All businesses that process credit card transactions are required to abide by PCI compliance requirements. One of the main reasons PCI compliance exists is payment hacking. If you own a small e-commerce site, here is some valuable information about PCI compliance, PCI requirements, and how to ensure compliance.
What Is The PCI Standard?
The Payment Card Industry Data Security Standard, also known as PCI DSS, is a security framework to help service providers and merchants protect transactions involving credit and debit cards. This standard applies to enterprises that deal with credit card transactions.
Developed in 1999, the PCI DSS standard was initially established by Visa to address the increase in credit card fraud over the internet. In 2004, Visa, along with the major credit card brands Discover, MasterCard, JCB, and American Express, launched the PCI DSS 1.0 standard. A few years later, the card brands brought merchants, software developers, financial institutions, and point-of-sale vendors into their security program, resulting in the PCI Security Standards Council (PCI SSC). A series of revisions has since been made, leading to the current standard, PCI DSS 3.2.1.
What Is PCI Compliance?
If you are a small business owner who accepts credit and debit card payments through your e-commerce store, you are responsible for the security of your customers' credit or debit card data. The PCI DSS provides a set of requirements for preventing, detecting, and responding to breaches of cardholder data. These requirements protect you and your customers from breaches that would have a negative impact on your business and finances.
PCI compliance is defined in levels. The size of your business and the volume of transactions you complete annually will determine the level of compliance you need to maintain. There are four main levels of PCI compliance. Merchants fall into any of the following categories based on the transactions they process on an annual basis:
- Level 1: More than 6 million transactions annually
- Level 2: From 1 to 6 million transactions annually
- Level 3: From 20,000 to 1 million transactions annually
- Level 4: Less than 20,000 transactions annually
Most small businesses that handle fewer than 1 million transactions annually are classified as Level 4 merchants, provided fewer than 20,000 of these transactions are e-commerce transactions.
Get Started With PCI Compliance
Many businesses begin their journey towards PCI compliance by establishing a committee. The committee is charged with defining the scope of the requirements and ensuring that your company meets the expected standards. Its members should be drawn from different parts of the company, including information technology, auditing, risk management, human resources, finance, and compliance. The four main roles of the committee are:
- Remediation of security gaps and vulnerabilities
- Establishing and testing controls associated with payment processing security
- Gathering evidence that demonstrates compliance efforts and the results
- Overseeing the maintenance of PCI DSS compliance
How to Become PCI Compliant
PCI DSS has twelve main requirements designed to protect cardholder data. Your business should observe the following practices to be considered PCI compliant:
- Process credit cards through PCI-approved software or a PCI-compliant service provider
- Never store the CVV2/CID card security code. This is the three-digit code on the back of a Visa, Discover, or Mastercard card, or the four-digit code on the front of an American Express card
- You should not store the magnetic track data from credit and debit cards
- Encrypt electronic storage of full debit and credit card numbers
- Keep documents with full credit card numbers in a safe location when they are not in use
- Allow access to customer credit card numbers only to employees who have a business-related need
- Use strong passwords for system access
- Never share login information or use group user accounts
- Disable access to the company’s systems for terminated employees
- Regularly inspect Point-Of-Sale devices for signs of a breach
- Keep your computers safe with firewalls and by installing anti-malware and anti-virus programs. You should also disable default or generic user accounts and passwords
- Create a security policy that satisfies all the aspects of the PCI DSS requirements
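The three storage rules in the list above (never store the security code, never store magnetic track data, never keep full card numbers readable) are the ones an e-commerce developer most often gets wrong in application code. The following is an added example, not code from the original article or from the PCI SSC: a small Python routine that sanitizes a payment record before it is written to a database, refusing records that carry CVV2/CID or track data, replacing the full card number with a masked form (first six and last four digits) plus a keyed-hash token, and scrubbing any Luhn-valid card number that leaked into a free-text notes field. The field names, the demo key, and the choice of HMAC-SHA256 as a stand-in for the encryption step (so the block runs on the standard library alone) are all assumptions of this example; a production system would encrypt with a managed key or hand the number to the payment provider's tokenization service instead.

```python
"""Sanitize a card-payment record before persisting it (added example).

Rules demonstrated, from the PCI DSS requirements listed above:
  * CVV2/CID and magnetic track data are never stored.
  * The full card number (PAN) is never stored in clear text.
  * Free-text fields are scrubbed for card numbers that leaked into them.
Standard library only: HMAC-SHA256 stands in for the encryption step.
"""
import hashlib
import hmac
import re

# Constructed demo key for this example only; a real deployment loads the
# key from a key-management system, never from source code.
DEMO_KEY = b"demo-only-key-not-for-production"

# Field names assumed for this example. Anything under these names must
# never reach storage after authorization.
FORBIDDEN_FIELDS = ("cvv", "cvv2", "cid", "track1", "track2", "track_data")

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cheap filter that rules out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual PCI display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed one-way token that lets repeat cards be matched without the PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def scrub_text(text: str) -> str:
    """Replace Luhn-valid card numbers found in free text with masked forms."""
    def _repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_RE.sub(_repl, text)


def sanitize_for_storage(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a copy of `record` that is safe to persist, or raise ValueError.

    The caller should store the returned dict and discard the original.
    """
    present = [f for f in FORBIDDEN_FIELDS if f in record]
    if present:
        raise ValueError(f"record carries forbidden card data {present}; refusing to store")
    pan = re.sub(r"[ -]", "", str(record.get("pan", "")))
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("invalid card number")
    out = {k: v for k, v in record.items() if k != "pan"}
    out["pan_masked"] = mask_pan(pan)
    out["pan_token"] = tokenize_pan(pan, key)
    # Order notes and support comments are a common place for full card
    # numbers to leak; scrub them rather than trusting the input.
    if isinstance(out.get("notes"), str):
        out["notes"] = scrub_text(out["notes"])
    return out


if __name__ == "__main__":
    # Constructed sample using a well-known test card number.
    raw = {"pan": "4111 1111 1111 1111", "exp": "12/26",
           "notes": "customer re-entered card 4111 1111 1111 1111 by phone"}
    print(sanitize_for_storage(raw))
    try:
        sanitize_for_storage({"pan": "4111111111111111", "cvv": "123"})
    except ValueError as e:
        print("rejected:", e)
```

Because the token is a deterministic keyed hash, the same card always maps to the same token, which supports fraud checks such as counting orders per card without the card number ever sitting in the database; the key that makes the token unguessable must be protected with the same care as an encryption key.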
How Much Does PCI Compliance Cost?
The cost of PCI DSS compliance will vary depending on factors like your business type, the size of your company, the security culture at your enterprise, and the methods you use for processing cards. If you enlist a Qualified Security Assessor (QSA) to perform your audits and complete a compliance report, you may have to pay $50,000 and above for the audit and report.
You may also have to pay for penetration testing, vulnerability scans, policy development, and employee security training. If you have specialized PCI staff, those salaries will also add to your PCI compliance expenses. Additionally, your credit card processor will charge you a PCI compliance fee of between $70 and $120 per year.
In a world dominated by digital transactions, the risk of getting ripped off online is very high. For a business operating an e-commerce site, security vulnerabilities can endanger customer data and call its credibility into question. PCI DSS compliance is the first line of defense against cybersecurity threats and the best way for a business to secure its online transactions.