Difference between ecommerce PCI compliance and brick-and-mortar PCI compliance
There is little argument about how important it is for small businesses to become Payment Card Industry Data Security Standard (PCI DSS) compliant. The PCI Security Standards Council publishes the standard as a set of requirements for merchants, so that any company that processes, stores or transmits credit card information maintains a secure network and safeguards against potential breaches.
In short, PCI applies to any business that accepts or transmits a card transaction of any type and stores cardholder data, according to the PCI Security Standards Council's website. As if the threat of a breach were not enough to push merchants toward PCI compliance, the financial penalty for not complying is steep. Payment brands may fine non-compliant acquiring banks anywhere between $5,000 and $100,000 per month for PCI compliance violations, and most of that cost is likely to flow downstream until it reaches the merchant.
There are multiple levels of PCI compliance, but most small businesses fall into the merchant level 3 or merchant level 4 tier, serving either 20,000 to 1 million customers per year or fewer than 20,000 customers per year. That said, there are a few differences between brick-and-mortar compliance and PCI compliance for ecommerce websites. Here are a few things to keep in mind for both in-store PCI compliance and ecommerce PCI compliance:
Brick-and-mortar PCI compliance
In-store transactions generally represent a large portion of a small business's quarterly and annual income. Given that, businesses need to ensure that all of their customers' information is protected and securely stored on their network during a transaction. The point of sale is one of the more important parts of a small-business operation, so it makes sense for businesses to invest in protecting this critical component of their infrastructure.
Protecting the customer at the point of sale is vital to a small business's success. A business that fails to do so is liable for the resulting data breach and may be financially responsible for all damages. The point of sale is where consumers make transactions and where payment information temporarily flows through the business. If a company stores sensitive customer data on site, it needs to make sure its servers are heavily protected with robust firewalls. If it outsources data storage to a cloud-service provider, it shares the burden with the third party, which also holds some responsibility for maintaining security.
In-store POS infrastructure is the most important piece of in-store security because it is a primary target for attackers. A recent report by security software firm Trustwave found that one-third of its investigations in 2013 involved the point of sale. Brick-and-mortar PCI compliance is therefore heavily predicated on securing the in-store network and the POS infrastructure.
Ecommerce PCI compliance
PCI compliance for online retail sites is not so different from brick-and-mortar compliance in that it is aimed at protecting customer information. The main difference is that the point of sale online is electronic, as opposed to a tangible piece of hardware in the store. Since the point of sale differs between these two kinds of transaction, the means of compliance also differ slightly.
Shopping cart software must be protected, and the online payment portal must meet PCI requirements as well, demonstrating it has the necessary infrastructure to protect against a breach.
There are a handful of other things to keep in mind as well:
- A managed firewall
- Managed antivirus software
- SSL certificates
- Two-factor authentication
- Threat management
Both ecommerce companies and brick-and-mortar businesses must partner with a third party that's PCI compliant if they don't want to face possible financial penalties and the constant threat of a breach.