If you are an online retailer or merchant accepting card payments online or storing customer payment information, you should be aware of the importance of the Payment Card Industry Data Security Standard (PCI DSS). The standard applies to all businesses that store, process or transmit payment cardholder data; here we look specifically at online merchants, although the same compliance obligations apply to those taking payments over the phone or via a card/PDQ machine. We’ll dissect what the PCI DSS is, why it is a requirement for e-commerce websites, how to ensure your website is compliant and the potential impact of non-compliance.
First introduced over ten years ago, the PCI DSS was created to protect cardholder data used during payments and transactions, something deemed particularly vulnerable in the early days of online shopping. It sets out a number of security criteria that companies handling such data must meet in order to maintain a secure environment. Failing to be compliant can result not only in expensive fines, but also in a lack of trust from would-be customers.
For an e-commerce site, one of the first things you’ll need to be sure of is that you are able to collect payments online securely. Otherwise your business model becomes very complicated and cannot harness the power and reach of the internet. PCI DSS is not only a standard set out to ensure you are capable of handling sensitive data, but also a requirement to compete in the digital world we live in.
What is the Payment Card Industry Data Security Standard (PCI DSS)?
In terms of security, meeting this compliance means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture and other critical protective measures. In layman’s terms, your site is safe and secure.
When assessing from an operational perspective, it means that you maintain a safe environment for your customers and that payment card data is being kept safe throughout every step of a transaction. Customers can be confident that they’re protected from breaches of data.
To summarise, the PCI Data Security Standard represents a common set of industry measurements that must be met to help ensure the safe handling of sensitive information. It is in place to ensure the security of cardholder data is not breached or vulnerable at any point during a transaction. Even if you are using a third party payment solution, it is your responsibility as a retailer to make sure your customer data is protected.
Does every website have to be PCI DSS compliant?
From large global corporations to small Internet retailers, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept card payments, online or offline. There are a number of different compliance levels and the size of your business will determine the specific compliance requirements that must be met. PCI DSS is intended for all entities involved in payment processing, regardless of their size or transaction volume.
PCI compliance and the internet.
For businesses of any size wanting to sell products or services online, the regulations and requirements you need to meet in order to take payment cards can be somewhat daunting. However, if you fail to comply, you risk fines and potentially losing the ability to take online card payments at all, which can be crushing for businesses that rely on trade from online sales.
The internet has often raised consumer concerns over sensitive data and the security of information provided to make a purchase. As technology evolves, it is essential now more than ever, not only to be able to make revenue online but also to ensure your different revenue streams are compliant and offering customer peace of mind. For example, in-app purchases that drive revenue and other differing revenue streams must offer a safe environment. For many consumers, the idea of entering payment details over the internet is a worrying exercise, but thanks to PCI DSS compliance, sites are now more trusted than ever to handle payments.
A common misconception is that if you don’t store card payment details, you don’t have to be PCI compliant. Unfortunately, the PCI DSS does not just apply to the storage of credit card data but also to the handling of data while it is processed or transmitted over open networks, including the internet. That said, there are many different levels of compliance, and if you choose not to store card data, it does eliminate some of the more complex compliance requirements.
Choosing a PCI DSS compliant server.
Most companies host their websites with a third-party hosting provider, which is perfectly normal. Care and attention must be taken when deciding on a server, as passing physical access audits can be difficult unless the provider is itself PCI DSS compliant as a Service Provider.
Am I PCI compliant if I have an SSL certificate?
No. Although we recommend having a Secure Sockets Layer (SSL) certificate, it does not secure a server from malicious attacks or intrusions. SSL certificates provide the first tier of customer security and reassurance, but this is not sufficient to be compliant. SSL only encrypts data in transit between the customer’s web browser and the terminating server, whereas PCI DSS compliance covers vulnerabilities both within the browser-facing application and on the physical server itself. This provides far safer handling of card data between your server and the payment provider.
Why does my site need to be PCI DSS compliant?
Aside from the potential fines and security breaches involved with the mistreatment of card payment information, there are a number of reasons a site should always comply with PCI DSS. Without being compliant, you are leaving your business open to vulnerabilities that may lead to large fines and penalties from card providers. Your business can also be liable under the Data Protection Act. By being compliant, your business is, in a way, insured against fraud and breaches of data security, as you are following all of the guidelines set out in the auditing process.
A key function of an e-commerce website is to keep your customers safe whilst they are shopping. Gaining customer trust is one thing, but retaining it is just as important. If your company is found to be mishandling data, chances are you’ll lose any custom you previously had. Your relationship with your customers, and a reason they may have visited your site, is built on trust. A server breach that compromises their private information can ruin that relationship and sever the potential of any future business.
How do I become PCI DSS compliant?
Card payments online are regulated by the PCI DSS, and there are 12 requirements for compliance which are categorised under the following six sub-headings:
- Build and maintain a secure business network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test business networks
- Maintain a policy that addresses information security
As mentioned earlier, the compliance process can be simplified significantly by not storing any cardholder data. This means that instead, you should use a card reader or point of sale (POS) processor that doesn’t retain data on a business system. You can also use a payment gateway or shopping cart such as those provided by PayPal, Sage Pay and World Pay. This doesn’t remove the responsibility you have for your customers’ data, but it does lower the level of compliance required. The way third-party payment software is integrated will affect which compliance level applies. You can find out your exact compliance requirements from your payment brand or acquirer.
Your website is an essential part of meeting these industry standards, so it is important you use a trusted agency, such as StrawberrySoup, when outsourcing an eCommerce website build. We will make sure your site is built and maintained in line with compliance best practice.
When it comes to taking online payments, broadly speaking, you have two options to choose from:
You can still take card payments and store account data using third-party software, known as a payment gateway. The gateway will store, process and/or transmit account data to collect the money, and your PCI DSS compliance is simplified as a result. There are several ways a hosted payment gateway can be integrated:
- Redirect: customers making a purchase are sent to a payment page hosted by the provider, and are returned to your site once they have completed payment.
- Iframe: a payment form hosted by your payment service provider is embedded inside a page on your website. The customer does not leave your website, but your PCI DSS compliance remains simplified, since you are still not storing, processing or transmitting account data on your own server.
- Direct post: a form on your website sends the card data directly to the payment service provider, so no card data is stored on your server.
Alternatively, you can take payments directly on your website by storing, processing and/or transmitting account data on your own server. You will then be required to comply with a higher level of the PCI DSS. Storing account data on your server certainly has cost implications, and you must also consider the legal requirements for data protection. We recommend you assess all the costs involved and ensure that the payment solution you choose is appropriate for the level of business you anticipate.
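Whichever hosted option you choose, the point of the iframe and direct-post methods is that the customer’s browser never submits card fields to your own server. The following script is an added example, not part of the original article and not StrawberrySoup’s code: it parses a checkout page and reports any form that would post card-like fields back to the merchant’s host. The HTML is constructed for the example, and `shop.example` / `psp.example` are placeholders for a merchant site and a payment service provider.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Substrings that mark an input as carrying card data. Constructed list: substring matching
# is deliberately broad (e.g. "company" contains "pan"), so review hits by hand.
CARD_FIELD_HINTS = ("card", "pan", "cvv", "cvc", "expiry", "exp_")


class FormCollector(HTMLParser):
    """Record each <form> with its action URL and the names of its submitted <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # Inputs without a name attribute are never submitted by the browser; this is
            # how provider-side JavaScript tokenisation keeps card data out of the POST body.
            if attrs.get("name"):
                self._current["fields"].append(attrs["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_card_field(name: str) -> bool:
    """True when the field name looks like it carries card data."""
    lowered = name.lower()
    return any(hint in lowered for hint in CARD_FIELD_HINTS)


def audit_checkout(html: str, merchant_host: str) -> list:
    """Return the forms that would submit card fields to merchant_host (your own server)."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        card_fields = [n for n in form["fields"] if is_card_field(n)]
        if not card_fields:
            continue
        # A relative action (e.g. "/checkout/pay") posts back to the page's own host.
        target = urlparse(form["action"]).netloc or merchant_host
        if target.lower() == merchant_host.lower():
            findings.append({"action": form["action"], "card_fields": card_fields})
    return findings


# Constructed checkout page: one form posting card data to the merchant (the finding),
# one direct-post form to the provider, one token-only confirm form, and a hosted iframe.
SAMPLE_HTML = """
<form action="/checkout/pay" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
  <input name="email">
</form>
<form action="https://psp.example/direct-post" method="post">
  <input name="merchant_ref"><input name="card_number"><input name="cvv">
</form>
<form action="/checkout/confirm" method="post">
  <input name="payment_token"><input data-psp="card-number">
</form>
<iframe src="https://psp.example/hosted-fields"></iframe>
"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_HTML, "shop.example"):
        print(f"card fields {finding['card_fields']} are posted to your own server via {finding['action']}")
```

Only the first form is reported: its relative action resolves to the merchant’s own host and it submits named card fields. The direct-post form targets the provider, and the confirm form carries only a token plus an unnamed input that the browser never sends.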
Steps to remain PCI DSS compliant.
There are three main steps to ensure you continue to adhere to the PCI DSS. Becoming compliant is not the end: compliance is not a single event but an ongoing process. The steps are:
- Assess – identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyse them for vulnerabilities that could expose cardholder data.
- Remediate – fix vulnerabilities and do not store cardholder data unless you need it.
- Report – compile and submit required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with.
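The Assess and Remediate steps begin with finding out where card numbers actually sit in your systems, which in practice often means application logs and database exports rather than the places you expect. The script below is an added example (not from the original article and not StrawberrySoup’s code) of that discovery step in Python: it looks for 13 to 19 digit runs, keeps only those that pass the Luhn check that real card numbers satisfy, and masks them to the first six and last four digits. The log lines are constructed, and 4111 1111 1111 1111 is a widely used test number rather than a live account.

```python
import re

# Digit runs of 13 to 19 digits, optionally separated by single spaces or dashes
# (a constructed candidate pattern; shorter runs such as dates and times are ignored).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn check used for card numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits and replace the rest with asterisks."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid candidate in text as a plain digit string."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def redact(text: str) -> str:
    """Replace every Luhn-valid candidate with its masked form; leave other digit runs alone."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample log. The order reference on the first line is 16 digits but fails the
# Luhn check, and the number on the third line differs from the test card by one digit.
SAMPLE_LOG = """\
2024-03-01 10:15:02 INFO  order=1234567890123456 status=paid
2024-03-01 10:15:03 DEBUG gateway request card=4111 1111 1111 1111 exp=12/26
2024-03-01 10:15:04 DEBUG gateway request card=4111-1111-1111-1112 result=declined
"""

if __name__ == "__main__":
    print("stored PANs found:", find_pans(SAMPLE_LOG))
    print(redact(SAMPLE_LOG))
```

The Luhn check is what separates a genuine finding from the order references, timestamps and invoice numbers that a bare digit-run search would flag; a run that fails it is left untouched so the redacted log is still usable for debugging. Once a log like this is found, the remediation is to stop the debug statement writing the full card number in the first place, not just to mask it after the fact.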
Many businesses ensure that they are compliant in the first instance and then forget about it until it’s audit time. Be sure you are following these regulations at all times to remove the risk of a fine or something more severe.