Online Security & Protection Measures: What All Ecommerce Owners Need to Know About PCI Compliance
The modern world of technology can be a frightening place. Sure, the internet has democratized information for developed countries and is continuing to do so for emerging and developing countries across the globe. Big data is reaching a tipping point at which its use and its profitability are growing together, and at exponential rates. Yet, with all of our modern technologies and innovations, one very real concern still weighs heavily on the minds of most consumers: security.
This couldn’t be more true in the ecommerce industry, an industry rife with tales of breaches and hacker takedowns. Whether you’re talking Wal-Mart, Target or Home Depot, few retailers are safe. In fact, in 2014, reports showed that some 43% of companies had experienced a data breach of some sort.
That’s a lot of information falling into the wrong hands, but before we really start to worry, know this: there are solutions.
Enter the PCI (Payment Card Industry) Data Security Standard (DSS)
The PCI Security Standards Council (PCI SSC) defines the Data Security Standard (DSS), a set of security requirements that applies to every merchant that stores, processes or transmits cardholder data, regardless of revenue or card transaction volume.
Achieving and maintaining PCI compliance is the ongoing process an organization undertakes to ensure that it adheres to the security requirements defined by the PCI SSC.
The SSC defines and manages the standard, while compliance with it is enforced by the card brands (Visa, Mastercard, American Express, Discover and JCB) through the acquiring banks that sign up merchants. Again, the standard applies to all organizations that handle cardholder data. Cardholder data refers specifically to the primary account number (PAN, the card number) and, when stored together with the PAN, the cardholder name, expiration date and service code. The security code printed on the card (CVV2, CVC2 or CSC), together with full magnetic-stripe or chip data and PINs, is classed separately as sensitive authentication data, and the DSS forbids storing it after authorization, even encrypted. A merchant that logs or saves security codes, for example to make repeat orders easier, is out of compliance no matter how well the rest of the environment is secured.
And, here’s the kicker: it is the retailer’s responsibility to ensure PCI compliance. For online retailers operating a SaaS based ecommerce store that never touches cardholder data (which is the case for most modern SaaS commerce platforms, where the card form is hosted by a validated payment provider and only a token is returned to the store), the compliance burden is reduced dramatically, but it is not eliminated. You still need to confirm that the platform and payment provider are PCI DSS validated, keep your own site from ever receiving card numbers (for instance through a misconfigured checkout or a customer support form), and complete the reduced self-assessment questionnaire (SAQ A in current versions of the DSS) that your acquirer asks for. The heavy lifting has been taken care of by the experts working on the backend of your technology.
If you host and manage your own ecommerce platform, you will need to ensure PCI compliance for your organization, and the first step is to determine your merchant level, which dictates how compliance must be validated.
All online merchants fall into one of four levels based on credit or debit card transaction volume over a 12-month period; the exact thresholds are set by each card brand. The DSS requirements themselves are the same at every level; what changes is how rigorously compliance must be validated. Level 1 is the most strict, while Level 4 is the least strict.
Almost all small and medium sized businesses (SMBs) fall into the lower Level 3 or Level 4 tiers. That does not excuse them from maintaining compliance with the same diligence as larger organizations. In fact, it is a costly misconception among SMBs that they do not need to worry about compliance at all because they do not do a significant volume of online or in-store sales; the technical requirements are the same, and a breach at a small merchant still brings fines, forensic investigation costs and possibly the loss of the ability to accept cards.
How to Achieve PCI Compliance on Your Own
The PCI DSS follows common-sense steps that mirror security best practices. There are three steps for adhering to the PCI DSS, which is not a single event but a continuous, ongoing process:
- First, Assess: identify the cardholder data you are responsible for, take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data. This includes finding card numbers that have leaked into places they were never meant to be, such as application logs, database backups and support tickets.
- Second, Remediate: fix the vulnerabilities and do not store cardholder data unless you absolutely need to. Wherever cardholder data can be held by a PCI DSS validated third party (a payment gateway or tokenization service) instead of by you, that is the ideal, because nothing reaches compliance more quickly than not storing, processing or transmitting card data at all.
- Third, Report: compile and submit any required remediation validation records, and submit compliance reports (a self-assessment questionnaire or, for the largest merchants, a Report on Compliance) to the acquiring bank and card brands you do business with.
Keep in mind that merchants whose own internet-facing systems are in scope for the DSS must pass quarterly external vulnerability scans run by a PCI SSC Approved Scanning Vendor (ASV). The largest (Level 1) merchants also require an annual on-site assessment by a Qualified Security Assessor (QSA), which results in a Report on Compliance rather than a self-assessment.
In all, online security and data protection standards are continuously rising. SaaS platforms build this type of protection into their service, while online businesses not using a SaaS solution are required to achieve the same compliance levels as any other online merchant.
I believe Nate Silver said it best. In a recent Freakonomics podcast, Silver spoke briefly about human error when it comes to mass adoption of new technologies.
“When the personal computer became commonplace in the workforce in the 1970s and then in the home in the early 1980s, it took a while before there were any tangible signs of productivity gains in the economy –– meaning like ten or fifteen or twenty years, even. So I think people love new technology, but they overestimate how much of the kind of human factor gets in the way. I’m not trying to be cute about that, I just mean that people need to learn how to use these tools, what they can do, what they can’t do.”
Online security is beginning to reach that same point of broad adoption. This means that, like the computer, people are seeing online data protection as a necessity rather than a nice-to-have. Sure, big name breaches brought the issue into the public eye, but since then much has been done to educate the public and online merchants about the full scope of the problem and the possible solutions.
PCI DSS is not a law but an industry standard enforced through a merchant’s contract with its acquiring bank; still, it is just one of many requirements put in place to protect both online businesses and their customers.