Credit and debit card payments are convenient for businesses and consumers alike, but both parties live with a persistent fear of data and identity theft. Recent payment security breaches, including those at Target, Walmart, Home Depot and JPMorgan Chase, have eroded consumer confidence, so e-commerce vendors need to treat payment security as a top priority. The best way to guard your customers' payment information is to make sure your business, and any payment processor you rely on, is PCI DSS-compliant.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of security requirements established by the major card brands to make sure businesses that handle card data keep it secure. It applies to any system that stores, processes or transmits cardholder data: point-of-sale systems, online shopping carts, wireless access routers and more, according to the PCI Security Standards Council.
The security requirements are the same for every merchant; what varies with transaction volume is how compliance must be validated (see the levels below). Overall, the PCI SSC describes compliance as a continuous three-step cycle: assess your current payment processing systems to find everywhere cardholder data is stored, processed or transmitted; remediate by fixing vulnerabilities and discarding any cardholder data you do not need; and report the results to your acquiring bank and the card brands. The cycle then repeats, so that new payment methods are brought into scope and kept secure.
The PCI SSC warns that companies that fail to maintain compliance increase their risk of payment fraud. Should a data breach occur, they face the cost of a forensic investigation, refunds and chargebacks, and affected shoppers will take their business elsewhere, leading to lower sales. Ultimately, between fines, potential legal fees and lost jobs, a company could go out of business.
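The "assess" and "remediate" steps above usually begin with finding out where card numbers have leaked into places they should never be, such as application logs. The following Python script is an added example written for this article, not a PCI SSC tool or any vendor's code: it scans constructed sample log lines (the card numbers are the well-known 4111... and 5555... test numbers, not real accounts) for primary account numbers (PANs), confirms candidates with the Luhn check so that a 16-digit tracking number is not mistaken for a card, masks confirmed PANs to the first six and last four digits that PCI DSS permits to be displayed, and flags fields that hold sensitive authentication data (CVV2, PIN), which must never be stored after authorization. The field names and log format are assumptions made for the example.

```python
import re

# Constructed sample log lines for this example (not from any real system).
# Line 2 and line 3 carry Luhn-valid test PANs, line 2 also logs a CVV,
# and line 4 carries a 16-digit number that is NOT a card (fails Luhn).
SAMPLE_LOG = """\
2014-03-02 10:01:07 INFO checkout order=ORD-1234 amount=49.99
2014-03-02 10:01:08 DEBUG gateway request pan=4111111111111111 exp=12/16 cvv=123
2014-03-02 10:01:09 DEBUG gateway request pan=5555 5555 5555 4444 exp=11/15
2014-03-02 10:01:10 INFO shipment tracking=1234567890123456
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields holding sensitive authentication data (assumed field names for the example).
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)\s*=\s*\d+", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str):
    """Return (masked_line, findings); findings is a list of (kind, value) tuples."""
    findings = []

    def _replace(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # e.g. a tracking or order number, leave it alone
        findings.append(("PAN", digits))
        return mask_pan(digits)

    masked = PAN_RE.sub(_replace, line)
    for m in SAD_RE.finditer(line):
        findings.append(("SAD", m.group(1).lower()))
        masked = masked.replace(m.group(0), m.group(1) + "=[REDACTED]")
    return masked, findings


def scan_log(text: str):
    """Scan each line; return [(line_no, masked_line, findings)] for lines with findings."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        masked, findings = scan_line(line)
        if findings:
            hits.append((n, masked, findings))
    return hits


if __name__ == "__main__":
    for n, masked, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {findings}")
        print(f"  masked: {masked}")
```

Masking is a stop-gap for data already written; the remediation the standard expects is to stop the application logging the PAN and CVV in the first place and to purge the old log files. The Luhn check removes most false positives but is not proof of a card number, so review each hit before deleting data in bulk.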
The history of PCI
According to SearchSecurity, PCI DSS had its origins in the late 1990s. Credit card fraud was rampant at the time: between 1988 and 1999, MasterCard and Visa reported losing $750 million. That figure was about to grow as online shopping took hold and e-commerce merchants became more prevalent. Because the Internet was still new to consumers and businesses, security wasn't yet a widespread concern, and technologically savvy fraudsters had easy access to payment data.
Visa recognized the need for better online safety and approved the Cardholder Information Security Program (CISP) in October 1999, making it the first card brand to develop security standards for online payments. By 2000, fraud had cost online merchants $1.5 billion, and the other brands saw the need to prioritize security. Progress was difficult because there was no single standard across brands; even Visa's own domestic guidelines clashed with its international rules.
The initial version of PCI DSS debuted Dec. 15, 2004. It was the first single security standard supported by all five major card brands. By June 2005, any business processing 20,000 or more card transactions per year was required to comply with PCI standards. Then, in September 2006, American Express, Discover, JCB International, MasterCard and Visa formed the Payment Card Industry Security Standards Council, an independent organization to manage and improve payment security standards as the industry evolved.
As the years passed, PCI DSS went through several revisions. The SSC released the Payment Application Data Security Standard (PA-DSS) in 2008. It applied PCI DSS principles to commercial payment applications, ensuring that developers did not store sensitive authentication data such as PINs, full magnetic-stripe data and CVV2 codes after authorization. The SSC continued to release new guidance as the Internet evolved, tackling Web applications, wireless security and tokenization. PCI DSS 3.0, the current version at the time this article was written, debuted in November 2013.
What are PCI certification levels?
In August 2012, Visa reported a compliance rate of 97 percent among its Level 1 merchants, SearchSecurity said. Level 1 is the highest tier: such merchants process over 6 million transactions of a single brand (Visa or MasterCard) each year. They are subject to the strictest validation and must undergo an annual on-site assessment by a Qualified Security Assessor (QSA), which produces a Report on Compliance. Level 2 merchants process 1 to 6 million annual card transactions, while those at Level 3 process 20,000 to 1 million e-commerce transactions. Businesses at the lowest tier, Level 4, receive fewer than 20,000 e-commerce card payments. Merchants at Levels 2 through 4 must have quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) and complete a Self-Assessment Questionnaire (SAQ), according to Online Tech. The levels change only how compliance is validated; the security requirements themselves apply at every level.
Should my business be PCI-compliant?
According to PCI Compliance Guide, any organization that accepts, stores, processes or transmits credit or debit card data must be PCI compliant, regardless of volume; there is no longer a minimum number of transactions. Businesses that are not compliant may be fined $5,000 to $100,000 per month by their acquiring banks, which pass on penalties imposed by the card brands.
Using a compliant payment processor is one of the best ways e-commerce merchants can reduce the risk of a data breach, the guide said. Done properly, with a hosted payment page or redirect so that card numbers are entered on the processor's site rather than yours, no cardholder data is processed, stored or transmitted through your own systems, which keeps most PCI DSS requirements out of your scope. It does not remove your obligations entirely: you remain responsible for choosing a compliant provider, for keeping the web pages that hand customers off to the processor from being tampered with, and for validating compliance each year, typically through the short SAQ A questionnaire.
Following PCI guidelines goes a long way toward securing payment data and assures customers and partners that financial information is protected against identity theft and fraudulent purchases to an industry-wide baseline. E-commerce vendors looking for third-party payment solutions should verify that their providers adhere to PCI DSS, for example by asking for the provider's current Attestation of Compliance.
Brought to you by PacNet Services, your one-stop global payment processing solution.