Last week we asked you to vote on the subjects you wanted to hear more about. Unsurprisingly PCI regulations came out top.
Few businesses beginning or extending their e-commerce facilities are fully aware of the regulatory framework that exists in the payments sector, and arguably, why should they be? Their first concern is the need to develop an attractive website that entices customers to buy. Additionally, information on best practice in this sector is not easy to come by and can be incomprehensible to those who don’t work in the industry.
Below we’ll do our best to outline what PCI DSS really means and how you can ensure that you are compliant.
PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements developed by the major payment brands, such as Visa, MasterCard and American Express, to ensure that retailers handle consumer card data responsibly.
Every business processing card payments needs to comply with these requirements. The first thing you will need to do is find out which level your business falls into; the levels depend on the number of credit/debit card transactions you process per year.
Level 1: The highest level, merchants processing over 6 million Visa transactions annually
Level 2: Merchants processing 1 million to 6 million Visa transactions annually
Level 3: Merchants processing 20,000 to 1 million Visa transactions annually
Level 4: The lowest level, merchants processing fewer than 20,000 Visa transactions annually
Once you know your level, there are 12 requirements to follow. They look like hard work, but most of the below is plain old common sense:
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall to protect cardholder data
Requirement 2: If you receive any vendor-supplied default passwords, change them to passwords of your own straight away
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt all cardholder data if you are sending it across open, public networks
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
How stringently these are assessed depends on which level you are required to reach: for Level 4 it can be as simple as a self-assessment questionnaire.
It’s that simple!
It’s worth noting that becoming PCI DSS compliant can be a costly and time-consuming process. One way to reduce the cost and burden of compliance, and of course your risk of a data breach, is to avoid handling card data at all.
Consider shifting the responsibility for card data to a third party. For example, have your payment pages hosted by your payment service provider. It won’t necessarily cost you more and shouldn’t hinder the customisation of payment pages or compromise your customers’ checkout experience.
For more information about PCI, have a look at the Sage Pay website.