Not adhering to PCI compliance security guidelines is putting your company at increased risk of a credit card data breach. This is a critical topic that all online businesses — especially high-risk merchants with large enterprises — need to follow. So, what are you doing about it?
PCI compliance remains a major issue due to a series of cyber security incidents in recent years. Corporations like Verizon, Home Depot, Equifax, and Kmart have all been affected by cyber breaches of customers’ payment information. Consequently, protecting customers’ online security has never been more important for card-not-present merchants, big or small.
Now is the time to become PCI compliant if you are not already. If you are uncertain about your own web security, DirectPayNet will provide some guidance.
PCI compliance explained
The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework applicable to all businesses accepting credit card payments. If your company stores and transmits cardholder data, PCI compliance is essential. Non-compliance fees from card providers are not the only risk factor but shouldn’t be the sole reason for complying. Concerns over basic non-compliance risks alone tends to motivate firms to institute PCI-DSS or other security controls to at least a minimum level.
The current state of PCI compliance
Despite significant business risks, few companies are in full compliance with PCI DSS. Verizon recently released a 2018 Payment Security Report. It was reported that nearly half (47.5%) of all companies assessed for compliance validation had faulty DSS controls. Simultaneously, the number of businesses adhering to PCI compliance appears to be decreasing year-on-year from 2016 to 2017.
(Source: Verizon 2018 Payment Security Report)
Moreover, Verizon found that the degree to which companies are failing their PCI compliance tests has been growing. Trends show it is back to levels seen in 2012 when familiarity with PCI DSS was less common and compliance was merely 11.1%.
(Source: Verizon 2018 Payment Security Report)
For the most part companies are largely doing the bare minimum data security protocols rather than thoroughly maximizing their cybersecurity protections. Fewer than one in five enterprises (18%) measure their PCI-DSS controls more often than the practice requires.
Liabilities associated with lack of PCI compliance
Acquiring banks and processors could impose more penalties on companies for nonconformance, including charges linked to insufficient data security controls. The goal is to prod businesses to become PCI compliant. PCI compliance fees are commonly around $8 per month, while non-compliance fees average $20 monthly. Not complying can be costlier should your business suffer a breach as you would be subject to hefty fines and may lose your merchant account if you were negligent. These types of fines (in addition to chargeback fees) ought to be prevented, so they do not reduce revenue.
Applicable rules and fees depend on the card network, your acquiring bank, geographical location of your business, and transaction volume. Fines hinge on the level of forensic research and recovery required by financial institutions. On top of that, the fallout from data breaches can cause severe financial stress or even bankruptcy. How much is your company willing to shell out on legal obligations and public relations?
The long-term effects of data breach
IBM’s 2017 Cost of Data Breach Study found the average total cost to businesses with a data breach was $3.62 million. The average cost per stolen record to a business was $141 as well as bad publicity and lost revenue. Additionally, the report found that one data breach increases the risk of another incident by 27.7% over the next two years.
The ongoing impact to your organization can be substantial should inadequate security result in a breach. This includes loss of customer loyalty, termination of bank and merchant accounts, and even placement on MATCH list. As a high-risk merchant you probably rely heavily on credit card processing for high volume and high-ticket items. PCI compliance is mandatory to protect your customers’ invaluable personal, confidential data.
Moreover, businesses large and small don’t realize that data has been compromised until weeks or even months after the violation. Smaller and mid-sized merchants are commonly targeted by cybercriminals, because security tends to be weaker in these companies.
In the US, PCI DSS is unenforced at the federal level, but many individual state laws do apply this policy. Merchants are responsible for ensuring they are compliant with the relevant laws in each jurisdiction where they conduct business.
What are your next steps for PCI compliance?
PCI compliance is routine for all online vendors. It is designed to implement and preserve a secure network, safeguard cardholder data, and establish strong access control measures. It is also meant to strengthen information security policy and uphold a vulnerability management program.
The PCI Security Standards Council offers a variety of assessment questionnaires to organizations. Only one requires completion, but the type will depend on how your company handles sensitive payment information. If you are currently processing orders from online buyers, chances are you passed a PCI compliance check when issued a merchant account. However, it is critical to review annually as payment and security technology changes very rapidly.
How secure is your checkout page?
Checkout page encryption is a vital aspect of PCI compliance. It is vital to the long-term trust of customers who enter highly sensitive information on your order page. Ensure all shoppers are notified of the required fields of information. If possible use one page to collect all data. Ensure your SSL certificate is renewed yearly and you are using the highest level of encryption possible. Update all versions of any software vital to your checkout process. Old editions can compromise your environment as hackers may have gained access through vulnerabilities. New software upgrades address vulnerabilities already taken advantage of by hackers.
PCI compliance and cyber security start with your checkout cart or CRM. The software platform you use to facilitate online purchases should be reliable and robust, with a proven track record for safe and secure buying capabilities. Additionally, most merchants do not consider if their CRM can synchronize with gateways and processors. Ensure the entire transaction flow from website to merchant account is uncompromised. All vendors handling collection of customer data or processing payments must possess a certain level of PCI compliance. Be prepared to present proof of security certificate(s) if requested by an acquiring bank.
Upgrade from HTTP to HTTPS
HTTPS encryption can only enhance the security environment of your company. If you have not done so already, upgrade from HTTP to HTTPS by acquiring an SSL certificate from your hosting provider. This encryption is one layer of protection against malware across major web browsers and other vulnerabilities. High-risk merchants can conduct monthly quality assurance by deploying select staff members (e.g. programmers) to test the buying funnel from CRM to thank you page.
Organizations should be self-motivated to maximize cyber defences and ensure data is safe, especially as online security is becoming increasingly precarious. Medium- to large-sized businesses often struggle to effectively manage their IT security, payments, risk and compliance in-house. Having a knowledgeable team of payment experts available is invaluable for day-to-day credit card processing. It is equally worthwhile for properly overseeing technology, risk, and compliance tasks associated with credit card acquiring. If you are experiencing these challenges in-house, it is time to connect with an expert.
DirectPayNet has a wealth of experience in payment processing. Our team will help you with PCI compliance and strategy development to secure all aspects of your high-risk organization. Email us to get one-on-one attention for your ecommerce business today.