PCI Compliance and Your Website: What You Need to Know
by Arina Smith Ecommerce 07 November 2018
E-commerce seems like a foolproof business idea — until you look closely. Though e-commerce continues to take more and more of the retail market, growing an expected 200 percent between 2014 and 2020, e-commerce entrepreneurs have to jump through several hoops before their online stores can open their digital doors.
One of the tallest, tightest hoops is PCI compliance. Before any business can accept card payments, it needs to prove to the payment card industry (PCI) that it has certain security controls in place to keep payment information private. If you are about to launch your brilliant e-commerce venture, you might want to hold off until you know more about how PCI compliance applies to the web.
More About PCI Compliance:
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is a mandate written and enforced by the Payment Card Industry Security Standards Council. In 2004, in response to an increase in fraud, the five major card companies (MasterCard, Visa, American Express, Discover and JCB) joined forces to create a common set of security rules. Each of the five companies had previously maintained its own security rules; the PCI DSS, as it came to be known, provides a single, more consistent ruleset that merchants can more easily adhere to. Additionally, the five companies combine their power to ensure that the rules are followed by everyone and that punishments for non-compliance are uniform.
You can read the compliance standards in greater detail on the Payment Card Industry Security Standards Council website, which is necessary if you hope to maintain compliance for your business and website on your own. In general, the standards that apply to your business depend largely on the number and size of transactions you process every month. Still, you can get a sense of what you need to do to become compliant by understanding the six “control objectives,” as follows:
- Building and maintaining a secure network and systems
- Protecting cardholder data
- Maintaining a vulnerability management program
- Implementing strong access control measures
- Regularly monitoring and testing networks
- Maintaining an information security policy
It is a merchant’s acquiring bank that is at risk of fines, amounting to anywhere from $5,000 to $500,000 per month depending on the infraction, the perpetrator and other variables. However, acquiring banks can (and often do) pass those fines on to non-compliant merchants, and merchants face other penalties as well: they can lose the ability to accept credit card payments, or they can suffer reputational damage and public backlash because of the insecurity. Thus, it is well worth your effort to ensure your e-commerce website is fully compliant with the PCI DSS.
Is Your Website Already Compliant?
If you are like the hundreds of e-commerce businesses that use e-commerce platforms to sell their wares, you might already be PCI compliant. Then again, you might be trusting a web host or cart provider that you shouldn’t, leaving you non-compliant and open to severe penalties.
A good way to verify is to use a PCI compliance scan. This service surveys your website for vulnerabilities through which cyber criminals might gain access to your customers’ card information. The scan provider can then suggest changes to your website to ensure that cardholder data remains appropriately secure. Some PCI compliance firms will also assist you in generating and submitting compliance reports to your acquiring bank and the Payment Card Industry Council.
It’s worth considering signing up for such a service if you don’t want to invest too much time, energy and money in understanding PCI compliance. Otherwise, you must meticulously research your web host and cart provider while keeping a tight leash on your employees on an ongoing basis. Fortunately, the PCI council does offer resources on its website, including a list of validated payment applications that are already accepted as PCI compliant. Still, you should prepare for an interminable battle against non-compliance: as software is updated and hardware is replaced, your compliance status might change, and you don’t want to be surprised by a several-hundred-thousand-dollar fine or an inability to accept card payments.
If you have already launched your e-commerce website and accepted card payments, you might already be PCI compliant, but it doesn’t hurt to check. By setting up regular compliance scans and monitoring your compliance status on a regular basis, you can avoid the severe costs that come paired with website insecurity.