. Of course, any customer data will need to be managed according to GDPR.
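The following is an added illustration, not Ingenico's code or its real token format, of how a gateway-side token vault lets a merchant link the same card across channels while its own CRM never holds a card number. The vault class, the `tok_` prefix, the CRM structure and the test PAN are all assumptions.

```python
import secrets

class GatewayTokenVault:
    """Constructed model of a gateway-side token vault. The PAN -> token
    mapping lives inside the gateway's PCI DSS environment; the merchant's
    CRM only ever receives the token and the last four digits."""
    def __init__(self):
        self._pan_to_token, self._token_to_pan = {}, {}

    def tokenize(self, pan):
        """Return the existing token for a card or mint a new random one.
        Same card -> same token, so online and in-store purchases link up,
        yet the token is not derived from the PAN and reveals nothing."""
        pan = pan.replace(" ", "")
        if pan not in self._pan_to_token:
            token = "tok_" + secrets.token_hex(12)   # random; vault lookup only
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return {"token": self._pan_to_token[pan], "last4": pan[-4:]}

    def detokenize(self, token):
        """Gateway-only: used when forwarding an authorisation to the
        acquirer, never exposed to the merchant's systems."""
        return self._token_to_pan[token]

class MerchantCRM:
    """Merchant side: customer profiles keyed by token, never by PAN."""
    def __init__(self):
        self.profiles = {}

    def record_sale(self, card_ref, channel, name=None, email=None):
        profile = self.profiles.setdefault(
            card_ref["token"],
            {"last4": card_ref["last4"], "channels": [], "name": None, "email": None})
        profile["channels"].append(channel)
        if name:
            profile["name"] = name
        if email:
            profile["email"] = email
        return profile

def demo():
    """An online sale captures name and email; a later in-store sale with
    the same card lands on the same profile. Constructed scenario."""
    vault, crm = GatewayTokenVault(), MerchantCRM()
    pan = "4111 1111 1111 1111"                     # constructed test PAN
    online = vault.tokenize(pan)
    crm.record_sale(online, "online", name="A. Customer", email="a@example.com")
    in_store = vault.tokenize(pan)
    profile = crm.record_sale(in_store, "in-store")
    return {"same_token": online["token"] == in_store["token"], "profile": profile}
```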
How else can merchants make sure their customers have a secure, yet swift payment experience?
Merchants can work alongside a provider that is PCI compliant and has the scale to offer a reliable, fast and scalable platform. Reliability is imperative so that transaction behaviour can be monitored to detect anomalies. For example, the ability to compare the current number of declined transactions with the number on the same day of a previous week enables merchants to detect problems with a specific store or acquirer before the merchant's head office even notices the issue. Speed is increasingly important in a digital climate where consumers expect to make transactions almost instantly. As well as this, scalability enables merchants to expand problem-free when they gain new customers, open new stores or move into the online or mobile domains.
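As an added example (not part of the original post or Ingenico's platform), the check below implements the same-weekday comparison described above over a constructed transaction log, grouping declines by store or by acquirer so that a fault can be localised. The log format, store and acquirer names, and the alert thresholds are assumptions.

```python
from collections import Counter
from datetime import date, timedelta

def build_sample_log():
    """Constructed log of (day, store_id, acquirer, outcome) tuples.
    Two Mondays one week apart; store-02 is healthy in both weeks while
    store-01 suffers a burst of declines in the current week."""
    log = []
    for day in ("2019-11-04", "2019-11-11"):
        for store in ("store-01", "store-02"):
            for i in range(100):
                declined = i % 20 == 0          # baseline: 5% declined
                if day == "2019-11-11" and store == "store-01" and i % 4 == 0:
                    declined = True             # today: 25% declined
                log.append((day, store, "acq-A", "declined" if declined else "approved"))
    return log

def decline_counts(log, day, key_index):
    """Map each store (key_index=1) or acquirer (key_index=2) seen on `day`
    to a (declined, total) pair."""
    totals, declines = Counter(), Counter()
    for rec in log:
        if rec[0] == day:
            totals[rec[key_index]] += 1
            declines[rec[key_index]] += rec[3] == "declined"
    return {k: (declines[k], totals[k]) for k in totals}

def find_anomalies(log, today, key_index=1, ratio=2.0, min_declines=10):
    """Flag each store/acquirer whose decline rate today is at least `ratio`
    times its rate on the same weekday last week. `min_declines` stops a
    quiet store's handful of declines from raising an alert; a group with
    no baseline data last week is skipped rather than guessed at."""
    last_week = (date.fromisoformat(today) - timedelta(days=7)).isoformat()
    now = decline_counts(log, today, key_index)
    base = decline_counts(log, last_week, key_index)
    flagged = {}
    for key, (dec, tot) in now.items():
        if dec < min_declines or key not in base:
            continue
        base_dec, base_tot = base[key]
        rate_now, rate_base = dec / tot, base_dec / base_tot
        if rate_now >= ratio * rate_base:     # a zero baseline always flags
            flagged[key] = (round(rate_now, 3), round(rate_base, 3))
    return flagged

if __name__ == "__main__":
    log = build_sample_log()
    print("by store:   ", find_anomalies(log, "2019-11-11"))
    print("by acquirer:", find_anomalies(log, "2019-11-11", key_index=2))
```

Grouping by acquirer shows the overall decline rate climbing, while grouping by store pins the problem on store-01 alone.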
In 2019 alone, Ingenico payment gateways processed 7 billion transactions both in store and online, for small, medium and large businesses. All our retail partners benefit from the peace of mind that their PCI compliance requirements are met no matter where our solution sits in their payments cycle, as well as the security this provides. They also benefit from our ability to scale with them; the Ingenico platform can cope with several million transactions per day.
To learn more about PCI or to find out how your company can benefit from the same assurances, get in contact with Ingenico Enterprise Retail today at www.ingenico.com/omnichannel.