Setting up an eCommerce platform is an exciting time, especially right now when the industry is booming. But part of the setup process is making sure you’ve taken steps to secure your platform, your future customers, and yourself from any data security issues. Trust is an important part of the relationship you will build with your clients and with so much competition in the eCommerce sector, you cannot afford to slip up.
Recent statistics suggest that as many as 4.1 billion records were breached globally in the first half of 2019 (Riskbasedsecurity.com: 2019 midyear data breach report).
Big multinationals, SMEs, banks, card companies, voting databases, and social media platforms: no one is immune from breaches. The results of these breaches can be catastrophic; damaged reputation, millions of dollars’ worth of damage, and of course, clients’ data being used for nefarious purposes.
That’s where the Payment Card Industry Data Security Standard (PCI DSS) comes in. This comprehensive framework aims to create a minimum standard that will improve the security of customer data and trust in the overall payments system. While compliance isn’t mandated by law, it is advised.
As our world becomes more digitized, criminals become more tech-savvy in response. It’s estimated that this year we can expect to see a cyber attack incident as often as every 11 seconds; this is twice as often as in 2019, and four times as often as in 2016.
So what is PCI compliance and how can you go about ensuring it for your eCommerce company?
An introduction to PCI compliance
PCI compliance should be considered and implemented by every company that processes card payments, regardless of size, business type, or location. While it isn’t a legal requirement, the consequences of not taking care of customer data can be grave. Being PCI compliant protects businesses and customers, and for this reason it’s highly recommended.
In 2006, the world’s leading payment card providers including Visa, American Express, MasterCard, JCB, and Discover, came together to create the Payment Card Industry Security Standards Council (PCI SSC). Their goal was to create and administer a set of standards that would be implemented by companies processing credit card data.
Before the creation of this joint council, each card provider had its own set of standards, which bore several striking similarities. Upon realizing they all had the same goal and were spending time developing similar requirements, they thought it best to join forces and work together on a more standardized system. The new standards created more than 300 different security controls spanning almost 2,000 pages. Some 350 pages are dedicated just to knowing which forms to fill out when it comes to compliance.
What are the 12 requirements of PCI DSS compliance?
Use and maintain firewalls
These are prevention systems that help stop unwanted entities from accessing the data within. Firewalls are an essential first line of defence against nefarious actors, as they can almost eliminate unwanted access.
Keep software updated
Having good firewalls and anti-virus software isn’t enough; you need to keep them up to date and patched regularly.
Protect customer data
Customer card data needs to be properly protected and ideally encrypted. This means managing encryption keys securely as well as making sure that all data is encrypted at all times.
Get a good antivirus
You need to ensure you have good anti-virus software installed on all of your systems. This should be the case for any system, software, and hardware that interacts with client data. You must also ensure it is kept up to date.
Ensure password protection
Any third-party products such as point of sale systems, modems, and routers should be adequately protected with a secure password. Businesses should implement proper security measures to ensure they are less vulnerable to hackers.
Keep data access restricted
Customer card data should be restricted to those who ‘need to know’. In other words, anyone who doesn’t need access to the information to do their job should not have access to it.
Unique access IDs
Those who are allowed access to cardholder data should have a unique username and electronic identifier. This way, if data is compromised, you can see who accessed it last and more quickly determine what went wrong.
Restrict physical access
When it comes to servers that hold cardholder data, you need to ensure that access is restricted. Likewise, any data that is typed or even written must also be secured. Any access to the data must be logged.
Create and maintain logs
You need to keep thorough and up-to-date logs of how data is obtained, how it’s stored, and most importantly who is accessing it, when, and why. This is one of the most important parts of the compliance process.
Encryption of transmitted data
It’s not just the data you hold that should be encrypted. You need to ensure that when you send customer data such as card information, it is also encrypted to the same high standard.
Check for vulnerabilities
You should always be on the lookout for vulnerabilities in your systems. Many things can go wrong and you need to ensure you find any loopholes before they are exploited.
Document your policies
Remember, absolutely everything needs to be documented. You need a paper trail for every bit of data and every action that happens to that data, should something go wrong.
So what is the benefit of PCI DSS compliance?
For something that isn’t a legal requirement, PCI DSS sure does seem like a lot of work. You might be thinking ‘why bother with this as well?’. There are some benefits to PCI compliance for businesses of every size.
Greater trust levels
Firstly, PCI compliance means that you have taken significant steps to be sure that your systems are secure. In turn, this means your customers can be comfortable trusting you with their card information and greater trust levels lead to more happy, loyal customers.
Not only will this lead to a good reputation amongst customers and on review sites, but it will boost your reputation with third-party service providers as well. If you can show you are PCI compliant, you will find that a range of partners are happier to work with you or provide you with their services, because you have demonstrated that you are trustworthy and take security seriously.
No reputation damage due to data breaches
If you were to experience a data breach, the consequences could be catastrophic: payment card issuer fines, loss of sales, relationship breakdown, lawsuits, cancelled accounts, and irreparable damage to your reputation. You may also find yourself being probed by government authorities and barred from working in certain industries in the future.
Security threats constantly evolve
Additionally, security threats are always evolving. Through PCI compliance processes, you are constantly updating and evaluating your systems. This not only decreases the chance of your customer data being breached, but you are also contributing to the global fight against cybercrime.
PCI sets a good foundation for other regulatory requirements that you may be subject to now or in the future. It also contributes to your corporate security strategy and can significantly improve the efficiency of your IT infrastructure.
How do I go about getting compliant?
Congratulations, you’ve decided to get PCI compliant; that was a smart decision! The next decision is whether to do it yourself or to pass the burden of risk on to an acquirer or gateway.
Doing it yourself
If you choose to do it yourself, there are several tasks to undertake, the first of which is analyzing your compliance level. Up to 80% of companies failed their first PCI check, meaning that this first task is pretty important. Your starting point is to get a solid overview of what standards you need to adhere to and where you already stand.
You then need to fill out a self-assessment questionnaire to help you identify issues and gaps in your current system. At this point, you need to make changes based on the issues identified in the first two steps. Once you’re done, you can take the questionnaire again!
Once you have made any necessary changes, you fill out and sign a formal attestation of compliance. Then, a security assessor will review your systems for validation. Hopefully they will not find any discrepancies, and at this point you can present the findings to credit card companies and payment providers.
Passing on the burden of risk
If you are an eCommerce startup, this may seem a little daunting, especially if you aren’t familiar with payment processing. In all cases, it’s a smart move to enlist the help of a professional service provider such as Fast Offshore to guide you through the process, assist you with your merchant negotiations, and ensure you carry as little risk as possible. This will make the process of attaining PCI compliance much smoother than if you were to struggle through it on your own!