7 Things You Should Know About PCI DSS Compliance in Ecommerce
CRM, SEO, CTA, CRO… The ecommerce industry is awash with acronyms. Some are well known; for others you might need a quick minute or so with Professor Google. One that is absolutely vital to know about in the world of ecommerce is PCI DSS – the Payment Card Industry Data Security Standard. Here are seven key things to know about PCI DSS and how it applies to ecommerce businesses.
1. What is PCI DSS?
PCI DSS is a set of requirements that have been designed to ensure that all companies that process, store or transmit sensitive credit or debit card information maintain a secure environment. PCI DSS was adopted by the Payment Card Industry Council in 2005, and the Payment Card Industry Security Standards Council – made up of major payment brands Visa, MasterCard, American Express, JCB International and Discover – was founded in 2006 to manage the ongoing evolution of the standard.
2. Why is it Important?
Being compliant with PCI DSS means you are doing your best to keep customers’ valuable and sensitive information secure. This inspires trust in your company and your customers will feel confident about doing business with you as a result. PCI compliance also enhances your reputation with acquirers and payment brands – the partners you need in order to do business.
3. To Whom Does it Apply?
The standard applies to all entities that store, process or transmit cardholder data. Cardholder data is defined as any personally identifiable data associated with a cardholder – for example, account number, expiration date, name, address, national insurance number and so on.
4. What Does PCI DSS Compliance Require?
There are 12 requirements that fall into six categories:
1. Build and maintain a secure network
2. Protect cardholder data
3. Maintain a vulnerability management programme
4. Implement strong access control measures
5. Regularly monitor and test networks
6. Maintain an information security policy
5. How Will PCI Compliance Affect Me?
This depends on whether you take payments on-site or off-site. If you are using a hosted secure payment page provided by a PCI-compliant payment services provider (PSP), then all you need to do is fill in the PCI self-assessment questionnaire (SAQ), which covers topics such as security practices in your company. This is because your ecommerce site never actually ‘sees’ the credit or debit card details – your customer is redirected to the PSP’s hosted payment page to enter their payment information. On the other hand, if you are handling payments on your site, the weight of PCI DSS in all its glory will fall squarely on your shoulders.
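To make the hosted-page model concrete, here is an added Python sketch (not code from this article or from any real PSP) of the flow described above, with both the merchant and the PSP side simulated in one process. The PSP URL, the shared secret, the query-string HMAC scheme and the test card number are all assumptions; a real PSP publishes its own redirect and callback format.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs

# Constructed values: the PSP-issued shared secret and a standard test PAN.
PSP_SHARED_SECRET = b"constructed-merchant-secret"
SAMPLE_PAN = "4111111111111111"

def sign(params: dict) -> str:
    """HMAC-SHA256 over the sorted query string (hypothetical scheme)."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(PSP_SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()

def verify(params: dict) -> bool:
    unsigned = {k: v for k, v in params.items() if k != "sig"}
    return hmac.compare_digest(sign(unsigned), params.get("sig", ""))

def merchant_build_redirect(order_id: str, amount_minor: int, currency: str) -> str:
    """Merchant side: the redirect carries order data only, no card fields."""
    params = {"order_id": order_id, "amount": str(amount_minor), "currency": currency}
    params["sig"] = sign(params)
    return "https://psp.example/hosted-page?" + urlencode(params)

def psp_hosted_page(redirect_url: str, pan: str, expiry: str, cvv: str) -> dict:
    """PSP side (simulated): the customer types card details here, never on the
    merchant site. The PAN is replaced by an opaque token before anything returns."""
    req = {k: v[0] for k, v in parse_qs(redirect_url.split("?", 1)[1]).items()}
    if not verify(req):
        raise ValueError("tampered redirect")
    result = {"order_id": req["order_id"], "status": "approved",
              "token": "tok_" + secrets.token_hex(8), "last4": pan[-4:]}
    result["sig"] = sign(result)
    return result

def merchant_handle_return(result: dict, orders: dict) -> bool:
    """Merchant side: trust the payment status only after checking the PSP's HMAC."""
    if not verify(result):
        return False
    orders[result["order_id"]] = {k: v for k, v in result.items() if k != "sig"}
    return True

def demo_checkout() -> dict:
    """Run one checkout; returns the merchant's order store (token and last4 only)."""
    orders = {}
    url = merchant_build_redirect("order-1001", 4999, "GBP")
    result = psp_hosted_page(url, SAMPLE_PAN, "12/29", "123")
    assert merchant_handle_return(result, orders)
    return orders
```

The point to check in your own integration is the last function: the merchant's records end up holding a token and the last four digits, and the full card number never passes through merchant code, which is what keeps the site on the short SAQ path.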
6. What Happens if I Don’t Comply?
Non-compliance can be costly. Your acquirer could terminate its relationship with you, preventing you from accepting cards online. You could also be heavily fined. Compromised customer data and the resultant reputational damage can also put a huge dent in business revenues.
7. What Should I Do Now?
You must understand fully how card payments are processed by your business. The most secure option is to outsource card data handling to a PSP that provides a fully hosted payment solution – taking the sting out of PCI compliance.