If you engage in e-commerce at any level, you’ve likely heard the term “PCI-compliant.” All major credit card companies require compliance and many payment gateways specify their compliance as a selling point.
But what is this standard and what steps do you need to take to meet it?
What Is PCI?
PCI is short for PCI DSS, which stands for Payment Card Industry Data Security Standard. These are standards that define the minimum acceptable level of security that must be put in place to protect cardholders from hackers. Although PCI is not a federal law, it is enforced by the credit card companies and the merchant service providers through fines for non-compliance.
What Are the PCI DSS Requirements?
Although each card brand has its own sub-requirements, all credit card companies require the following:
- Merchants must install and maintain a network firewall.
- They must change all system passwords from their default settings.
- They must protect all stored cardholder data.
- They must encrypt all data that they transmit across a public network (i.e. the internet).
- They must use and regularly update anti-virus software.
- They must develop and maintain secure systems and applications.
- They must restrict access to cardholder data to those who need this information for legitimate business purposes.
- They must assign each computer user a unique ID for easy identification.
- They must restrict physical access to records.
- They must monitor and track all network and cardholder data access.
- They must regularly test the security of their systems and processes.
- They must maintain an information security policy.
Are All Businesses Treated The Same?
No. A small home-based e-commerce business is not treated exactly the same as a multi-million dollar enterprise. Merchants are divided into levels based on their annual number of transactions, and each level is subject to a different degree of validation. One card brand categorizes any business that processes fewer than 20,000 Visa e-commerce transactions as a Level 4 Merchant and requires fewer validation documents and processes than it does for a Level 1 Merchant.
What Do I Have To Do?
In addition to making sure all of the 12 requirements are met (and any sub-requirements specific to the card brand), all businesses have to prove that their systems meet PCI specifications, provide periodic documentation, undergo audits, and perform network scans. The exact requirements are set by the card brand and the merchant bank. However, quarterly network scans and merchant-dictated compliance validations are standard, along with a recommended annual self-assessment questionnaire (SAQ).
Penalties for Non-Compliance
Although rare, some e-commerce businesses, through neglect or intent, ignore PCI requirements and leave cardholder data vulnerable to hackers and identity thieves. Although compliance is not a federal law, the major payment brands may fine an acquiring bank (your merchant service provider) $5,000 to $10,000 per month for each compliance violation, which the providers may pass along to you at their discretion. You may also be required to pay for card replacement costs, forensic audits, and brand damage, in addition to the costs associated with the time needed to report all data breaches to the proper authorities according to any applicable state laws.
As you can see, PCI compliance is a vital issue requiring thorough thought and preparation. However, at E-Commerce 4 IM, we help make the burden a little easier by offering PCI-compliant gateways with our merchant accounts. If you are not sure whether your current gateway is compliant, you are looking for a merchant account that ensures this feature, or you simply have questions about e-commerce:
Give us a call at (800) 570-1347.
Even if you just need help with PCI Compliance, feel free to contact us!