The increasing use of paying with plastic in person and the increase in online credit and debit sales is all about convenience for the consumer. However, one of the greatest worries in making these types of purchases is putting your personal information out into the world where it may be at risk. There seem to be constant headlines about payment card information (think your name, address, credit card number, etc.) breaches and identity theft.
You run a small online store, so what steps are reasonable for you to do to protect your customer’s information? Even further, what steps are you REQUIRED to do to comply with industry standards?
The Council and PCI Compliance
The Payment Card Industry (PCI) Security Standards Council was founded by five global payment brands: American Express, Discover, JCB International, MasterCard, and Visa. The Council is the organizing body in charge of PCI DSS (Payment Card Industry Data Security Standards). They create the standards, amend the standards, provide support to merchants regarding compliance, educate merchants regarding the standards, etc. The Council is open to all stakeholders to become members and thus play a role in any future changes to the standards.
PCI DSS are meant to ensure that all merchants who process, store, or transmit credit/debit card information maintain proper security protocols in order to protect the consumer’s personal information. As the standards are not law themselves, merchants may or may not be required to follow them. This will largely be determined by any contractual obligations you might have with your payment processor. Whether you are required to or not, some steps should be taken to protect your customer’s information.
Who has to be in PCI DSS Compliance?
Generally, all merchants that handle credit card or debit card information in any way are likely required to adhere to the PCI DSS. This includes taking credit or debit information in person, over the phone, and online.
Depending on your aggregate number of transactions in a 12-month period, your business will be given a tier classification. This classification will tell the merchant which set of standards they will have to follow to be in compliance. The larger the merchant the more standards they will be required to meet in order to be considered compliant.
If you are required to comply with the PCI DSS standards and fail to do so, you may be subject to an array of disciplinary actions. Some examples include fines, being moved to a higher compliance tier, or even loss of the ability to accept credit and debit cards. The individual payment brand, not the Council, handles enforcement of non-compliance measures.
What do you have to do to be in Compliance?
Most small businesses have to follow these steps in order to be in compliance:
- Determine which of the PCI Security Standards Council’s Self-Assessment Questionnaire (SAQ) applies to your business.
- Complete the SAQ (validation.)
- Complete a vulnerability scan with an approved scanning vendor (ASV.)
- Obtain evidence of a “passed” scan.
- Complete the Attestation of Compliance.
- Submit the SAQ, evidence of passed scan, and Attestation of Compliance to the acquirer (the entity that processes the transaction, such as your bank.)
Generally, in order to remain in compliance, you must submit quarterly scans and conduct annual validation (SAQ.)
Should You Comply?
The PCI DSS standards are not law, so why should you spend the time and money to be in compliance?
First off, you may be legally required to do so if you have signed a contract with your payment processor that requires PCI DSS compliance. Even if you are not legally required to be PCI DSS compliant, the safeguarding of your customers’ information is of vital importance to your business. If you lose the trust of your customers in protecting their information, then you will lose sales.
It is especially important for small merchants to take the safeguarding of payment card information seriously as small merchants are being targeted at an alarming rate. More than 80% of attacks searching for credit/debit information are directed at small merchants. Not only are small businesses targeted more, but the effects of a breach are much worse on a small business. For example, the effect on a small business could be closing the business versus a large corporation paying for credit monitoring for affected customers.
Whether you are legally required to be PCI compliant, choose to be compliant, or neither, you need to make sure you are taking steps to guard payment card information!
Third-Party Handling of PCI Compliance
If you are far from tech savvy or simply don’t have the time to deal with it, there are ways to have a third party handle your compliance. For example, there are methods of selling online that allow another company to deal with the credit and debit card information entirely. Thus, all PCI is handled only by their company and not by you. PayPal is one such platform. There are also companies that provide PCI DSS compliance services. Often these companies also provide online checkout/cart products.
Remember, that in general even if you are using one of these third-party methods, you will still likely be at fault if non-compliance is discovered.
The Actual PCI DSS Standards
If you are interested in learning more about what the standards are exactly, check out the official PCI DSS standards here.