With credit card data thefts from large companies and organizations continuously hitting the headlines, the card brands are beginning to demand more from ecommerce merchants, large and small, to ensure that their sites are secure.
PCI (Payment Card Industry) compliance has been optional for many small merchants up to now, but that may be about to change very soon.
Until recently, PCI compliance was only mandatory for Level 3, 2 and 1 merchants; i.e. those processing more than 20,000 transactions a year, or those identified as having poor security processes or having already suffered a breach.
As of October 2006, PCI compliance became mandatory for all merchants accepting American Express, including Level 4 merchants (those with 1 to 20,000 transactions per year). However, most small merchants are still unaware of this and will remain unaware until something goes wrong.
From October 1, 2009; Visa will also be telling many small merchants that they can no longer accept Visa credit card payments unless they have taken steps towards achieving PCI compliance.
You can probably expect to see the other companies following suit very soon; so it's time to get prepared.
Online store owners who are obligated to implement a PCI compliance program and don't become compliant may lose the ability to process card transactions, and may face fines from the card brands if their systems are breached.
In a nutshell, this means that if your online store processes payments by credit card, you'll need to become PCI compliant. It's not something you can do entirely on your own, as PCI compliance requires vulnerability scanning and verification by an approved third party.
It all sounds a little scary if you haven't been through it before. While it is an inconvenience and can be costly depending on the vendor you select, the process isn't as difficult as you might expect. Much of the complexity depends on the scanning vendor you engage, so shop around: you'll find huge variations in price and support.
What is PCI compliance?
PCI compliance means meeting a set of security requirements designed to protect cardholder data wherever it is transmitted, processed or stored. The requirements are validated by specific auditing procedures, some of which are automated, the others requiring merchant input. The underlying standard, the Payment Card Industry Data Security Standard (PCI DSS), is adopted by all of the major card brands.
PCI compliance for most merchants, that is those processing up to 6 million transactions a year, consists of the following elements:
- Quarterly external vulnerability scan by an Approved Scanning Vendor (ASV)
- An annual PCI compliance self assessment questionnaire (SAQ)
Quarterly PCI compliance scan
The scanning vendor you engage will run a battery of automated tests against your externally facing web site and other Internet-facing systems, and then provide a report. The scans are very thorough and test for hundreds of different issues.
The report will contain a great deal of detail, with the findings ranked by severity. Depending on the issue uncovered, a finding may be just an advisory on how you can improve your security; but there will also be flags marking items that prevent your site from passing the scan and therefore from being PCI compliant.
A good vendor will then work with you, and with your web host if necessary, to help you address those issues and re-scan.
PCI compliance self assessment
In addition to the scan, you'll also need to complete a PCI compliance self assessment questionnaire; a sample of which can be viewed here (PDF). It's broken down into the following requirement sections:
Many merchants may find the form utterly confusing given some of the terminology, but again, a good PCI compliance vendor will assist you with completing it, and the form will likely be an online version of the sample.
The benefits of PCI compliance
While all this may seem to be a terrible inconvenience, there are certainly some positive spinoffs from becoming PCI compliant; including
PCI compliance scanning vendors
Like any certification service, you have a wide range of choices and a wide range of pricing. The important thing to remember is that as long as the vendor is approved by the PCI Security Standards Council to provide scans and compliance reports, that's enough to satisfy the card brands. One caveat: a passing scan does not shift liability to the vendor. If your systems are breached, you as the merchant remain responsible to your acquiring bank and the card brands, so treat the scan as a check on your security, not a substitute for it.
Having said that, you don't want to engage the services of a vendor who has poor communications. Time is money, and the less time you need to spend on this exercise, the better. It's also important to choose a scanning vendor who will go beyond just handing you a report and then leaving you to figure it out on your own.
I recommend checking out Trust Guard. They are one of the leading companies in the space and have some of the best pricing around. Trust Guard also provides a broad range of other services, such as web site security seals and certification programs, of which PCI compliance scans are a component.
In the interests of transparency and disclosure, please note that the owner of Taming the Beast.net often receives goods and services mentioned in reviews for free, or may receive payments or affiliate commissions for advertising or referring others to merchants of products and services reviewed.
Copyright information.... This article is not available for reproduction without explicit written permission from Michael Bloch and Taming the Beast.net
copyright (c) 1999-2011 Taming the Beast Adelaide - South Australia