The immense growth in ecommerce over the last two decades has demonstrated just how much people like the ease and convenience of shopping and buying online. Ecommerce has given people almost limitless options and the scale at which people are embracing online shopping continues to grow substantially every year.
But with more transactions happening online, there is also a greater risk of consumers’ financial information being compromised. These data breaches can be immensely costly for ecommerce businesses with the consequences ranging from fines to chargebacks to lawsuits to higher insurance premiums. In addition to these costs when fraud does happen, 17% of online shoppers surveyed said they didn’t complete a purchase because of security concerns, which is a huge missed opportunity for online merchants.
With such significant costs, it’s little wonder why the payments industry has developed and mandated strict security standards. While some call PCI compliance standards overly-onerous, they have become required for merchants who want to accept payments online. They not only protect consumers from fraud, they also protect the companies who have to pay for the fraud.
The High Costs When You’re Not PCI Compliant
Non-compliance by merchants can lead to fines ranging from $5,000 to $500,000 and cancellation of a company’s ability to process payments. Along with fines, companies can also face substantial lawsuits and insurance claims from customers and other businesses.
Target is a good example of just how costly security breaches can be. A massive breach of their customers’ credit card and other information in 2013 has resulted in over $162 million in costs (and counting), a 46% drop in net profits and 11% drop in stock value. That is not even counting anything they will have to pay from lawsuits. Unfortunately, it only takes one incident to damage your reputation and compromise your ability to conduct business in the future and Target is still recovering from this breach.
12 Principals of Data Security
The PCI compliance standards are complex and continuously changing. It’s important to note that compliance is an on-going process and safeguards need to be continually assessed and tested for risks and vulnerabilities to your network.
The payment card industry data security standard (PCI DSS) contains 12 principles that companies must abide by:
- Install and maintain a firewall to protect cardholder data
- Don’t use vendor-supplied passwords
- Protect cardholder data
- Encrypt cardholder data that is transmitted across public networks
- Ensure that systems are protected against malware and viruses
- Maintain secure systems and applications
- Restrict those who can access cardholder data
- Authenticate those who access system components
- Restrict physical access to data
- Monitor access to network resources
- Test security systems and processes
- Maintain a policy that addresses information security
The Process to Be PCI Compliant
Becoming PCI compliant is a 3-step on-going process. First, companies must assess their assets and processes for handling payment card information and analyze them for vulnerabilities. Next, companies need to remediate and fix any vulnerabilities found. A major component of this is not storing cardholder data unless you need it. The last step is to compile, report and submit the remediation records and compliance reports to the acquiring bank and card brands you do business with.
All merchants fall into one of four levels based on their transaction volume over the past 12 months.
Requirement Action Level Less than 20,000 online transactions per year Self-assess & Annual Network Scans 4 Between 20,000 to 1 million online transactions per year Self-assess & Quarterly Network Scans 3 Between 1 million and 6 million online transactions per year Self-assess & Quarterly Network Scans 2 Over 6 million online transactions per year Hire independent assessor — Quality Security Assessor 1
Once you have determined your merchant level, your company must do the proper assessments and then submit proof of compliance with the attestation of compliance (AOC) questionnaire. To verify PCI Compliance, the PCI DSS uses your AOC and network scans.
Staying PCI Compliant
It’s imperative that companies meet PCI standards to protect themselves and their customers from security breaches. More than 70% of PCI compliant companies reported they felt substantially more secure than if they were not compliant and 67% of companies are actually planning to increase spending on PCI compliance in the near future.
As ecommerce continues to grow, PCI compliance is more important than ever to protect relationships, reputation and revenue. While adapting to the changing standards can be challenging, it is well worth the effort.