FAQ Fridays: We Failed Our PCI Compliance Scan
Aug 28, 2020 3-MINUTE READ
Q: Hello, my company recently failed our PCI compliance scan.
Three months ago, my small business (an online dating product) launched. I got a merchant account for credit card processing. My merchant statement has a PCI non-compliance monthly fee. I’m being charged $30 a month for this. This wasn’t a big deal to me until my credit card processor kept asking for proof that we were PCI compliant. We performed a PCI compliance scan, but we failed it.
How do we pass it so we can be compliant and not risk our payment provider shutting us down?
A: Well, first of all, it's rare for a payment provider to shut down a merchant's payments just because they failed a PCI compliance scan.
Your payment processor may hold your funds, and it will usually charge you a PCI non-compliance fee. Shutting you down entirely is an extreme step, normally reserved for merchants who suffer a significant data breach. Non-compliance penalties vary widely, from as little as $20 to as much as $10,000 per month.
Let's start by explaining a few things.
What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard that applies to any business that stores, processes or transmits payment card data. Its goal is to ensure that e-commerce businesses handling card transactions have no weak points in their technical environment, and that consumers are entering their card and personal details into a protected website on a secure network. That is why payment processors ask merchants for proof of PCI compliance.
Many merchants either ignore this or give up and simply pay the non-compliance fees. The biggest reason is that they don't know what PCI DSS is or don't understand it. Another is that they assume they're compliant because they use a third-party shopping cart or CRM to process transactions.
Outsourcing this part of your online business reduces what you have to secure, but it doesn't remove your obligation to meet the standard. PCI compliance is a little more complicated than that.
It’s your e-commerce business’s responsibility to be compliant
The PCI Security Standards Council (PCI SSC) maintains the standard, but it's you who must make sure every component of your e-commerce environment meets it. Your CRM, your shopping cart, your payment gateway and your merchant account all have to be PCI compliant. When the card brands give you the privilege of accepting card payments online, you have to respect their rules.
Say your checkout captures $1 million a month in orders paid with American Express, Visa and Mastercard credit and debit cards, along with customers' other personal details. It's your responsibility to keep that data from being stolen; failing to do so is how a data breach happens. Make every effort to pass your PCI scan if you're asked to. Any vulnerability in your payment processing channel can spell big trouble.
PCI DSS is a standard requirement for every business that accepts card payments online. It doesn't just protect the card brands and merchant account providers from liability after a security breach. Meeting the payment card industry's data security standards protects your business too.
A PCI scan isn’t mandatory for every online company
Not every merchant has to perform a PCI scan. There are different self-assessment questionnaires (SAQs) and scan requirements depending on how your e-commerce setup handles card data.
For example, merchants who use a third-party shopping cart or CRM for checkout, so that no cardholder data is stored in their own environment, typically only need to complete one self-assessment questionnaire, SAQ A or SAQ A-EP. Examples of such tools include ClickFunnels, Konnektive and Sticky.io. Which of the two applies depends on how much of the payment page your own site controls, and it matters for the scan question: SAQ A does not require a quarterly external vulnerability scan, while SAQ A-EP does.
Most small merchants fall into this category. But keep in mind that even when card data is passed straight to a third party for storage, there is still a breach risk. Your checkout process is capturing a lot of customer information, and the page and code that collect those details and hand them to the payment gateway or CRM can themselves contain vulnerabilities.
The kind of data you're collecting warrants a published privacy and security policy on your website, visible to every visitor who agrees to interact and transact with you. It's also why your provider asked for proof of a passing scan.
The good news is that failing a PCI compliance scan isn't unusual and is usually straightforward to correct. Work with your developer and the Approved Scanning Vendor (ASV) that ran the scan. Review the scan report: it lists each failing finding, the host it was found on and a severity rating, and a scan fails on any vulnerability scored at CVSS 4.0 or higher. Fix each finding, then request a rescan. In practice the failures are ordinary vulnerabilities in your technical environment, such as unpatched software or outdated TLS settings, that your developer needs to fix; if a finding is a false positive, the ASV has a dispute process for it.
Here are a few questions you might want to ask before your next scan:
Are your security protocols outdated? PCI DSS has prohibited SSL and early TLS (TLS 1.0) since 30 June 2018, so make sure your site accepts only TLS 1.2 or later with strong cipher suites, and that your certificate is valid, correctly chained and not expired. Many findings disappear if you rely on payment gateways and shopping carts from PCI-validated vendors. Renew your certificate before it expires.
Does your environment encrypt customers' personal data, both in transit and wherever it is stored, so that an intrusion into one component doesn't expose it?
Is any software or plugin on your back end, such as a firewall or web application firewall that blocks the scanner, preventing the scan from completing? If so, allow the ASV's scanner addresses through for the duration of the scan or remove the conflict; a blocked scan is not a passing scan.
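The first of these checks is the one ASV scans most often fail on, so here is what the fix looks like on a web server. This is an added example, not configuration from the original post or from any vendor named in it: it assumes an nginx front end, and the hostname `checkout.example.com` and certificate paths are placeholders. The weak block is shown only for contrast; deploy the corrected one in its place.

```nginx
# Added example (not part of the original post). Hostname and file paths
# are placeholders; use only one of the two 443 server blocks.

# --- Weak: still offers SSLv3, TLS 1.0 and TLS 1.1 and legacy ciphers.
# PCI DSS has prohibited SSL and early TLS since 30 June 2018, so an ASV
# scan against this configuration fails.
server {
    listen 443 ssl;
    server_name checkout.example.com;

    ssl_certificate     /etc/ssl/certs/checkout.example.com.pem;
    ssl_certificate_key /etc/ssl/private/checkout.example.com.key;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:MEDIUM:!aNULL:!MD5;   # MEDIUM still permits 3DES
}

# --- Corrected: TLS 1.2 and 1.3 only, forward-secret AEAD ciphers, and
# HSTS so browsers never fall back to plain HTTP for the checkout.
server {
    listen 443 ssl http2;
    server_name checkout.example.com;

    ssl_certificate     /etc/ssl/certs/checkout.example.com.pem;
    ssl_certificate_key /etc/ssl/private/checkout.example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;
}

# Redirect plain HTTP to HTTPS so card details are never posted in the clear.
server {
    listen 80;
    server_name checkout.example.com;
    return 301 https://$host$request_uri;
}
```

After `nginx -t` and a reload, confirm the change the way the scanner will see it: `openssl s_client -connect checkout.example.com:443 -tls1_1` should fail to complete a handshake, while the same command with `-tls1_2` should succeed and show your certificate chain and its expiry date in the output.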
Your merchant bank should be able to give you more information about PCI DSS compliance, but sometimes they don't know much about it themselves, and unfortunately most don't help merchants meet the requirements. That's a shame, because being non-compliant only adds processing fees to your monthly statement and puts you in a bad position with your payment provider.
If you want to know more about PCI compliance, check out everything you need to know from our blog post on the subject here.
In the meantime, if you need a knowledgeable merchant services provider to help you secure more payments, you’ve come to the right place.