Common myths about PCI Compliance - do I have to do anything?

If you are operating an online e-commerce store, then hopefully you're aware of PCI Compliance - here's a refresher on what you need to know, and do...

Monday, 20 September 2021 21:09

T Ruiz

What exactly is PCI?

PCI stands for the 'Payment Card Industry' - more fully, the 'Payment Card Industry Security Standards Council' (PCI SSC), the global organisation that manages card payment security. It is made up of all the major credit and debit payment card providers (MasterCard, Visa, American Express etc.).

The group oversees the 'Payment Card Industry Data Security Standard' (PCI DSS) - a set of operating requirements that every business, online or offline, that handles credit/debit card payments should comply with. The standard was created in 2004 to increase controls around cardholder data and help reduce credit card fraud - a response to the rising tide of card theft and fraud that accompanied the growing use of payment cards and the growth of online e-commerce from the late 1990s onwards.

The card providers require merchants and service providers to be validated against these PCI DSS rules, and every business that accepts and handles credit and debit card payments must follow the same standards - so if you manage or run a webstore or e-commerce platform, that means you.

PCI Compliance is regulatory, not legislative - but it is not optional. In the US, 3 states have PCI written into state law: Minnesota, Nevada and Washington.

What happens to me if I'm not following the standards?

The risk to a business that is not PCI compliant materialises if it suffers a data breach affecting any customer or cardholder data. In most cases, as a business owner you are obliged to report such an event once you are aware of it - most US states (47 out of 50) have a breach disclosure law. And if you don't report the event to your bank or payment provider, it is almost certain that an affected customer will.

Companies that are breached must immediately disclose the data breach to customers and must notify their payment processor, who will in turn notify the bank. The processor or bank will then initiate a PCI DSS audit of the merchant to establish whether the merchant was PCI DSS compliant at the time of the breach.

“Of all the data breaches that our forensics team has investigated over the last 10 years, not a single company has been found to be compliant at the time of the breach” - PCI Compliance Report, Verizon, 2015

The potential costs of being found non-PCI compliant can be dramatic, including:

  1. fines for being non-PCI compliant,
  2. charges for audits and forensic research by the bank,
  3. charges levied on future card transactions,
  4. a provider refusing to allow clients to process cards, and,
  5. serious reputational damage with customers.

It's often hard to come up with examples, since many smaller breaches and fines go unreported - and of course many businesses are in no hurry to make them public. Some examples of the fines and charges handed down over the past 6-7 years include: a US restaurant chain whose 2014 breach of credit card details cost the company $1.9 million in fines, fees and audits; and a well-known UK online travel insurance company that was fined £175,000 in 2015 for a compliance failure that allowed hackers to steal customer card data.

Total fines to UK businesses for failure to comply with PCI DSS in 2015 amounted to £1.4bn.

But I don't have to do anything, do I? My bank/hosting company/payment provider handles all that stuff.

No. And here are some common misconceptions.

Myth one: “Outsourcing card processing makes us compliant” - outsourcing simplifies payment card processing (and therefore the steps to gaining compliance), but it does not by itself provide compliance.

Myth two: “We don’t take enough credit cards to need to be compliant” - PCI compliance is required for any business that accepts payment cards – even if the quantity of transactions is just one.

Myth three: “Our vendor or software product is compliant - so we don’t need to be” - no single vendor or product fulfils all the requirements of PCI DSS. Your business is ultimately responsible for ensuring that all of its own systems and processes comply with PCI.

Myth four: “The criteria is a set of guidelines; you don’t need to be fully compliant with all of them” - merchants need to achieve 100 per cent of every requirement to achieve PCI compliance.

Myth five: “I never signed anything to say I would be compliant” - PCI applies to every business that transmits, processes or stores cardholder information – there are no exemptions.

Myth six: “My bank will inform me when I need to be PCI compliant” - merchants handling credit card data are expected to know about PCI DSS; ignorance is not an excuse.

So who is responsible for PCI Compliance?

Any business or organisation that transmits, processes or stores cardholder information.

PCI DSS applies to all forms of e-commerce implementations without exception - even on websites where payment processing is entirely outsourced (for example via PayPal). 

So what do I need to do?

PCI Compliance usually involves you conducting a ‘Self Assessment’ of your compliance, then retesting and reassessing yourself every year. If you are a complex business and take a large number of transactions, you may not be eligible for self assessment, in which case you will need an external auditor to carry out the assessment.

The type of assessment and its complexity vary according to how you handle payments and cards and how you operate (which is one reason why using an outsourced payment processor can help you, as it definitely reduces the burden). If you are unsure what you need to do, or what kind of assessment you need to carry out, contact a PCI professional, or talk to us at Watchman for advice (we have extensive experience of the PCI self-assessment process).

Typically you will need to validate and assess your processes and procedures around data security, and demonstrate that you understand how your website and payment system work (not necessarily the nuts and bolts, but at least the principal features). You will also need to think about, and understand, the risks around whoever built your website (if it wasn't you) and where and how your website is hosted.

You'll also need to demonstrate that you test your website for vulnerabilities on a regular basis (at least once every 3 months); there are dedicated online scanners you can use for this.

This all sounds like a lot of work and inconvenience - and it certainly takes some effort to test yourself the first time (get help) and to maintain a regular process of checking compliance - but, a bit like business insurance, it’s something you need so that if something ever goes wrong, you're covered.

Neglect to maintain PCI compliance and the results could be horrific - for your business at least.

About the Author

T Ruiz

Cyber Security Analyst

Tania is a cyber security analyst with practical working knowledge of defence tools and a deep understanding of the Attack Life Cycle.