13/07/2016
All you need to know about becoming PCI Compliant
One of the biggest factors in the business world today is trust. It seems that business has come full circle since the concept of the high street was born. Back then we bought from our friends, those whom we knew and trusted – Mr. Smith the greengrocer and Mr. Black the tailor. As capitalism took hold, we saw the emergence of chain stores and bigger, grander one-stop shops – huge supermarkets where we could buy everything from our weekly shop to school clothes, through to the kitchen sink.
The internet started growing, along with online versions of these great supermarkets, and now – with a big influence from social media – we are beginning to buy from the smaller specialists again: people we might not know in person, but have had contact with online and who have been recommended to us by friends.
And this is why now is such a great time to start building an e-commerce company. But with great power comes great responsibility, and people being able to trust that their personal and financial details are safe in your hands is absolutely vital. In fact, home-run e-commerce businesses are a big target for hackers precisely because they are assumed to have weaker customer security and protection.
For this reason, it is essential that businesses are PCI compliant.
PCI Compliant
PCI, or PCI DSS, stands for Payment Card Industry (Data Security Standard) and is a set of security requirements which must be adhered to by any business that stores, processes or transmits cardholder data for the major branded credit card companies, including MasterCard, Visa, American Express, JCB and Discover. That means any business that takes card payments – be it in person, over the phone or online – including those who use third-party processors.
From the time cards first came into use, each company had its own rules about customer data protection and security, but thankfully in 2004 all of these major credit card companies got together to form these standard guidelines – better for businesses and customers alike!
These guidelines, of course, help the card companies too, since combating offline and online fraud and improving customer security works in their favour as well. Whilst there has always been a certain degree of risk to card users in the offline world, the risk has greatly increased since the growth of the internet.
Whilst PCI compliance isn't the law across the whole world, it is certainly recommended and often required by the major credit card companies, and you will find that should you suffer a breach of security – such as those which happened at Target and TalkTalk – you will be liable for all of the money lost, plus damages and probably fines.
Becoming PCI Compliant
Becoming PCI compliant isn't as difficult as it might seem – and of course it is priceless in terms of customer protection. The good news is that the requirements scale as your business grows, so what applies to your small e-commerce business won't be the same as for a large multinational enterprise. It should be noted, however, that although there are standard requirements to be met, the card companies also have the right to add extra requirements of their own if they see fit.
Compliance consists of satisfying the PCI, the major credit card companies and your acquirer banks or payment processors, and the good news is that according to Visa's Chief Enterprise Risk Officer, Ellen Richey, "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
To become PCI compliant you can either go it alone or get some help. A lot of this depends on the size of your company, and any previous experience that you have.
Step one – Compliance Level
The first step in becoming PCI compliant is to ascertain your 'compliance level'. Unfortunately, each credit card company has its own guidelines for merchant compliance, so you will need to check each one separately. Your level is determined by the number of transactions you process with each card company, as well as the channels used. It should also be noted that if a business has previously suffered fraud or a hack due to compromised data, its level may be escalated.
Step two – Self-Assessment Questionnaire (SAQ)
The PCI DSS Self-Assessment Questionnaire contains questions set by the PCI. They cover data protection, security processes and individual employee access to data, as well as online security. These questions also come with guidelines so that you can bring your business up to the required level.
There are 9 variations of the SAQ, depending on your individual set-up, and you only need to fill out the questionnaire which corresponds to yours.
Step three – Attestation of Compliance (AOC)
This is where you provide evidence to back up the answers you have given in your SAQ. There are 9 variations of the Attestation of Compliance, so you need to find the one which matches your SAQ.
Some businesses will also be required to complete the 'PCI DSS Designated Entities Supplemental Validation'.
Step four – Document Submission
You will then need to submit the two documents (SAQ and AOC), along with your supporting documents (such as ASV scan reports), to your acquirer bank and the payment brands.
From then on, an annual Validation of Compliance is carried out. For small businesses this will be through a self-assessment form, and for larger ones with high transaction volumes an independent, certified Qualified Security Assessor (QSA) will be appointed.
Being PCI compliant, although not a legal requirement everywhere, is a responsibility for any business that accepts card payments. A breach in security can be costly not only financially, in terms of covering damages and fines, but also in terms of your business's reputation. There are some things that customers will forgive companies for, but breaches of their security and trust aren't among them.
By adhering to the PCI DSS regulations, you are protecting your customers and your business now and in the future.
If you have any questions about e-commerce, buying and selling online, building effective websites and other online services, get in touch with Studioworx either via email ([email protected]), telephone (+44 (0)1603 274285) or the website (https://www.studioworx.co.uk).