What Is PCI Compliance and Why eCommerce Stores Need It

PCI Compliance and Your eCommerce Store

The Payment Card Industry Data Security Standard (PCI DSS) protects consumers' financial information, and compliance applies to any company that handles card data, whether it sells through brick-and-mortar stores or online. In the past the rules were rarely enforced except against major corporations that process millions of transactions, but recent changes have extended enforcement to organizations of every size. B2B eCommerce companies must comply with all applicable security standards or face fines, penalties and the possible loss of their right to accept credit cards. Merchant responsibilities grow even more confusing because the four major card brands (Visa, MasterCard, Discover and American Express) have each issued their own guidelines and compliance levels for secure credit card transactions, and these vary from brand to brand. The mix of compliance levels and requirements can be bewildering for B2B companies that aren't used to online payments and compliance issues because they have always relied on purchase orders, in-house accounts and billing. However, more customers want to pay online, and becoming compliant is critical to protecting their financial information. B2B customers increasingly conduct much of their business on eCommerce platforms, and even a hint that a site could be compromised may send them elsewhere. In 2014, the average cost of a data breach was $5.9 million, or $191 for each compromised transaction.[1] Although compliance reduces the risk of serious breaches, attacks continue to increase: an astonishing 707,509,815 breaches were reported in 2015.[2]

What Online Merchants Need to Know About PCI DSS Compliance

Meeting the standard usually involves B2B companies and their banks or payment processors, which act as intermediaries between the merchant and the five card brands that make up the PCI Security Standards Council (PCI SSC): Discover, JCB, MasterCard, American Express and Visa International. In cases of noncompliance, the payment brands fine the banks anywhere from $5,000 to $100,000 per month for violations, and the banks usually pass these fines along to merchants or terminate their relationships with offending merchants. Such fines and sanctions could prove devastating to any organization, so complying with the security guidelines and best practices has become essential for online merchants.

The Basics of Compliance

The regulations apply to any company that receives, transmits or stores protected financial information. Protected data includes cardholder names and account numbers, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and full magnetic stripe data. There are six main areas that merchants must address to be in compliance:

  • Secure Network: System architecture must include an installed and maintained firewall, and vendor-supplied default passwords must be changed.
  • Protection of Data: All stored data must be protected, and any transmission of this information must be encrypted.
  • Vulnerability Management: Companies must implement, use and update antivirus software and develop secure systems and their associated applications, all of which must be maintained.
  • Access Control: Access to data must be limited to staff who need to know, and each person must have a unique ID to gain access. Physical access to protected information must be restricted.
  • Monitoring and Testing: Companies must regularly monitor and test their networks, security systems and internal processes.
  • Information Security Policy: Each merchant needs to develop and maintain a security policy and train its staff in security best practices.

These security requirements are further complicated by different levels of compliance. For example, companies that don't store cardholder data don't need to protect stored cardholder information, but they may still be required to combine physical and virtual security to prevent theft of data while it is being processed. Best practices include never storing PINs or card validation codes after they have been transmitted for authorization to the company that processes the transaction. If using a third-party hosting service, the host must meet minimum standards, and a company official should ask for documentation that the hosting plan is PCI-compliant. For PCI compliance, Level 4 merchants handle 20,000 or fewer transactions annually, and Level 1 merchants process more than 6 million transactions each year.


Credit Card Companies Issue Their Own Standards

These requirements grow more complex because each card brand has its own security requirements and compliance levels. Visa classifies companies that process up to a million transactions as Level 4 merchants, but MasterCard classifies those same companies as Level 3. American Express has no Level 4 but may classify some merchants processing under a million transactions as Level 2. Level 3 merchants at American Express must provide quarterly vulnerability scans by Approved Scanning Vendors (ASVs), which can identify weaknesses in a company's operating systems, applications, networks and connected devices. The other card brands have different scanning requirements, so it's critical to check with each of them to ensure compliance. Although these requirements aren't legally binding, a company must comply if it wants to keep its right to accept electronic payments. All these different levels and regulations create a minefield for B2B companies, especially those without digital payment experience. However, not accepting online payments just isn't a viable option in today's competitive markets, where customer convenience and user experience outweigh concerns about the red tape involved in accepting payments. In fact, most eCommerce platforms accept multiple payment options for their customers' convenience.

Challenges of Protecting Financial Data

Protecting financial information requires active participation, training staff in security practices and ongoing maintenance of PCI DSS controls. Many companies pass their annual assessment but fail to maintain security throughout the year. A Verizon report found that only 11.1 percent of companies maintained their vigilance throughout the year and that 82 percent of organizations complied with only part of the requirements.[3] A serious data breach, however, could expose any company to lawsuits, fines and loss of business from the public-relations damage that follows most breaches.

Utilizing a Third-Party Tokenization Provider

One solution for handling credit card data securely is to use a third-party vault and tokenization service. Under this approach the merchant sends the card information to an approved provider's "vault" and receives a token for each billing session. The token stands in for the card details in the merchant's own systems, so the merchant never has to store or protect cardholder data.
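The following Python example is added here to illustrate the two practices described above: handing the card number to a vault in exchange for a token, and never persisting the validation code after authorization. It is not code from the original article or from any real tokenization provider; the `TokenVault` class is a hypothetical stand-in for such a provider, and the card number is a constructed test value.

```python
"""Added example: merchant-side tokenization flow (hypothetical vault, constructed data)."""
import secrets
from dataclasses import dataclass, asdict


def luhn_valid(pan: str) -> bool:
    """Basic Luhn check so obviously malformed numbers are rejected before
    anything is sent to the vault. Not a substitute for authorization."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical third-party tokenization provider.

    The PAN lives only inside the provider; the merchant ever sees the token.
    A real provider exposes this over an authenticated API, not as a class."""

    def __init__(self) -> None:
        self._pans: dict[str, str] = {}   # token -> PAN (provider side only)

    def tokenize(self, pan: str) -> str:
        # A fresh random token per billing session: it is not derived from the
        # PAN, so it cannot be reversed or guessed from the merchant's database.
        token = "tok_" + secrets.token_hex(16)
        self._pans[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Provider charges the underlying card; the merchant only supplies the token."""
        pan = self._pans.get(token)
        if pan is None:
            raise KeyError("unknown token")
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


@dataclass
class MerchantCardRecord:
    """What the merchant is allowed to keep: token, last four digits, expiry.
    Deliberately no field exists for the full PAN, PIN or CVV."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


def store_card_for_billing(vault: TokenVault, pan: str, cvv: str,
                           exp_month: int, exp_year: int) -> MerchantCardRecord:
    """Merchant flow: validate, hand the PAN to the vault, keep only the token.

    The CVV is used for the initial authorization request (represented by the
    tokenize call here) and is intentionally dropped afterwards."""
    if not luhn_valid(pan):
        raise ValueError("card number failed Luhn check")
    if not (cvv.isdigit() and 3 <= len(cvv) <= 4):
        raise ValueError("validation code must be 3 or 4 digits")
    token = vault.tokenize(pan)
    return MerchantCardRecord(token=token, last4=pan[-4:],
                              exp_month=exp_month, exp_year=exp_year)


def record_free_of_card_data(record: MerchantCardRecord, pan: str, cvv: str) -> bool:
    """Check that nothing destined for the merchant database equals the PAN or CVV."""
    values = [str(v) for v in asdict(record).values()]
    return all(pan not in v and v != cvv for v in values)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number (a well-known Luhn-valid test pattern, not a real account).
    rec = store_card_for_billing(vault, "4111111111111111", "123", 12, 2030)
    print("merchant stores:", rec)
    print("charge result:", vault.charge(rec.token, 1999))
```

The point to notice is the shape of `MerchantCardRecord`: because the merchant's schema has no place for the PAN or the validation code, the stored data falls outside the "Protection of Data" requirement entirely, and a compromise of the merchant database yields only tokens that are useless without the provider.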

Configuring a Secure Network

Depending on a company's hosting decision, it's essential either to choose a provider with a strong firewall configuration or to configure the platform's architecture so that it allows outside access while protecting the data that is subject to PCI or other security requirements such as HIPAA. The best solution for B2B companies that operate a dynamic platform is to hire a developer to reconfigure their site architecture to meet the many demands of a busy eCommerce platform. These demands include meeting security standards, erecting barriers against malware and protecting customers while still allowing access to website features and third-party resources. B2B platforms generally require security both inside and outside the firewall perimeter.

Dealing with Confusing Levels of Technical Compliance

Security in the digital age involves highly technical issues, including reconfiguring site architecture and determining which level of compliance applies to your company. The risks aren't limited to fines for noncompliance; they include your company's reputation with clients, and a major security breach could easily damage your business beyond repair. That's why it's critical to choose a development partner experienced in the intricacies of PCI DSS compliance. A trusted development partner can configure your systems to stay compliant without damaging your ability to connect with third-party resources, customers and staff members who access the platform's features from mobile devices.

[1] Kroll.com: Data Security Statistics. www.kroll.com/en-us/cyber-security/data-breach-prevention/cyber-risk-assessments/data-security-statistics
[2] Safenet-inc.com: 2015 Data Breach Statistics - Breach Level Index Findings. www.safenet-inc.com/resources/data-protection/2015-data-breaches-infographic/
[3] Computerworld.com: Maintaining PCI compliance is a big challenge for most companies. www.computerworld.com/article/2487457/malware-vulnerabilities/maintaining-pci-compliance-is-a-big-challenge-for-most-companies.html