PCI Compliance: Keeping Your Ecommerce Business Secure

The immense growth in ecommerce over the last two decades has demonstrated just how much people like the ease and convenience of shopping and buying online. Ecommerce has given people almost limitless options and the scale at which people are embracing online shopping continues to grow substantially every year.

But with more transactions happening online, there is also a greater risk of consumers’ financial information being compromised. These data breaches can be immensely costly for ecommerce businesses with the consequences ranging from fines to chargebacks to lawsuits to higher insurance premiums. In addition to these costs when fraud does happen, 17% of online shoppers surveyed said they didn’t complete a purchase because of security concerns, which is a huge missed opportunity for online merchants.

With such significant costs, it's little wonder that the payments industry has developed and mandated strict security standards. Some merchants find the PCI compliance requirements overly onerous, but they are a condition of accepting card payments online. The standards protect consumers from fraud, and they also protect the merchants and banks who ultimately pay for it.

The High Costs When You’re Not PCI Compliant

Target is a good example of just how costly a security breach can be. The 2013 breach of its customers' credit card and other information has so far cost the company over $162 million (and counting), and was followed by a 46% drop in net profits and an 11% drop in stock value. That does not count anything it will still have to pay out from lawsuits. It only takes one incident to damage your reputation and compromise your ability to do business in the future, and Target is still recovering from this one.

12 Principles of Data Security

The Payment Card Industry Data Security Standard (PCI DSS) contains 12 requirements that companies handling card data must abide by:

  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
  • Protect all systems against malware and regularly update anti-virus software
  • Develop and maintain secure systems and applications
  • Restrict access to cardholder data by business need to know
  • Identify and authenticate access to system components
  • Restrict physical access to cardholder data
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
  • Maintain a policy that addresses information security for all personnel
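The third requirement, protecting stored cardholder data, is the one most ecommerce code actually touches, so here is an added example of what it looks like in practice (this is illustrative code written for this article, not code from the original post or from any payment processor). It applies three rules from PCI DSS v3.x requirement 3: sensitive authentication data such as the CVV is never stored after authorization (3.2), a displayed PAN shows at most the first six and last four digits (3.3), and a stored PAN is rendered unreadable, here with a keyed one-way token (3.4). The HMAC key, the sample authorization record and the log line are all constructed for the demo; 4111111111111111 is a well-known test card number, not a real account.

```python
"""Added example (not from the original article): handling a primary account
number (PAN) the way PCI DSS requirement 3 expects. The key, the sample
record and the log line below are constructed for the demo."""
import hashlib
import hmac
import re

# Constructed demo key. In a real system the key lives in an HSM/KMS and is
# never checked into source control; it only needs to be secret and stable.
DEMO_HMAC_KEY = b"constructed-demo-key-not-for-production"

# Sensitive authentication data (PCI DSS 3.2): must never be stored after
# authorization, even encrypted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin",
                         "pin_block", "track1", "track2"}

# Contiguous 13-19 digit runs are PAN candidates; Luhn filters most noise.
PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip spaces/dashes and validate; raise ValueError for anything else."""
    pan = re.sub(r"[\s-]", "", raw)
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("not a valid PAN")
    return pan


def is_valid_pan(raw: str) -> bool:
    try:
        normalize_pan(raw)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """Display form: at most first six and last four digits (PCI DSS 3.3)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed one-way token for lookups (PCI DSS 3.4). A plain SHA-256 of a
    PAN is brute-forceable because the space of valid PANs is small, so the
    hash is keyed with a secret that the database never sees."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def prepare_for_storage(auth_record: dict) -> dict:
    """Reduce an authorization record to what may persist after authorization:
    no sensitive authentication data, and the PAN replaced by its masked form
    plus a keyed token that can still be used to find repeat cards."""
    stored = {k: v for k, v in auth_record.items()
              if k.lower() not in SENSITIVE_AUTH_FIELDS and k != "pan"}
    pan = normalize_pan(auth_record["pan"])
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = pan_token(pan)
    return stored


def redact_pans(text: str) -> str:
    """Mask Luhn-valid 13-19 digit runs in free text (log lines, error
    messages, support tickets) before the text is written anywhere."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(),
        text)


if __name__ == "__main__":
    # Constructed sample authorization record.
    record = {"pan": "4111 1111 1111 1111", "expiry": "12/27",
              "cvv": "123", "amount": "19.99", "auth_code": "A1B2C3"}
    print(prepare_for_storage(record))
    # Constructed log line: the PAN is masked, the order id (not Luhn-valid)
    # is left alone.
    print(redact_pans("auth ok pan=4111111111111111 order=1234567890123"))
```

The redaction step is the one teams most often forget: full PANs leak through application logs and exception traces far more often than through the database, and logs fall inside scope just like the database does. The regex above only matches contiguous digits, so a PAN typed with spaces would slip past it; normalize input at the boundary rather than relying on redaction alone.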

The Process to Be PCI Compliant

All merchants fall into one of four levels based on their transaction volume over the past 12 months.

Level   Online transactions per year     Required action
4       Fewer than 20,000                Self-assess & annual network scans
3       20,000 to 1 million              Self-assess & quarterly network scans
2       1 million to 6 million           Self-assess & quarterly network scans
1       More than 6 million              On-site assessment by an independent Qualified Security Assessor (QSA)

Once you have determined your merchant level, complete the assessment that applies to it: the appropriate Self-Assessment Questionnaire (SAQ) for Levels 2 through 4, or an on-site assessment by a QSA for Level 1. You then submit an Attestation of Compliance (AOC) as proof. Your acquiring bank verifies compliance using that AOC together with the results of your network scans.

Staying PCI Compliant

As ecommerce continues to grow, PCI compliance is more important than ever to protect relationships, reputation and revenue. While adapting to the changing standards can be challenging, it is well worth the effort.

Originally published at www.paymotion.com on June 26, 2015.
