Juniper Research predicts that online payment fraud will cause $48 billion in losses by 2023. This staggering amount places a huge responsibility on eCommerce website owners to do more to protect their customers’ payment information. The major card brands, acting through the PCI Security Standards Council, maintain the Payment Card Industry Data Security Standard (PCI DSS) to govern how card data is handled, online transactions included. It is meant to guide website owners in securing customer information.
A common misconception is that PCI is unreasonably tough and demands too much effort from eCommerce website owners. Therefore, this comprehensive guide intends to demystify PCI DSS compliance. What is PCI? What are its benefits? Are there any risks that come with non-compliance? What are the requirements for compliance? Read on for the answers to these questions.
What Does It Mean To Be PCI Compliant?
PCI DSS is a set of security requirements defined by the major card brands. These requirements are aimed at protecting the consumer who makes purchases on eCommerce websites. Essentially, they should already be part of the routine security practice of any website. PCI DSS mostly formalizes measures that website owners should have been taking anyway to protect their customers.
Online businesses operate on high levels of trust. At the same time, the nature of card-not-present transactions leaves many loopholes that can be exploited by malicious individuals. From identity theft to a storefront that serves malware to its own visitors, there is no limit to the damage that a security breach can do.
Being PCI compliant means that you restrict access to cardholder data, enforce strong passwords, and use firewalls, among other controls. It is all about proper handling of card data on your website. Although PCI DSS is not a law, compliance is a contractual obligation under your merchant agreement with your acquiring bank, so it is effectively mandatory for any eCommerce website that accepts cards. Failure to implement these practices has serious consequences.
What Are the Benefits Of Being PCI Compliant?
PCI compliance on its own does not make your e-commerce store secure. A strong security strategy acknowledges that there will always be some level of risk. Therefore, it requires more than PCI. Frequent assessment is necessary to ensure data stays safe. Even so, PCI compliance has a lot of benefits for your eCommerce business.
- Prevents identity theft
- Protects customer data
- Increases customer confidence
- Avoids fines associated with non-compliance
- Limits the financial exposure (fines, forensics, card replacement) that follows a breach
A common misconception is that small stores do not have to be PCI compliant. Cybercriminals are opportunists and target any business with vulnerabilities. In fact, it is easier for them to hack many small eCommerce websites than to do the same to a large online retailer. Therefore, the benefits of being PCI compliant cut across all merchants dealing on the internet.
The Repercussions Of Being Non-compliant
An eCommerce website owner who does not comply with PCI DSS can face one or more of the following consequences:
- Non-compliance fines – the card brands such as Mastercard, American Express, and Visa levy fines on the acquiring bank of a non-compliant merchant, and the acquirer passes them on to you under your merchant agreement. The brands see fraud patterns across all their cardholders and are well placed to trace fraud back to your website. Fines range from $86,500 to $4 million.
- Loss of customer confidence – breach notification laws in every US state require merchants to notify affected customers of a data breach, and some require you to provide credit monitoring to the affected customers for a year. This will cause customers to lose confidence in your ability to protect their data.
- Liability claims – customers affected by an information breach can sue you. As a business owner, protecting your customers’ data is your responsibility, and a breach that traces back to missing controls leaves you exposed to liability claims.
- General Data Protection Regulation – any business serving EU residents that suffers a breach must notify its supervisory authority within 72 hours of becoming aware of it. Failure to do this attracts heavy fines. This law holds merchants accountable for the protection of sensitive customer information.
- Ban on card acceptance – a data breach is treated as a sign of irresponsibility on your part. Once it happens, your acquiring bank or the card brands may revoke your ability to accept card payments. This has a direct impact on the number of customers you can serve.
- Mandatory forensic investigation – you will have to engage a PCI Forensic Investigator (PFI) to examine your environment. This investigation is often expensive and time-consuming. The minimum cost of a forensic investigation is $20k. It is cheaper to ensure PCI DSS compliance and prevent information breaches.
- PCI compliance reassessment – to start receiving card payments again, your website will have to undergo PCI reassessment by a Qualified Security Assessor (QSA).
- Bearing card replacement costs – since your customers will have to get new cards after a breach, you might have to bear extra costs. Card issuers can charge you a card replacement fee of $3 – $10 per card.
The consequences of being non-compliant are severe. It is much easier to put some effort into ensuring your website is in line with PCI DSS.
How To Be PCI Compliant – The Complete Checklist
PCI DSS has a number of requirements to be followed. It may seem daunting for a small eCommerce website to implement each of these requirements, but it is worth it for your data safety. This is the complete PCI DSS checklist:
- Secure your network and system components
Your network should be protected by a firewall. Once you have identified your cardholder data environment (CDE), the firewall segments it from the rest of your network so that only the traffic you explicitly allow reaches it. System components such as extensions and plugins must be kept current with security patches, so that known-vulnerable code is never exposed and no malicious component finds its way onto your website.
- Disable vendor-supplied defaults
Vendor-supplied default accounts and passwords compromise the security of your system. Change every default password and remove the accounts you do not need before a system goes live. Non-console administrative access should be protected with strong encryption (for example SSH or TLS rather than telnet or plain HTTP). Document the process you use to manage vendor defaults so that it is repeatable and can be shown to an assessor.
- Secure cardholder data
Securing customer data needs a two-fold strategy. The first is using a trusted payment gateway so that card numbers never touch your own servers. The second is not storing card data yourself: never retain sensitive authentication data (the CVV/CVC code, full magnetic-stripe track data or PIN) after authorization, and if you must keep the primary account number (PAN), render it unreadable through truncation, tokenization or strong encryption. These measures, supplemented with ensuring employees follow recommended security practices, will ensure cardholder data remains safe.
- Encrypt data transmission
All cardholder data transmitted across open, public networks must be encrypted. Serving your checkout over HTTPS handles this, but note that SSL and early TLS (TLS 1.0) are no longer acceptable under PCI DSS; configure your server for TLS 1.2 or later with strong cipher suites, and do not rely on a padlock icon alone as proof that the connection is safe.
- Plan for vulnerability management
Your systems must be protected around the clock, so you need a plan that anticipates new vulnerabilities at any time. Vulnerability management includes deploying anti-malware software across the environment, keeping all software patched (critical security patches applied within a month of release), and documenting the strategy you follow.
- Use business need to know to restrict access to cardholder data
All your systems should only be accessed by authorized individuals. Cardholder data should be accessed on a need-to-know basis. This means that you should have access controls that prevent unwarranted access to sensitive information, with access denied by default unless it is explicitly granted for a job function. Your employees must be informed about the policies as well.
- Authenticate system access
Each person who accesses your systems should do so with a unique ID. Furthermore, multi-factor authentication is required for all remote access and for any administrative access to the cardholder data environment. There should be no group accounts, shared passwords, or other authentication methods that make it impossible to tie an action to one person.
- Regulate access to cardholder data
Physical access to cardholder data should not be available to everyone in your organization. Whether this access is through devices or hardcopies of payment information, it must be controlled.
Unauthorized personnel should not be able to view cardholder data, and where a PAN must be displayed it should be masked (at most the first six and last four digits visible). The data should be monitored to identify breaches as soon as they happen. Destroying cardholder data you no longer need is the most effective control of all: any data with no business purpose should be permanently deleted.
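The two points above, not keeping card data you do not need and never showing a full PAN, are easiest to enforce if you can find card numbers where they should not be. The script below is an added example written for this article, not code from the original page or from any PCI body. It scans text such as application logs or database exports for candidate card numbers, uses the Luhn check to separate real PANs from order numbers and timestamps, and reports or rewrites them in masked first-six/last-four form. The log lines and card numbers are constructed test data (the well-known 4111 and 5500 test PANs), and the separators it tolerates (single spaces or dashes) are an assumption about how your data is formatted.

```python
"""
PAN discovery and masking helper (added example, not from the original page).

Assumptions (not stated in the article):
  - Input is plain text; PAN digits may be split by single spaces or dashes.
  - Masking policy is the PCI DSS 3.3 maximum: keep the first six and
    last four digits, replace the rest with 'X'.
"""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log; the card numbers are public test PANs, not real ones.
SAMPLE_LOG = [
    "2023-06-01 12:00:01 INFO order=100234567890123 paid card=4111 1111 1111 1111 amount=49.99",
    "2023-06-01 12:00:05 INFO order=100234567890124 declined card=5500-0000-0000-0004",
    "2023-06-01 12:00:09 DEBUG request_id=123456789012345 cache miss",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Every real PAN passes it, so it filters out
    order numbers and timestamps that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _normalize(candidate: str) -> str:
    """Strip the separators so the PAN is a plain digit string."""
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid PAN in text, digits only."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """First six and last four digits visible, everything between masked."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Rewrite text with each Luhn-valid PAN replaced by its masked form,
    leaving non-PAN digit runs untouched."""
    def _sub(m: "re.Match") -> str:
        digits = _normalize(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return mask_pan(digits)
        return m.group(0)
    return _CANDIDATE.sub(_sub, text)


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (line number, masked PAN) for every PAN found. The report
    deliberately never contains the full number."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: PAN found, masked form {masked}")
    print(redact(SAMPLE_LOG[0]))
```

Run it over exported logs or database dumps before an assessment; a non-empty report means card data is being stored somewhere it should not be, and `redact` gives you a safe way to keep a log line while removing the PAN from it.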
- Audit system access
Because every login uses a unique ID, you can audit your systems and obtain logs of who accessed what, when, and from where. Logs must be kept current and reviewed at least daily, and retained long enough (a year, with the most recent three months immediately available) to investigate an incident. In case there is a breach of information, the logs are what lets you reconstruct the incident, resolve it, and prevent a repeat.
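Daily log review is only useful if someone knows what to look for. The following is an added example written for this article, not code from the original page, showing the kind of checks that tie together the unique-ID, need-to-know and audit requirements above: it parses constructed access-log lines and flags generic shared account names, repeated failed logins from one source, and reads of cardholder data by anyone outside an authorized list. The log format (`timestamp key=value ...`), the list of authorized users, the shared-name pattern and the thresholds are all assumptions for the example; the six-attempt lockout limit matches PCI DSS v3.2.1 Requirement 8.1.6.

```python
"""
Daily audit-log review (added example, not from the original page).

Assumptions (not stated in the article):
  - Each log line is "<ISO timestamp> key=value key=value ...".
  - AUTHORIZED_CDE_USERS is the need-to-know list for cardholder data.
  - Names matched by SHARED_ID_PATTERN are treated as shared/generic IDs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

AUTHORIZED_CDE_USERS = {"alice", "bob"}           # assumed need-to-know list
SHARED_ID_PATTERN = re.compile(r"^(admin|root|support|shared|test)\d*$", re.I)
MAX_FAILED = 6                # PCI DSS v3.2.1 req. 8.1.6: lock out after at most six attempts
FAIL_WINDOW = timedelta(minutes=30)

# Constructed sample log, not real data.
SAMPLE_LOG = [
    "2023-06-01T08:02:11 user=alice src=10.0.1.5 action=login result=ok",
    "2023-06-01T08:03:40 user=alice src=10.0.1.5 action=read resource=cde object=card_tokens",
    "2023-06-01T08:10:02 user=admin src=10.0.1.9 action=login result=ok",
    "2023-06-01T08:10:30 user=admin src=10.0.1.9 action=read resource=cde object=card_tokens",
    "2023-06-01T09:15:00 user=carol src=203.0.113.7 action=login result=fail",
    "2023-06-01T09:17:00 user=carol src=203.0.113.7 action=login result=fail",
    "2023-06-01T09:19:00 user=carol src=203.0.113.7 action=login result=fail",
    "2023-06-01T09:21:00 user=carol src=203.0.113.7 action=login result=fail",
    "2023-06-01T09:23:00 user=carol src=203.0.113.7 action=login result=fail",
    "2023-06-01T09:25:00 user=carol src=203.0.113.7 action=login result=fail",
    "2023-06-01T09:30:00 user=carol src=203.0.113.7 action=login result=ok",
    "2023-06-01T09:31:00 user=carol src=203.0.113.7 action=read resource=cde object=card_tokens",
]

Finding = Tuple[str, str, str]   # (kind, subject, ISO timestamp)


def parse_line(line: str) -> Dict[str, object]:
    """Split one log line into a dict; 'ts' is a datetime, the rest are strings."""
    ts, _, rest = line.partition(" ")
    rec: Dict[str, object] = {"ts": datetime.fromisoformat(ts)}
    for token in rest.split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def review(lines: List[str]) -> List[Finding]:
    """Run the three checks and return findings sorted by time."""
    findings: List[Finding] = []
    flagged_shared = set()
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins

    for line in lines:
        r = parse_line(line)
        ts: datetime = r["ts"]  # type: ignore[assignment]
        user = str(r.get("user", ""))

        # 1. Unique IDs only: a generic name cannot be tied to one person.
        if SHARED_ID_PATTERN.match(user) and user not in flagged_shared:
            flagged_shared.add(user)
            findings.append(("shared-id", user, ts.isoformat()))

        # 2. Collect failed logins per user/source for the brute-force check.
        if r.get("action") == "login" and r.get("result") == "fail":
            failures[(user, str(r.get("src", "")))].append(ts)

        # 3. Need to know: cardholder data read by someone not on the list.
        if r.get("resource") == "cde" and user not in AUTHORIZED_CDE_USERS:
            findings.append(("unauthorized-cde", user, ts.isoformat()))

    # MAX_FAILED or more failures inside FAIL_WINDOW from one user/source.
    for (user, src), times in failures.items():
        times.sort()
        for i in range(len(times) - MAX_FAILED + 1):
            if times[i + MAX_FAILED - 1] - times[i] <= FAIL_WINDOW:
                findings.append(("brute-force", f"{user}@{src}", times[i].isoformat()))
                break

    findings.sort(key=lambda f: (f[2], f[0]))
    return findings


if __name__ == "__main__":
    for kind, subject, when in review(SAMPLE_LOG):
        print(f"{when} {kind:16} {subject}")
```

On the constructed log this reports the `admin` account twice (shared name, then a cardholder-data read it is not authorized for), the burst of failed logins against `carol`, and the subsequent read of card tokens by `carol`, who is also not on the need-to-know list. Each finding is the kind of item the daily review should turn into a ticket rather than a line in a report nobody reads.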
- Test the security of systems regularly
Since websites face continuous threats, you must scan your systems and processes regularly to identify weaknesses that need to be worked on. PCI DSS calls for internal and external vulnerability scans at least quarterly and after any significant change, with the external scans performed by an Approved Scanning Vendor (ASV). You should also monitor critical system files for unauthorized changes and alert on them, since an unexpected change is often the first visible sign of a compromise.
As part of testing, carry out penetration testing of the website at least annually and after significant changes. It is better to know which areas of your website are vulnerable to attack so you can fix them before someone else finds them.
- Have an information security policy
Your business should have a single policy document that applies to all your employees. The document should address all aspects of information security. The policies should clearly define expectations and enumerate the specific guidelines to be followed to prevent an information security breach.
All employees should be aware of the importance of securing cardholder data. You should also have an incident response plan, tested at least annually, so that you can respond to a system breach with speed and accuracy rather than improvising under pressure.
Final Take On PCI DSS Compliance
PCI compliance is necessary for any eCommerce website. Not only does it protect customer data, but it also increases confidence in your business. There are many benefits that come with implementing the controls the PCI Security Standards Council requires. At the same time, non-compliance comes with a fair share of consequences. From fines to losing the ability to accept card payments, there will be many negative effects of non-compliance on your business.
Security is a continuous affair. Therefore, it is easier, cheaper, and less stressful to put measures in place to prevent security breaches.