Payment Card Industry (PCI) compliance is a requirement for businesses in credit card processing environments. All businesses that process, store, or transmit credit card data electronically are expected to comply with these guidelines, for the obvious reason of protecting cardholders' data. While seasoned business owners understand the importance of staying on the right side of PCI compliance, new merchants are often caught by surprise as they prepare to receive payments from customers. By the end of this article, it will be clear why complying with PCI DSS is crucial for entrepreneurs who intend to maintain a healthy bottom line (a vital goal of every business).
PCI compliance was a product of necessity. In the late 1990s and early 2000s, electronic data interchange and teleshopping paved the way for the modern-day e-commerce store. Fast forward to today, and the thought of living without eCommerce seems complicated, unfathomable, and inconvenient to many. Business people saw a whole range of opportunities to increase revenues, offer their customers service around the clock, and venture into markets beyond geographical boundaries.
But this happened
The new upheaval of eCommerce trade also caught the eyes of the bad guys. The rise of eCommerce provided a fertile environment for crafty cybercriminals to infiltrate payment networks and card processing systems for illegal gain. Their activities ranged from identity theft to vandalism and even theft of classified government information. These technologically savvy individuals spared no one: they targeted large corporations and naive individuals, and preyed on small businesses, especially startups that took time to put security measures in place. To obtain personal information, credit card scammers use all sorts of tricks, ranging from Wi-Fi hotspots to phony phone calls and emails. A report by the Anti-Phishing Working Group found that by 2018 there had been a 46% increase in phishing websites.
Another study found that 80-90% of log-in traffic to retail eCommerce sites is fraudulent. Unfortunately, law enforcement agencies found it difficult to handle this new type of crime: first, because there was a shortage of investigators skilled in this kind of technology, and second, because as the internet grew in sophistication, so did cybercrime. Luckily, the payment card industry's leading credit card brands, Visa, American Express, Discover, MasterCard, and JCB, came together and created a comprehensive standard for all merchants in the payment cycle. This is how PCI compliance came about; the intention is to slow the proliferation of cybercrime.
Becoming compliant with PCI DSS
The first step to becoming PCI compliant is analyzing where you stand, because security risks differ from business to business. Your position is measured by how you handle data and customer transactions, and by which banks and credit card companies you work with; this dictates which level of compliance you need to adhere to.
A quick look at MasterCard's and Visa's recommendations will help you understand where you fall. The next step is to fill out a Self-Assessment Questionnaire (SAQ), a document containing questions that help you measure your current compliance level. Although there are nine different versions of the assessment guidebook, you only need to fill out the one that applies to your business. Nothing complicated here: for every requirement there are only three options, "yes," "no," or "N/A," so you tick the appropriate one. The ultimate goal of this guidebook is to help you identify the missing pieces of your eCommerce payment data security. After taking the test, most eCommerce businesses will find that they fall short of at least one criterion.
After identifying the gaps, the next step is to fix all the vulnerabilities identified. One way to do this is to eliminate the storage of sensitive data on your local servers as much as you possibly can. You can consider data tokenization, a service offered by providers who specialize in securing customers' sensitive credit card data in a secure, web-based portal; the merchant keeps only a token that stands in for the card number. In essence, tokenization helps to reduce merchants' PCI scope and expense. After sealing all the loopholes, you're expected to file a formal Attestation of Compliance (AOC), a declaration that your business is fully PCI compliant. There are more technicalities to PCI compliance that may become a little confusing, and if you're not an expert in payment processing, it can all seem daunting. That's why PCI has a list of Qualified Security Assessors (QSAs) who can walk you through the process.
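To make the scope-reduction idea concrete, here is an added Python example (not code from the original post or from any tokenization provider). It simulates a provider's vault as an in-process class, keeps only a random token and the last four digits on the merchant side, and includes a scan that flags card-number-like strings in merchant logs so you can check that no card number crept back into scope. The `TokenVault` class, the `tok_` token format, the sample log lines and the use of the well-known Visa test number 4111 1111 1111 1111 are all constructed for this example.

```python
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation: catches mistyped numbers, not fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, the part a merchant may display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the tokenization provider's vault (constructed for this
    example). It is the only component that ever sees the full card number;
    in a real deployment it runs at the provider, outside the merchant's systems."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        # Same card -> same token, so recurring billing works without the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random token with no mathematical relation to the PAN: a leaked
        # token cannot be turned back into a card number without the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault/processor side calls this, to actually charge the card."""
        return self._pan_by_token[token]


def record_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant stores: token plus masked number, never the PAN."""
    token = vault.tokenize(pan)
    return {
        "token": token,
        "last4": mask_pan(pan.replace(" ", "")),
        "amount_cents": amount_cents,
    }


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan merchant-side text (logs, DB exports) for anything that looks like a
    real card number. Any hit means cardholder data is back in PCI scope."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


# Constructed sample log lines; line 2 shows a debug statement leaking a card number.
SAMPLE_LOG = """\
2024-05-01 12:00:01 order=1001 token=tok_example last4=************1111 amount=1999
2024-05-01 12:00:02 DEBUG raw request: card=4111 1111 1111 1111 exp=12/29
2024-05-01 12:00:03 order=1002 phone=+1-555-0100-2233
"""

if __name__ == "__main__":
    vault = TokenVault()
    order = record_order(vault, "4111 1111 1111 1111", 1999)
    print("merchant stores:", order)
    print("leaked card numbers in log:", find_pans(SAMPLE_LOG))
```

Run over real log exports, `find_pans` is a cheap way to verify the claim you will make on the SAQ and AOC: that card numbers never land on merchant systems. The Luhn check keeps the scanner from flagging every long number (timestamps, order ids), while the masked `last4` value in the stored record is deliberately invisible to it.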
If your eCommerce business accepts credit card payments, it's critical to comply with the Payment Card Industry Data Security Standard (PCI DSS). Otherwise, the card data you hold can be used by internet fraudsters for their own gain, at the expense of your business partners, consumers, and card issuers. And the sad thing is that if your company's data is breached, you could be held liable for not complying with PCI DSS.
This post was sponsored by Reciprocity Labs