Why So Complicated? A Beginner's Guide to PCI Compliance
Most people start businesses because they want to do something they’re passionate about, but often they don’t account for all of the necessary red tape. So, it’s likely that when someone creates a website to sell hand-knitted scarves for Labrador retrievers, he or she probably didn’t put a lot of thought into ensuring the site was Payment Card Industry (PCI) compliant.
For starters, many people aren’t entirely familiar with the PCI compliance, and even when they are made aware of it, actually making sense of it all and implementing PCI security standards on one’s website seems like a lot of work that may not be worth the hassle. At its most basic level, however, PCI compliance isn’t that hard to understand; it’s just a matter of organizing and simplifying all of the information and jargon you’re being bombarded with.
Defining the Issue
Let’s take a step back; where does all of this PCI stuff come from? The PCI Security Standards Council was formed in 2006 as a joint effort between five global payment brands – American Express, JCB International, MasterCard Worldwide, Discover Financial Services and Visa Inc. This group then developed the Data Security Standard (DSS), a collection of rigid requirements put in place to “ensure that all companies that process, store or transmit credit card information maintain a secure environment.”
Essentially, any organization or merchant that handles credit, debit or prepaid cards branded by one of the founding companies (and if they’re operating an e-commerce site in 2011 without accepting major cards, they have other issues) is subject to the PCI DSS.
PCI compliant businesses are split into four groups, or “levels,” based on their transaction volume, which is determined by their aggregate number of Visa transactions. Level 1 merchants are those that process over $6 million in Visa transactions a year; Level 2 merchants process between $1 million and $6 million; Level 3 merchants process between $20,000 and $1 million; and Level 4 merchants, which make up most small and medium-sized businesses, process less than $20,000 in Visa transactions year. This last group also includes all non-e-commerce merchants, regardless of acceptance channel, who process up to $1 million transactions a year.
Is it Worth it?
Because PCI compliance isn’t an actual federal law, and it is the payment brands and acquiring banks that are responsible for enforcing it, it can be a little difficult, not to mention intimidating, for a business to become compliant. In fact, to less Web or financially savvy owners, it may seem easiest to just skip this part of the process. Bad idea.
At the very least, complying with PCI Standards is important because it shows consumers that your website is trustworthy. Websites that aren’t willing to go through the process of having their security systems verified by the PCI are suspect, at best, and there is no better way to drive customers away from your business than giving them a reason not to trust you. That being said, it’s important to know that while displaying trust signals from companies like VeriSign or TRUSTe on your site is another great way to inspire confidence in consumers about the security of your site, having these SSL certificates is not the same thing as being PCI compliant, but rather they are complimentary steps that show potential customers that you've taken the precautions necessary to protect their data.
As far as business partnerships go, PCI compliance is also the best way to create a positive reputation with acquirers and payment brands that you’ll need contact with to conduct business.
Perhaps most importantly, however, is that PCI compliance allows you to keep your website secure as tactics for compromising data evolve and become more sophisticated. The PCI Security Standards Council “is constantly working to monitor threats and improve the industry’s means of dealing with them,” meaning the security and integrity of your website will always be protected by the ever-adapting technology of the Council. This not only protects user data, but it also keeps your business safe from potential lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines.
The most complicated part of PCI compliance is getting started. Fortunately, the act of being PCI compliant can be boiled down to three steps.
The first thing a business needs to do is assess, which means to inventory its IT assets and business processes for payment card reprocessing then analyzing it for information that could expose cardholder data. This step is in place to spot any possible vulnerabilities in a system. Options for assessing a business include a Self-Assessment Questionnaire (SAQ), which allows merchants and/or service providers to evaluate themselves for PCI compliance, or independent qualified assessors provided by the Council. There are two types of independent assessors: Qualified Security Assessors that follow a strict procedure to determine whether or not a business is PCI compliant, and Approved Scanning Vendors that provide “commercial software tools” that perform vulnerability scans on a business’ systems.
Once any potential vulnerabilities are assessed, the next step is to remediate, which means fixing the technical flaws or unsafe practices that may expose customer data. This includes taking action like “applying patches, fixes, workarounds and changes to unsafe processes and workflow.” After remediating your site for PCI compliance, you should always reassess to make sure that the work you do during the remediation step is in place and operating properly.
Finally, merchants must regularly report to the acquirers and global payment brands that they’re doing business with; these reports are usually quarterly. The types of reports that need to be completed vary depending on the size of a merchant (their “level”) and the requirements of their partners, so each business should discuss with their acquirers to figure out the exact details of what needs to be included in these reports and how they should submit them.
PCI compliance is such an important part of Internet security, for both consumers and website owners, that it cannot just be ignored. However, it’s also understandable that many new business owners and merchants may be tempted to just disregard it because it can seem like a scary task to tackle and the benefits aren’t always obvious. But when you strip away the jargon and look at it from a very basic level, it becomes much more manageable.