PCI Compliance For E-Commerce Websites

Written by neatly.io on 21st May 2018

If you accept, store or transmit credit or debit card data of any kind, your business must be PCI-compliant.

It doesn’t matter if:

  • You’re a freelancer or a multinational
  • You run a charitable or for-profit enterprise

Compliance is a Payment Card Industry (PCI) requirement for all card-handling organizations. The data security guidelines that make up this requirement are designed to help safeguard sensitive financial information and reduce payment fraud.

However, PCI compliance is especially important for:

  • E-commerce merchants. Thieves often exploit the anonymity that online shopping provides. The more data security protections you have in place, the less vulnerable you are to fraudulent attacks.
  • Small business owners. Criminals frequently target smaller businesses because they lack the IT and data security expertise to protect themselves.

If you’re an e-merchant who runs a small business, how do you become PCI-compliant?

PCI Compliance at a Glance

PCI compliance encompasses 12 broad security measures designed to prevent credit and debit card data from falling into the wrong hands.

Many of these security steps are obvious, such as:

  • Not using the default passwords that come with software applications or hardware
  • Restricting access to payment data on a need-to-know basis among your employees, vendors and suppliers

These are basic precautions every business owner should take, even in the absence of PCI requirements.

However, there are additional steps that may be unfamiliar if you’ve never gone through the compliance process. Some of the bigger ones include:

  • Taking an annual Self-Assessment Questionnaire (SAQ). This is an internal audit in which you assess the health of your current payment environment through a series of yes/no questions.
  • Conducting a vulnerability scan. This is an external audit that analyzes potential security threats. These evaluations are usually conducted by an Approved Scanning Vendor (ASV).
  • Installing a Secure Sockets Layer (SSL) certificate. This security credential establishes an encrypted connection between your e-commerce site and end-users. With this SSL certificate in place, your site's address changes from “http” to “https”.
  • Protecting your IT infrastructure. Under current PCI rules, merchants are expected to install relevant patches, upgrades, antivirus software and malware detection on all of the devices they use to run their businesses.
  • Encrypting cardholder data. Any credit or debit card information must be properly encrypted, especially when this data is sent across unsecured, public networks.

In addition to these official requirements, there are a number of security steps that fall more under “best practices.”

As an e-commerce merchant, for example, you should require all online shoppers to provide their three-digit card verification values (CVVs) and billing address during the checkout process. Thieves are less likely to have access to these additional payment details. By requesting this information, you can reduce the amount of fraud within your online store.

Is PCI Compliance Truly Worth the Cost?

Security checks, vulnerability scans and software upgrades all require substantial investments of time and money. Many merchants are hesitant about taking on these ongoing costs.

However, noncompliance comes with its own costs. For starters, your bank or processor might hit you with fines that can range anywhere from $5,000 to $100,000 if your business is breached.

Moreover, noncompliance also increases your fraud exposure. So, in addition to covering losses out of pocket, you could also face litigation and legal fees — not to mention all those lost sales stemming from diminished consumer confidence.

Furthermore, if your business gets hit with enough fraudulent attacks, you risk losing your merchant account altogether.

Have More Questions About PCI Compliance?

This article isn’t meant to scare you, but there are consequences for businesses that decide to avoid or delay the PCI compliance process. These dangers will be more pronounced as data breaches and cyberattacks become more common throughout the payment industry.

Becoming PCI-compliant isn’t easy. Nor is it a one-time fix, since fraudulent strategies continuously evolve. But compliance is necessary for any organization that relies on card-based payments.

Author bio: Kristen Gramigna is Chief Marketing Officer for BluePay, provider of fast, easy and secure payment processing solutions. She brings more than 25 years of experience in the bankcard industry in direct sales, sales management and marketing.