Online merchants encounter various cybersecurity threats, including card fraud, identity theft, and formjacking. This guide on PCI compliance for merchants teaches you how to combat these threats.
According to Statistica, merchants and card acquirers lost more than $30 billion to debit and credit card fraud between 2020 and 2021.
Businesses that experience data breaches and other cyber attacks also suffer irreversible damage to their images, which manifests in a rapid loss of sales.
PCI compliance stands out as one of the more effective strategies for fortifying your systems and mitigating vulnerability to card fraud and other cybersecurity threats. This is particularly crucial given the evolving tactics of cybercriminals.
This article highlights the importance of PCI compliance for merchants and lays out the best practices for achieving it.
What is PCI compliance?
PCI compliance refers to data security standards that all merchants, banks, and third-party PSPs (payment service providers) must adhere to when accepting, processing, transmitting, and storing customers' credit and debit card data.
PCI compliance consolidates 12 data security standards into what is collectively known as PCI DSS (Payment Card Industry Data Security Standard). PCI DSS is the gold standard for measuring data security in electronic payments.
The PCI DSS outlines the technical and operational standards every organisation that handles payment cards must observe to secure and protect cardholders' data when processing payments.
The PCI Security Standards Council manages PCI compliance worldwide, while enforcement falls on card networks and other PSPs. The council is an independent body established in 2006 by the major card networks to standardise payment data security management.
Why do merchants need PCI compliance?
PCI compliance enhances payment security throughout the electronic transaction process. It reduces your business's vulnerability to attacks when processing cards for payment. These attacks come in these three ways:
- Payment card fraud. Thieves use stolen debit or credit cards or their information to make unauthorised purchases.
- Payment card hijacking. Attackers intercept payment data transmission between merchants and payment processors and redirect your customers to a fake shopping cart.
- Identity theft. Occurs when attackers steal payment card information and pretend to be the card owner to make purchases.
These attacks cost merchants and consumers billions of dollars every year. Complying with PCI DSS guidelines will make it harder for cyber criminals to steal payment data and hijack shopping carts.
PCI compliance confers security and trust. The PCI DSS seal on your website reassures customers that their sensitive financial account information will not be stolen when they use their credit and debit cards to make payments.
Below are 12 the requirements for PCI compliance:
- Install and maintain a firewall to test network connections for impenetrability and prevent access from untrusted networks.
- Change vendor-supplied passwords and update settings to remove unnecessary functionality.
- Protect the data you collect from customers, setting policies for its safe disposal and limiting the type of data you collect.
- Encrypt cardholder data when transmitting it through public networks and set policies against soliciting cardholder data through email, text messaging, live chat and other end-user messaging channels.
- Use anti-virus software, updating and testing it regularly to ensure it works optimally.
- Develop security systems and processes for how you will address vulnerabilities.
- Restrict access to cardholder data to only those who need to know it.
- Assign user IDs to everyone at your company with computer access and ensure they can be authenticated.
- Restrict physical access to cardholder data and employ cameras to monitor sensitive areas and physical equipment.
- Track and monitor access to networks and cardholder data with audit trails, time-stamped tracking tools, and review logs.
- Regularly test systems and processes for vulnerability to access breaches.
- Create, maintain, and disseminate an information security policy that lays out your rules and employees' responsibilities for the technologies you use in your business.
Is PCI compliance mandatory?
PCI compliance is mandatory for any business that stores, processes, and transmits people's credit and debit card data. You are required to renew and validate PCI DSS compliance each year.
Although compliance levels vary by business size - determined by the number of card transactions you process yearly - merchants and PSPs must obtain PCI DSS validation yearly.
PCI DSS compliance is achieved in three steps:
- Assessment - identifying cardholder data, taking an inventory of the IT assets you use to process card data, and analysing them for vulnerabilities.
- Remediation - fixing the vulnerabilities you identified in the assessment stage, prioritising them on their risk level.
- Reporting - submitting a report on your vulnerability assessment and actions to remediate them.
The amount of detail in your report will depend on the level of compliance required for your business size. There are four levels of PCI DSS validation, starting with Level 1 for any business processing over 6 million Visa e-transactions per year and scaling down to Level 4 for businesses processing less than 20,000 Visa e-transactions per year.
PCI compliance levels and rules may differ depending on the card network. But, generally, small businesses are required to complete a Self-Assessment Questionnaire (SAQ). Onsite audits by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA) are mandated for larger businesses.
What are the consequences for PCI non-compliance?
The most significant consequence of failing to comply with PCI DSS requirements is your heightened vulnerability to cybersecurity attacks.
Non-compliance means your systems are inherently weak and vulnerable to data breaches that can expose your customers' sensitive personal and financial account information to criminals.
A data breach and exposure of customers' data will lead to financial penalties, legal suits, and irreparable damage to your business's image. A damaged business reputation often results in the loss of clients spooked by the apparent vulnerability of your systems.
Beyond the above consequences, the penalties and fines from card networks and the PCI Security Standards Council are just as costly. These include:
- Fines of up to $4 million if your card-taking online property is found to be non-compliant,
- Withdrawal of permission to accept credit and debit cards. Credit card networks can suspend you and block card transactions from your payment portal, e-commerce store, or app. This leads to payment failures on your checkout pages, escalating to a rapid loss of sales.
- Liability fraud charges, meaning you will be liable for losses suffered by customers and PSPs due to card fraud emanating from your website.
- Mandatory forensic audits that come with hefty costs of up to $120,000 for Level 1 merchants.
Can you outsource PCI compliance?
PCI compliance improves customer trust and makes your business more resilient to cybersecurity threats. Yet, achieving PCI DSS certification can be a daunting task, especially for small merchants who may lack the necessary expertise and resources to navigate the process independently.
Although every merchant bears the ultimate responsibility for PCI compliance, there are measures you can take to minimise your scope. One way most online retailers 'outsource' or reduce their scope for PCI compliance is by using a PCI-compliant payment gateway.
Using a third-party gateway effectively means you are outsourcing the task of payment processing to the payment gateway, meaning you do not directly process, store, or transmit customers' credit card data when they complete checkout.
Payment gateways require full PCI compliance since they handle their merchant clients' customers' payment card data. Their whole business model relies on robust, impenetrable systems.
Some of the tools payment gateways like Intasend use to safeguard your customers' data are:
- 3D Secure authentication adds a one-time password as an extra step of verifying the identity of people attempting to make online payments using debit cards.
- Tokenisation is a technique that replaces your customers' data with a unique set of numbers when customers enter it on your website. Attackers can't interpret tokenised information.
- Card Verification Value (CVV). The payment gateway will ask for the CVV number to authorise payment. Failure to provide the CVV number means the payer is not in possession of the card and is likely not its owner.
- Device identification. This stops transactions made on devices that have previously been flagged for fraudulent activities. Every internet-enabled device and router has an IP address that identifies it.
While completely outsourcing your PCI compliance responsibility through third parties isn't possible, they are better equipped to manage it than you are. What's important is to choose the right payment gateway.
Best practices for PCI compliance
Ensuring PCI compliance requires embedding it into your company culture, a challenge even for well-resourced companies.
PCI compliance does not entirely remove the risk of card fraud and cyber attacks on your business. It only reduces it.
Therefore, make it everyone's responsibility to uphold data security and observe and report all vulnerabilities to improve your system's resilience incrementally.
Here are some of the ways to improve PCI compliance:
1. Practise good data hygiene.
Good data hygiene entails protecting sensitive information to prevent its theft and unauthorised use. Best practices for this include:
- Using strong passwords,
- Keeping your software up-to-date,
- Avoiding storage of physical copies of cards and receipts and safely disposing of all unnecessary data.
- Using PCI-compliant software and third-party tools,
- Avoiding clicking suspicious links.
You must also limit access to your computers to only a few people in your business whose activity you can track and monitor.
2. Do not solicit customers' payment data through text or email.
It is illegal to ask customers to share their payment data with you over the phone, mail, or email, just as it is to store that information. Customers should only provide this information in a 3D-secure, encrypted checkout environment.
One way to avoid handling customers' sensitive payment information is using a PCI DSS-compliant payment gateway.
3. Train your employees in data security.
PCI compliance requires everyone in your organisation to know why it's essential, what data is sensitive and needs protection, and the consequences of non-compliance.
To ensure everyone plays their part, you must prioritise employee training. Teach them what PCI compliance entails, what they can do individually to promote data hygiene, and why everyone must take responsibility for protecting customers' data.
Your employees are your first line of defence regarding data security. They must know how their actions impact it. Therefore, you must periodically organise training to improve their data security awareness.
4. Use PCI-compliant payment service providers (PSPs).
Using a non-compliant PSP can undo your efforts at maintaining PCI compliance.
You are responsible for the security of your customers' data. You will be held accountable for any data breach, even if its source is traced back to a third-party PSP you work with.
Simplify PCI compliance with Intasend.
Intasend is a 3D Secure, PCI-compliant PSP that combines payment gateway, recurring billing, subscription management, and digital disbursement services to offer online merchants end-to-end payment and collection services.
Intasend reduces your PCI compliance scope, enabling you to focus on your core business while ensuring the security of your customers' payment data.
Sign up with Intasend to conveniently collect online payments on your e-commerce store, streamline the management of your subscription business, and automate your business payments and disbursements.
