So you want to become PCI compliant
Data breaches and eCommerce fraud go hand in hand. They are both major way points in the cycle of fraud. Criminals gain access to sensitive cardholder data by hacking into point of sale systems to steal data or plant malicious software (malware) to capture data over a period of time. Once they have obtained the payment data, they sell it to fraudsters, or use it in their own fraud endeavors.
eCommerce sites are fast becoming the preferred avenue for fraud worldwide since new technology (like EMV chip cards) has made it increasingly difficult to commit fraud in-store with counterfeit cards. Protecting your own eCommerce site from fraud is an important step and you can learn more about that here.
But there’s another tactic the payments industry uses to impede the fraud cycle: preventing data breaches so the fraudsters can’t access cardholder data in the first place. There are many ways you can help prevent criminals from stealing card data, including maintaining PCI compliance by safely handling and protecting data, and securing your website with Transport Layer Security (TLS, the successor to the older SSL protocols, though certificates are still commonly sold as "SSL certificates"). Implementing these practices will help curb fraud overall, and perhaps more importantly, protect your eCommerce business from the damaging financial and reputational effects of a data breach.
Preventing breaches isn’t just about being a good corporate citizen. It’s the responsibility of every entity that accepts, processes, stores, or transmits card data. In the early 2000s the major card brands (Visa, Mastercard, American Express, Discover, and JCB) each ran their own cardholder-data protection programs; in 2004 they merged them into a single industry-wide standard, the Payment Card Industry Data Security Standard (PCI DSS). Since 2006 the standard has been maintained and revised by the PCI Security Standards Council (PCI SSC), which the brands jointly founded.
All merchants who accept credit and debit card payments must comply with the 12 requirements of PCI DSS. The requirements cover the security of the payment environment as a whole: network security controls such as firewalls, anti-malware protection, secure remote access, strong authentication and password management, logging and monitoring, regular vulnerability testing, and more. All 12 requirements apply to every merchant; what changes with your transaction volume (your merchant level) is how compliance is validated, from a Self-Assessment Questionnaire (SAQ) for smaller merchants to an annual onsite assessment by a Qualified Security Assessor (QSA) and quarterly scans by an Approved Scanning Vendor (ASV) for the largest. How you accept cards also matters: an online store that outsources all payment entry to a validated third party (for example, a hosted payment page) keeps cardholder data out of its own systems and may qualify for the shortest questionnaire, SAQ A, whereas a site that handles card numbers on its own servers has far more of the standard in scope.
It’s important to note that maintaining PCI compliance is an ongoing activity. Merchants must be compliant at all times, which takes active monitoring and maintenance of business systems and technologies. Enforcement comes not from the council, which writes the standard but does not police merchants, but from the card brands and your acquiring bank, and it usually takes the form of repercussions after the fact rather than proactive monitoring. In practice, merchants are presumed compliant until they experience a breach, at which point the forensic investigation will establish whether they actually were.
Consequences of a data breach
Failure to adhere to PCI security standards can come with heavy fines and assessments if you experience a breach. How much does a data breach cost? It depends on many factors, including the number of cards compromised and the financial fallout of the breach.
Costs that the card brands and your acquirer can pass on to a non-compliant merchant after a breach include:
- Card reissuance costs for every compromised card that must be replaced. This can be anywhere from $2-5 per card, and the number of cards compromised per breach is typically in the thousands for small businesses and in the hundreds of thousands to millions for larger businesses.
- A mandatory forensic investigation by a PCI Forensic Investigator (PFI), conducted at your expense, to determine how the breach happened and whether you were compliant at the time.
- Additional fraud monitoring programs and technologies mandated by the card brands, along with fines levied on your acquirer that it passes through to you.
Recovering from a breach is difficult for even the largest businesses. Just Google “latest data breach” for a list of businesses experiencing their claim to shame as a result of a recent data breach. It’s not a good look for your business and it can be difficult to earn customer trust back after a breach.
PCI assistance programs
Many payment processors and gateway providers offer PCI compliance assistance to help automate the necessary ongoing compliance activities. Having this type of support is a big asset and a time saver, so it’s important to consider a processor’s PCI compliance assistance solution when making your decision on which provider to use.
A good compliance assistance program will also provide some financial protection to help cover costs if you do experience a breach. It’s similar to insurance in that the provider will foot the bill for certain breach expenses within a certain limit following a qualifying breach event.
It’s important to understand the role your payment processor and other third-party vendors will play in your system security and compliance obligations, as well as the role you will play. You may depend on third parties to help you maintain system security and PCI compliance, but ultimately the responsibility rests with you.
Whereas PCI compliance is the merchant’s responsibility, validating the payment software and hardware is the technology provider’s responsibility. For years that validation was PA-DSS, the Payment Application Data Security Standard. In laymen’s terms, it means that the payment application software that vendors sell (for example, the software running on a POS system) must meet the security requirements set by the PCI council for the safe handling of payment data; hardware terminals themselves are covered by a separate program, PCI PTS. Note that the PCI SSC retired PA-DSS in October 2022 and replaced it with the PCI Software Security Framework (the Secure Software Standard and Secure SLC Standard), so newer products are validated under that framework instead.
Validation lets merchants know that the product has been verified by a PCI-council-approved assessor, which in turn lessens the merchant’s own burden in maintaining PCI compliance. In short, use validated payment applications and providers, check them against the current listings on the PCI SSC website, and configure them according to the vendor’s implementation guide, since a validated product installed insecurely offers little protection.
Payment technologies for securing data
There are other security technologies available to merchants that are nominally optional yet provide an important additional layer of protection for safely handling card data.
Optional is perhaps too soft of a term for these technologies in comparison to their effectiveness at securing payment data and making it useless to potential data hackers. It’s technically optional to set a timer when baking cookies too. But if you don’t want to risk ruining them, it’s a good idea to set a timer so you can take them out of the oven before they burn.
In reality, card data encryption and tokenization are as essential to securing modern commerce as a timer is to preventing burnt cookies—particularly in the eCommerce industry, which is under intense attack from both international and domestic cyber criminals.
Card data encryption and tokenization both keep the real card number out of your systems, but they do it differently. Encryption scrambles the primary account number (PAN) with a key so that it can be recovered only by the party holding that key; it protects data in transit from the cardholder’s browser or terminal to the payment processor and onward through the authorization process. Tokenization replaces the PAN with a surrogate value (a token) that has no mathematical relationship to the card number and can be turned back into the PAN only by the token vault that issued it; it protects data at rest when a card must be kept on file for future transactions such as recurring billing or tip adjustments. A thief who steals a database of tokens gets nothing they can spend, and because tokens are not cardholder data, systems that store only tokens fall outside most of the PCI DSS requirements.
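To make the tokenization side concrete, here is a small added example (written for this page, not any processor’s product or code) of a hypothetical in-memory token vault together with the PAN masking PCI DSS allows for display. The class and function names, the `tok_` prefix, and the test card numbers are assumptions chosen for illustration; a real vault is a separate, PCI-scoped service that stores PANs encrypted and never hands them back to the web tier.

```python
"""Hypothetical token vault and PAN masking (illustration added here, not a
vendor's product). The vault is in memory and stores PANs in the clear so the
example stays self-contained; a production vault would encrypt them under a
managed key (PCI DSS Requirement 3) and run on its own isolated hosts."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check that every real card number passes; rejects typos early."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS (Req 3.3 in v3.2.1, Req 3.4.1 in v4.0):
    at most the first six and last four digits, all others replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Maps random tokens to PANs. Only this component sees card numbers."""

    def __init__(self, index_key: bytes):
        # A keyed fingerprint lets the vault recognise a returning card and
        # reuse its token without keeping a plaintext-PAN lookup table.
        self._index_key = index_key
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting a new random one if unseen."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        # The body of the token is random, so it carries no information about
        # the PAN. Only the last four digits are kept, so staff can tell the
        # customer which card was charged (the same four that mask_pan shows).
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = "tok_" + body + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN. Callable only inside PCI scope, e.g. when the vault
        forwards a stored card to the processor for a recurring charge."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    card = "4111111111111111"            # well-known test PAN, not a real card
    token = vault.tokenize(card)
    print("merchant database stores:", token)
    print("customer-facing receipt shows:", mask_pan(card))
    print("vault alone can recover:", vault.detokenize(token))
```

The merchant’s order database, receipts, and support tools store and show only the token and the masked PAN; the full card number exists only inside the vault, which is the only component that needs to meet the storage requirements of the standard.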
Encryption is also required whenever cardholder data crosses an open, public network: PCI DSS Requirement 4 calls for strong cryptography (TLS, or a VPN) in transit, and it prohibits sending unprotected PANs by end-user messaging such as email, instant messaging, SMS, or chat. eCommerce merchants sometimes overlook this when they paste a card number into an email to a customer or a third party about a transaction, or when staff read full card numbers over the phone and type them into unapproved tools. If a card number must be shared, share the masked form or a reference such as the last four digits and the transaction ID instead.
For example, an employee in the chargeback department may need access to cardholder data for the purpose of confirming or refunding purchases. Accessing that information must be done within the security protocols for handling sensitive data. Third parties like call centers and fulfillment warehouses may also need access to sensitive information, so make sure you’re considering all the angles related to data exposure.
The rule of thumb here is to limit data access to only those employees with a critical need, and ensure access is reviewed periodically to eliminate any unnecessary or expired users.
Setting up TLS (the SSL certificate)
In the context of eCommerce payments, encryption in transit takes the form of TLS, which secures an encrypted link between your website and the user’s browser. Although the protocol is now TLS (SSL 2.0 and 3.0 are deprecated and should be disabled on your server), the certificate you install is still commonly sold as an "SSL certificate". It lets the browser verify that it is talking to your site and not an impostor, and it lets the two sides agree on keys so that the payment details travel encrypted between them.
Equally important, the padlock the browser shows for an HTTPS connection puts customers at ease when entering their payment details. Note that major browsers no longer display the green address bar once associated with extended-validation certificates, and the padlock only means the connection is encrypted and the certificate is valid; it says nothing about whether the site behind it is honest, which is why your other controls still matter. Customer trust will have a positive impact on your sales.
Obtaining a certificate works like this. First, you generate a key pair on your server: a private key, which never leaves the server, and the matching public key. Next, you create a Certificate Signing Request (CSR), a file containing your public key and your site’s identity (above all its domain name), signed with your private key to prove you hold it. You send only the CSR to a Certificate Authority (CA), never the private key. The CA checks that you control the domain (for example, by asking you to publish a challenge value in DNS or on the site), then issues a certificate that binds your domain to your public key and is signed with the CA’s own key. Finally, you install the certificate and the CA’s intermediate certificate on your server alongside the private key. Browsers trust the result only if the signature chain leads back to a root certificate in their pre-installed trust store, so choose a CA whose root is included there; a certificate from an unknown CA produces a warning rather than a padlock.
Taking these steps will give you a much better chance of keeping your eCommerce business out of the grip of cybercriminals and fraudsters. Visa has stated that no compromised entity it has investigated was found to be PCI compliant at the moment the breach occurred, which is a strong argument for treating the standard as a baseline rather than a checkbox. And if you’re using encryption and tokenization, any data that thieves do get their hands on should be useless to them, greatly reducing the consequences of a breach and protecting your bottom line and your business reputation.
We take the security of our eCommerce merchants very seriously. We offer easy-to-use PCI compliance assistance, financial breach assistance coverage, and robust encryption and tokenization solutions. Contact us to discuss the risks and solutions applicable to your business, anytime.