PCI Compliance for eCommerce: the gold standard of card security

Setting up an eCommerce platform is an exciting time, especially right now when the industry is booming. But part of the setup process is making sure you’ve taken steps to secure your platform, your future customers, and yourself from any data security issues. Trust is an important part of the relationship you will build with your clients and with so much competition in the eCommerce sector, you cannot afford to slip up.

Recent statistics suggest that as many as 4.1 billion records were breached globally in the first half of 2019.

Source: Riskbasedsecurity.com, 2019 midyear data breach report

Big multinationals, SMEs, banks, card companies, voting databases, and social media platforms: no one is immune from breaches. The results of these breaches can be catastrophic: damaged reputation, millions of dollars' worth of damage, and of course, clients' data being used for nefarious purposes.

That's where the Payment Card Industry Data Security Standard (PCI DSS) comes in. This comprehensive framework aims to set a minimum standard that improves the security of customer data and trust in the overall payments system. While compliance isn't mandated by law, it is advised.

As our world becomes more digitized, criminals become more tech-savvy in response. It's estimated that this year we can expect to see a cyber attack incident as often as every 11 seconds, twice as often as in 2019 and four times as often as in 2016.

So what is PCI compliance and how can you go about ensuring it for your eCommerce company?

An introduction to PCI compliance

PCI compliance should be considered and implemented by every company that processes card payments, regardless of size, business type, or location. While it isn't a legal requirement, the consequences of not taking care of customer data can be grave. Being PCI compliant protects businesses and customers alike, and for this reason it's highly recommended.

In 2006, the world’s leading payment card providers including Visa, American Express, MasterCard, JCB, and Discover, came together to create the Payment Card Industry Security Standards Council (PCI SSC). Their goal was to create and administer a set of standards that would be implemented by companies processing credit card data.

Before the creation of this joint council, each card provider had its own set of standards, and these bore several striking similarities. Upon realizing they all had the same goal and were spending time developing similar requirements, they thought it best to join forces and work together on a more standardized system. The new standards created more than 300 different security controls spanning almost 2,000 pages. Some 350 pages are dedicated just to knowing which forms to fill out when it comes to compliance.

What are the 12 requirements of PCI DSS compliance?

Use and maintain firewalls

Firewalls are prevention systems that help stop unwanted entities from accessing the data behind them. They are an essential first line of defence against nefarious actors, as a well-configured firewall blocks almost all unwanted access.

Keep software updated

Having good firewalls and anti-virus software isn't enough; you need to keep them up to date and patched regularly.

Protect customer data

Customer card data needs to be properly protected and ideally encrypted. This means encrypting stored card data and managing the encryption keys properly, so that the data is protected at all times.

Get a good antivirus

You need to ensure you have good anti-virus software installed on all of your systems. This should be the case for any system, software, and hardware that interacts with client data. You must also ensure it is kept up to date.

Ensure password protection

Any third-party products such as point-of-sale systems, modems, and routers should be adequately protected with a secure password. Businesses should implement proper security measures on these devices so they are less vulnerable to hackers.

Keep data access restricted

Customer card data should be restricted to those who 'need to know'. In other words, anyone who does not need the information to do their job should not have access to it.

Unique access IDs

Everyone who is allowed access to cardholder data should have a unique username and electronic identifier. This way, if data is compromised you can see who accessed it last, which helps you quickly determine what went wrong.

Restrict physical access

When it comes to servers that hold cardholder data, you need to ensure that physical access is restricted. Likewise, any data that is typed or handwritten must also be secured. Any access to the data must be logged.

Create and maintain logs

You need to keep thorough and up-to-date logs of how data is obtained, how it’s stored, and most importantly who is accessing it, when, and why. This is one of the most important parts of the compliance process.

Encryption of transmitted data

It's not just the data you hold that should be encrypted. When you send customer data such as card information, it must also be encrypted to the same high standard.

Check for vulnerabilities

You should always be on the lookout for vulnerabilities in your systems. Many things can go wrong, and you need to find any weaknesses before they are exploited.

Document your policies

Remember, absolutely everything needs to be documented. You need a paper trail for every bit of data and every action that happens to that data, in case something goes wrong.
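As an added illustration (not code from this page or from Fast Offshore), the following Python sketch shows how the "restrict data access", "unique access IDs" and "create and maintain logs" requirements above combine in one small cardholder-data access layer. The roles, account names and policy are hypothetical; it goes slightly beyond the text by applying the PCI DSS display rule of showing at most the first six and last four digits of a card number, and the sample number is the standard Visa test PAN, not real card data.

```python
"""Minimal cardholder-data access layer: need-to-know roles, unique IDs, audit log.
All roles, users and records are constructed for this example."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

FULL_PAN_ROLES = {"fraud_analyst"}                         # may see the full number
NEED_TO_KNOW_ROLES = FULL_PAN_ROLES | {"support_agent"}    # may see a masked number
GENERIC_ACCOUNTS = {"admin", "root", "shared", "support"}  # not unique IDs: refused
PAN_RE = re.compile(r"\b\d{13,19}\b")                      # PAN-like digit runs


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits (PCI DSS display rule)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str) -> str:
    """Mask any PAN-like digit run before free text reaches application logs."""
    return PAN_RE.sub(lambda m: mask_pan(m.group()), text)


@dataclass
class CardVault:
    records: dict                 # record id -> PAN; a real store would be encrypted
    audit_log: list = field(default_factory=list)

    def read(self, user_id: str, role: str, record_id: str, reason: str) -> str:
        """Return the PAN (masked unless the role needs it all) and log who, when, why."""
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user_id,
                 "role": role, "record": record_id, "reason": reason, "outcome": "denied"}
        try:
            if user_id.lower() in GENERIC_ACCOUNTS:
                raise PermissionError("generic login; every person needs a unique ID")
            if role not in NEED_TO_KNOW_ROLES:
                raise PermissionError("role has no need to know")
            if not reason.strip():
                raise PermissionError("an access reason is mandatory")
            pan = self.records[record_id]
            entry["outcome"] = "full" if role in FULL_PAN_ROLES else "masked"
            return pan if role in FULL_PAN_ROLES else mask_pan(pan)
        finally:
            self.audit_log.append(entry)   # every attempt is recorded, denied or not


if __name__ == "__main__":
    vault = CardVault({"rec-1": "4111111111111111"})       # constructed test record
    print(vault.read("alice.w", "support_agent", "rec-1", "chargeback review"))
    print(scrub("customer paid with 4111111111111111"))
```

The audit entries deliberately never contain the card number itself, only the record id, so the log can be shared with reviewers without widening who sees cardholder data.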

So what is the benefit of PCI DSS compliance?

For something that isn't a legal requirement, PCI DSS sure does seem like a lot of work. You might be thinking, 'why bother with this as well?'. Yet there are real benefits to PCI compliance for businesses of every size.

1. Greater trust levels

Firstly, PCI compliance means that you have taken significant steps to make sure your systems are secure. In turn, this means your customers can be comfortable trusting you with their card information, and greater trust leads to happier, more loyal customers.

Not only will this lead to a good reputation amongst customers and on review sites, but it will boost your standing with third-party service providers as well. If you can show you are PCI compliant, trustworthy and serious about security, a range of partners will be happier to work with you or provide you with their services.

2. No reputation damage due to data breaches

If you were to experience a data breach, the consequences could be catastrophic: payment card issuer fines, loss of sales, relationship breakdown, lawsuits, cancelled accounts, and irreparable damage to your reputation. You may also find yourself being probed by government authorities and barred from working in certain industries in the future.

3. Security threats constantly evolve

Additionally, security threats are always evolving. Through PCI compliance processes, you are constantly updating and evaluating your systems. This not only reduces the chance of your customer data being breached; it also contributes to the global fight against cybercrime.

PCI sets a good foundation for other regulatory requirements that you may be subjected to now or in the future. It also contributes to your corporate security strategy and can significantly improve the efficiency of your IT infrastructure.

How do I go about getting compliant?

Congratulations, you've decided to get PCI compliant; that was a smart decision! The next decision is whether to do it yourself or to pass the burden of risk on to an acquirer or gateway.

Doing it yourself

If you choose to do it yourself, there are several tasks to undertake, the first of which is analyzing your compliance level. Up to 80% of companies failed their first PCI check, so this first task is pretty important. Your starting point is to get a solid overview of what standards you need to adhere to and where you currently stand.

You then need to fill out a self-assessment questionnaire to help you identify issues and gaps in your current system. At this point, you make changes based on the issues identified in the first two steps. Once you're done, you can take the questionnaire again!

Once you have made any necessary changes, you fill out and sign a formal attestation of compliance. Then, a security assessor will review your systems for validation. Hopefully they will not find any discrepancies, and at this point you can present the findings to the credit card companies and payment providers.

Passing on the burden of risk

If you are an eCommerce startup, this may seem a little daunting, especially if you aren't familiar with payment processing. In all cases, it's a smart move to enlist the help of a professional service provider such as Fast Offshore to guide you through the process, assist you with your merchant negotiations, and ensure you carry as little risk as possible. This will make attaining PCI compliance much smoother than struggling through it on your own!
