The Green Sheet Online Edition
September 11, 2017 • Issue 17:09:01
Helping merchants with PCI compliance
Those of us working in the payments industry know card data security matters to every business that accepts payments. For ecommerce and brick-and-mortar merchants alike, understanding and managing the scope and substance of compliance rules can pull resources away from critical business needs. Thus, many choose to outsource some responsibilities related to ongoing data security.
However, whether they rely on security professionals or handle data security in-house, all merchants must have a basic understanding of the Payment Card Industry (PCI) Data Security Standard (DSS). This article provides a refresher to aid in merchant education.
What is PCI DSS?
The PCI Security Standards Council is the worldwide payments industry organization that manages the PCI DSS. Founded by Mastercard, Visa, American Express Co., Discover Financial Services and JCB International Credit Card Co. Ltd., the council sets the rules for card-data security. The standard covers PIN transaction security, payment applications, network security, anti-virus practices, software and operating system updates, internal security, system monitoring and testing, and other items related to keeping card data safe.
All merchants and other organizations that accept, transmit or store card data are required to comply with the PCI DSS, which is revised regularly as security threats evolve. For example, there is a June 2018 deadline for organizations to move from secure sockets layer (SSL) and early transport layer security (TLS) protocols to TLS 1.1 or higher to reduce the risk of data breaches.
Because the threat landscape is always changing, PCI DSS compliance is not a one-time project but an ongoing process. And because any loss of card data raises the fraud risk for all merchants, a merchant that accepts even one card payment must be PCI DSS-compliant to avoid liability in case of a breach.
What must merchants do?
Compliance begins with a PCI self-assessment questionnaire or by hiring a qualified security assessor to find vulnerabilities and develop a plan to fix them. That's just the start, though. In addition to global PCI data, device and network security standards, each card brand crafts its own compliance standards within the PCI DSS framework. That means merchants who accept multiple card brands may have to contend with several similar but not identical compliance rule sets. Obviously, this is a major undertaking.
The scope and complexity of the rules are why many merchants choose to outsource as much of their PCI compliance as possible. Merchants who choose a payment gateway, payment processing service, and fraud-detection service that are PCI DSS-compliant have fewer compliance tasks to manage in-house – although they must still meet PCI specifications for network security, employee security, protection for incoming card data and other requirements.
Why comply with PCI DSS?
In the face of such complex requirements, some small business owners may wonder if PCI DSS compliance is worth the effort. They need to be reminded that PCI DSS compliance helps protect merchants and businesses that handle card data from the consequences of data breaches, like fraud losses, loss of customers and sales due to eroded trust, fines and penalties from banks and card brands, and the cost of lawsuits and judgments. Card brands and merchant banks may stop doing business with merchants who are noncompliant, so in the worst-case scenario, the consequence for noncompliance is business failure.
Even less severe consequences are costly. While breaches at major retailers make headlines, small businesses are often hit harder than larger ones because of their comparatively low cash reserves and less robust security resources. Small businesses that suffer data breaches lose an average of $20,752 as a result – and small businesses are disproportionately the targets of criminals, who know they're usually easier to crack than major retailers. Given a choice between costly business risks and ongoing compliance efforts, compliance is by far the best choice.
What to consider when outsourcing?
The PCI DSS provides payment protection resources for small merchants, including a guide to common payment systems used by small and midsize businesses, lists of validated payment applications, and lists of compliant payment-service and software providers. These providers can include payment processors and gateway services, payment application vendors, fraud-protection services, and e-commerce web hosting services.
Outsourcing portions of PCI DSS compliance to payment and fraud-screening vendors can help prevent data breaches and protect customer data, while also freeing up business owners and managers to address such issues as password management and physical data security, as well as focus on their core business goals.
Merchants evaluating their options should keep in mind that any vendor that handles card data on behalf of a business should be able to answer questions about its data capture and transmission security services, guarantee ongoing PCI DSS compliance, and provide ongoing maintenance plus proof of PCI DSS compliance at least once a year.
Rafael Lourenco is the Executive Vice President at ClearSale, a card-not-present fraud prevention operation that protects e-commerce merchants against chargebacks. ClearSale is the only solution of its kind that does not auto-decline; its manual review process ensures that suspect transactions are never denied outright, which provides the highest approval rates industry-wide and virtually eliminates false positives. Please follow the company on Twitter at @ClearSaleUS or visit https://clear.sale/.