PCI DSS COMPLIANCE AT A GLANCE
If you're a business running an eCommerce website, then you're probably already familiar with PCI DSS compliance. If you're a business running an eCommerce website and you're not, you should be, and most likely will be very soon. PCI DSS stands for Payment Card Industry Data Security Standard - kind of a mouthful if you ask me. OK, so what is that?
Essentially, it is a set of security standards created by the credit card companies as a way to combat fraud. The idea is that if you follow the procedures and technical standards laid out by PCI DSS, you'll drastically decrease the chance of credit card fraud, data breaches, and the mishandling of financial and personal information.
But who needs to be PCI compliant? Well, that gets a little more complicated, and on top of that question another arises: even if my company is not required to be, should we be? We explore these questions below!
If you're interested in other articles on website security, check out these other articles from our blog:
- What Wendy's Data Breach Tells us About Digital Security
- WordPress PCI DSS Compliance (& HIPAA) IS a Reality
- One Step to a safer WordPress (& CMS) Website
1. WHY DOES PCI DSS EVEN EXIST?
With the advent of online purchasing and the exchange of financial and credit information over the Internet came a new level of risk when it comes to financial fraud and identity theft. Before the Internet, the only time you would use your credit card was at the POS (point of sale) in a store or over the telephone, either to purchase something or to pay a bill. In those situations there was almost certainly another human involved (person-to-person), and that inherently reduced the risks by limiting the flow of digital information being exchanged.
Today when using a card online it's you, your computer, and that little piece of plastic in your hand as you type in the information (or it's saved in your browser... which has its own security risks...). But what you may not realize is the path that information takes after you type it in and send it on its way. As soon as you begin to type that information into your browser window, it is at risk. Malware with screen-capture or keystroke-monitoring capabilities can steal it as you type it. Attackers can monitor network traffic and steal it if it's not encrypted as it's sent. They can also infiltrate the database where your information is held after it's been submitted if it's not stored encrypted. The list of ways to steal your info goes on and on. The bottom line: there are a lot of new risks associated with online shopping (eCommerce).
PCI DSS was created to set a standard of best practices that, when properly implemented, greatly reduce the risk of consumer data being stolen. It does so by taking a multi-faceted approach to digital security.
2. PCI COMPLIANCE - A MULTI-FACETED APPROACH
In order to properly defend consumers' credit card information (and other information), as well as companies against harmful litigation from potential breaches, a multi-faceted approach was needed.
PCI DSS ONLINE (ECOMMERCE)
A big part of the PCI DSS requirements involves your website and the server it is hosted on - however, this only really applies to you if you're taking credit cards over the web. This often applies to companies that have online stores (eCommerce - usually B2C) or customer portals (B2B) where customers can place orders and pay online. These standards contain requirements for your website's and server's security measures. These include but are not limited to:
- SSL and encryption protocols
- On-server firewall requirements
- Website access protocols and procedures (i.e. who has access to the site's admin pages)
- Security protocols that relate to the CMS you're using (e.g. WordPress and/or Drupal)
PCI DSS IN-OFFICE/IN-STORE
The other part of PCI DSS that those strictly in eCommerce may not know about is the in-office/in-store side of PCI compliance. It relates to how credit card information is handled when it is received in-store or in-office by some medium other than an online store (often by phone, sometimes by email, etc.).
There is a set of procedures and standards regarding the handling and storage of this information in your office. On top of this, there can be standards regarding your in-office network's firewall and servers (if you have locally hosted servers) running POS software, or software like inventory management platforms, that accept and process credit card transactions.
Whatever part of PCI DSS applies to your company or business, you'll need to perform regular scanning of these assets (in-office network, servers, websites) and report the results to an accredited PCI DSS authority. Most likely you'll need to partner with a digital agency that specializes in digital security in order to meet PCI DSS requirements and stay compliant.
3. OK... SO WHO HAS TO BE PCI COMPLIANT?
The only people who have to be PCI compliant are those that are required to be by an outside entity, usually a bank. One good example is US Bank. US Bank requires all banking customers that handle credit cards, either in-office or online, to be PCI compliant. This is increasingly becoming a pattern amongst banks looking to reduce the risks and costs associated with cyber attacks and data breaches. Some of these risks include:
- Expensive litigation from affected users
- Fraud penalties levied by credit card companies
- Reimbursement for affected users
- Repair and recovery for affected systems
This is not to say that you shouldn't be PCI compliant even if you're not required to be. PCI DSS is a set of guidelines designed to protect you and your customers. That means it is a great place to start when it comes to digital security, both online and offline.
WRAPPING UP
Not everyone needs to be PCI compliant, but anyone who sells online or accepts credit cards in-office/in-store should be. PCI DSS serves as a great foundation for a solid security policy and will help you protect yourself and your customers. For more answers to your PCI DSS questions, click below and download our free PCI DSS Q & A. It will help you get started down the path to full PCI DSS compliance!
