Tag: PCI compliance

FAQ Fridays: We Failed Our PCI Compliance Scan

Q: Hello, my company recently failed our PCI compliance scan.

Three months ago, my small business (an online dating product) launched. I got a merchant account for credit card processing. My merchant statement has a PCI non-compliance monthly fee. I’m being charged $30 a month for this. This wasn’t a big deal to me until my credit card processor kept asking for proof that we were PCI compliant. We performed a PCI compliance scan, but we failed it.

How do we pass it so we can be compliant and not risk our payment provider shutting us down?

A: Well, first of all it’s rare that a payment provider will shut down a merchant’s payments because they failed a PCI compliance scan.

Your payment processor may hold your payments. They may also charge you a PCI non-compliance fee. But shutting you down entirely is an extreme case unless you have a massive data breach. Violations could result in penalties that are as little as $20 to a whopping $10,000 per month.

Let’s start by explaining a few things first.

What is PCI compliance?

The information security framework Payment Card Industry Data Security Standard (PCI DSS) applies to any business accepting credit card payments. What they want is to ensure e-commerce businesses that facilitate credit card transactions do not have any weak points in their technical environment. They want to ensure online consumers are entering their personal information into a protected website and secure network. Hence, payment processing companies requesting PCI compliance.

Merchants either ignore this or give up and pay the PCI non-compliance fees. The biggest reason is because they have no clue what it is or don’t understand it. Another reason is because they think that they’re compliant if they use a third-party shopping cart or CRM to transact.

You may outsource this part of your online business. But that doesn’t mean that you don’t need to meet data security standards. PCI compliance is a little more complicated than that.

Get help from your developer and the approved scanning vendor to pass your PCI compliance scan.
Photo by Christina Morillo from Pexels

It’s your e-commerce business’s responsibility to be compliant

The PCI Security Standards Council (PCI SSC) must approve every aspect of your e-commerce environment. Online business owners must ensure that their CRM, their shopping cart, their payment gateway and their merchant account is all PCI compliant. When credit card companies give you the privilege of accepting online credit card information you need to respect their set of rules.

Say you collect cardholder data at your checkout. Let’s say you capture $1 million worth of orders via American Express, Visa and Mastercard credit and debit cards each month, on top of other personal details. It’s your responsibility to prevent personal information from being stolen. Or, it can result in a data breach. Make every effort to pass your PCI scan if you’re asked to do so. Any vulnerabilities in your payment processing channel could spell big trouble.

PCI DSS is standard requirement for all online businesses. It doesn’t just protect card brands and merchant account providers in the event of liability (e.g. a security breach). Meeting payment card industry data security standards protects your business too.

A PCI scan isn’t mandatory for every online company

Not every merchant must perform a PCI scan. There are different questionnaires and scan of different levels based on an e-commerce setup.

For example, some merchants may only need to fill in one self-assessment questionnaire known as SAQ or SAQ-EP. This is required when you use a third-party shopping cart or CRM. Examples of these tools include using ClickFunnels, Konnektive or Sticky.io for your checkout. No customer data is stored in your environment in these scenarios.

Most merchants fall into the above category. But keep in mind that collecting information which is passed to a third-party to be stored also carries a risk of a data breach. Your checkout process is capturing a lot of customer information. Vulnerabilities can be present when those details are sent to a payment gateway or CRM for storage.

The type of data you’re collecting warrants having a privacy and security policy. This information should be published on your website. It should be visible to all visitors agreeing to interact and transact with you. This is why your provider asked for proof of a successful scan.

The good news is that it’s not unusual to fail a PCI compliance scan and it can be easily corrected. All you need is help from your developer and the approved scanning vendor that facilitated the scan. Review the scan results. Then you work to correct all the areas where the scan indicates you failed. That means that there are vulnerabilities in your technical environment and your developer simply needs to fix them.

Here are a few questions you might want to ask before your next scan:

Do you know if your security protocols are outdated? Check to ensure you have the latest SSL certificate and encryption standards. Many issues for PCI get resolved if you mainly rely on third-party payment gateways and shopping carts from PCI approved vendors. Renew your certificate annually.
Does your technical environment provide high-level data encryption to make it difficult to breach your users’ personal data?
Are any software or plugins installed on your back-end stopping the scan from performing successfully? If so, you might want to remove the conflict.

Your merchant bank should offer you more information about PCI DSS compliance. But, sometimes they don’t know much about it themselves. Unfortunately, they don’t provide merchant support with meeting PCI requirements. This is a shame. Being non-compliant only adds more processing fees to your monthly statement. It puts you in a bad position with your payment provider.

If you want to know more about PCI compliance, check out everything you need to know from our blog post on the subject here.

In the meantime, if you need a knowledgeable merchant services provider to help you secure more payments, you’ve come to the right place.

Reach out to our team. We can help you apply for a merchant account or other payment processing for your online business. Contact us here.

August 28, 2020
Website Compliance: The Secret To Getting Approved For Payments
Merchants, just how familiar are you with website compliance? From PCI compliance to privacy and shipping policies to terms and conditions to pricing disclosures. These are a few enforcements that come to mind when setting up an online business.

A lack of knowledge about website compliance can cost you a lot of money. It can also be time consuming and confusing to adhere to these types of policies. Worse, your merchant application could be declined, because your website is not compliant or secure.

Payment processors conduct periodic reviews of merchant websites. Thus, merchants can face penalties for not adhering to the latest standards. For example, a processor may freeze your account or terminate your agreement.

In this blog post, we’ll review full-proof ways to ensure your website is compliant. We will also help you avoid common mistakes that can cost you dearly. Website compliance should be top of mind to ensure you’re operating legally and within the norms expected by your payment provider. It doesn’t matter if you’re a start-up or a seasoned online seller.

PCI Compliance

PCI DSS compliance is a big deal! Of utmost importance is ensuring you’re protecting customer data. And, coupled with an SSL certificate for your finished website. Data leaks occur during a breach or ignoring crucial security patches in your software or WordPress platform. You are responsible for customers data leaks. This is regardless of your intention.

Thus, take every measure to ensure your network infrastructure. Additionally, update all software to prevent vulnerabilities. Encrypt hosted checkout pages with a minimum 256-bit encryption standard. Also, check that your checkout page is using TLS 1.2 or higher, particularly to guard any data sent to your gateway.

Does this all sound Greek to you? Contact your payment or gateway service provider for requirements on your checkout page. If you prefer not to deal with this, you can decide to use a hosted page provided by your payment processor.

Most merchants avoid this. It tends to lead to lower conversions, because buyers get redirected to another page to enter payment info. Building a secure order page will serve you well. It will also ensure access to your customers’ data for future marketing purposes.

ASV scans and SAQ questionnaires

While building your website, you can use an approved ASV scanner. This will scan your website. I can list all potential vulnerabilities you can fix before going live. A quarterly scan will ensure you are doing your best to stop data breach threats. The PCI council has a list of approved vendors.

Scans are inexpensive and fast. Performing one shouldn’t be an issue for your business. The PCI council offers self-assessment questionnaires based on a merchant’s exact business case. They can serve as a guide for what’s needed to ensure your website is secure and compliant according to most recent data standards. At first, each questionnaire asks a few simple questions to learn which PCI self-assessment questionnaire is right for you. In our experience, most merchants providing goods or services online use the SAQ-A or SAQ-A-EP questionnaires. A full list of questionnaires are available here.

Website Compliance Cheat Sheet

So, you apply for a merchant account. But, as you’re ready to start trading and gearing to go live, your application is declined. Payment providers often reject applications due to website compliance issues without further explanation. Most of the larger third-party providers like Stripe and PayPal decline applicants with little information.

Ensure your website is fully compliant. Acquirers or payment facilitators like Stripe go through a rigorous compliance checklist to ensure your website is secure. Use the following as a reference before applying for your next merchant account.

Page footer

Your page footer should remain static through the customer experience to ensure customers can navigate to legal and regulatory facts about your website and business at any time. As such, ensure to have the following five elements in your website’s footer.

1. Terms and conditions

Gone are the days of copying another website’s terms and making them your own. Underwriters review and read these to ensure they make sense and are applicable to your website and business model. This doesn’t have to cost you thousands. Many legal websites can provide a quick and personalized terms sheet for your business. It’s important to include product pricing, company name and address as well as legal jurisdiction within your terms and conditions.

2. Privacy policy

Your customers’ data is valuable and important. Ensuring its security and not sharing it with external parties should be imperative for you. Shared information should be limited to parties fulfilling customer orders. Outline steps you take to ensure your customers’ privacy is protected and explain the laws you are following depending on your jurisdiction. Remember, if you have European customers, the laws are stricter than North American ones and you will need to abide by GDPR for all your European customers even if your company is not within the EU. Here’s a quick guide to GDPR standards

3. Customer support

Having a link that can easily allow your customers to reach out to you will build loyalty and lower your risk of chargebacks. A win-win! Make sure your customers can find how to reach out to you easily and through various communication methods such as phone, email, chat, Skype or even what’s app!

4. Shipping policy and returns

Give consumers confidence in knowing that buying from you is safe and their satisfaction is important to you. Providing a minimum of 30 days to return a product should be standard practice. Customers need time to receive, try out and return your product. In fact, longer return periods help in increasing consumer loyalty and sales. This is because customers feel less pressured to make a decision and may eventually forget to return the item. It’s important to include the standard delays your customers should expect to receive their package, whether you’re shipping locally or internationally. Test your fulfillment channel to avoid surprises that trigger chargebacks should customers not receive their products in the delays you quote.

5. Company name and mailing address

In every website footer always display your company name and mailing address at the bottom of your page. This information should match your company’s registration information.

Checkout Page

Your checkout page should include the following elements:
- Clear and descriptive pricing above the buy now button.
- Ensure you detail all terms of purchase. And, if you have any recurring charges be very clear on when and how much the customer will be charged. Visa is updating its policies for free or discounted trial subscription merchants. So, read more from our previous post on how to prepare.
- State the currency for international sales. Chargebacks can occur because of a misunderstanding as simple as a specific dollar amount. The $ sign is commonly used in the US, Australia and Canada. But, $60 in USD is not the same CAD.
- A checkbox, as customers must click to accept the terms and conditions, and price of your product.
- A descriptor that states what customers will expect to see on their credit card statement. Make sure there is no confusion upon seeing a charge.
- Credit card network logos, security badges and other trust symbols.
After-sales support

Once your customer buys your product, you’re done with the sale process, right? Nope! After-sales support and communication is part of your compliance requirements. This includes the following:
- Provide customers with a transaction receipt by email. Include all important details they need including tracking numbers, shipping delays and, of course, a link to your contact information. As of April 2020, Visa will enforce merchants with a subscription product or service to provide customers a link where they can easily cancel. A merchant must communicate to their customer at least seven days prior to charging the subscription fee. This is regardless of whether you’re selling supplements, a digital info product or a dating membership, for example.
- Ensure your customers can call and talk to a support agent most hours of the day. If you’re located in the US, but most of your customers are European, adjust your hours of operation. Also, offer email and chat support with reasonable delays for responses.
No matter how big or small your business is, data breaches can be costly, because of potential fines and loss of customer trust. Follow the tips above and work with a reputable merchant account provider such as DirectPayNet.

As experts, we help ensure you’re adhering to website compliance standards. You will receive invaluable advice to keep your business safe. Contact us today to discuss PCI and website compliance.
January 30, 2020
PCI Compliance: Don’t Risk Your Business Ignoring This Important Protocol

Not adhering to PCI compliance security guidelines is putting your company at increased risk of a credit card data breach. This is a critical topic that all online businesses — especially high-risk merchants with large enterprises — need to follow. So, what are you doing about it?

PCI compliance remains a major issue due to a series of cyber security incidents in recent years. Corporations like Verizon, Home Depot, Equifax, and Kmart have all been affected by cyber breaches of customers’ payment information. Consequently, protecting customers’ online security has never been more important for card-not-present merchants, big or small.

Now is the time to become PCI compliant if you are not already. If you are uncertain about your own web security, DirectPayNet will provide some guidance.

PCI compliance explained

The Payment Card Industry Data Security Standard (PCI DSS) is an information security framework applicable to all businesses accepting credit card payments. If your company stores and transmits cardholder data, PCI compliance is essential. Non-compliance fees from card providers are not the only risk factor but shouldn’t be the sole reason for complying. Concerns over basic non-compliance risks alone tends to motivate firms to institute PCI-DSS or other security controls to at least a minimum level.

The current state of PCI compliance

Despite significant business risks, few companies are in full compliance with PCI DSS. Verizon recently released a 2018 Payment Security Report. It was reported that nearly half (47.5%) of all companies assessed for compliance validation had faulty DSS controls. Simultaneously, the number of businesses adhering to PCI compliance appears to be decreasing year-on-year from 2016 to 2017.

(Source: Verizon 2018 Payment Security Report)

Moreover, Verizon found that the degree to which companies are failing their PCI compliance tests has been growing. Trends show it is back to levels seen in 2012 when familiarity with PCI DSS was less common and compliance was merely 11.1%.

(Source: Verizon 2018 Payment Security Report)

For the most part companies are largely doing the bare minimum data security protocols rather than thoroughly maximizing their cybersecurity protections. Fewer than one in five enterprises (18%) measure their PCI-DSS controls more often than the practice requires.

Liabilities associated with lack of PCI compliance

Acquiring banks and processors could impose more penalties on companies for nonconformance, including charges linked to insufficient data security controls. The goal is to prod businesses to become PCI compliant. PCI compliance fees are commonly around $8 per month, while non-compliance fees average $20 monthly. Not complying can be costlier should your business suffer a breach as you would be subject to hefty fines and may lose your merchant account if you were negligent. These types of fines (in addition to chargeback fees) ought to be prevented, so they do not reduce revenue.

Applicable rules and fees depend on the card network, your acquiring bank, geographical location of your business, and transaction volume. Fines hinge on the level of forensic research and recovery required by financial institutions. On top of that, the fallout from data breaches can cause severe financial stress or even bankruptcy. How much is your company willing to shell out on legal obligations and public relations?

The long-term effects of data breach

IBM’s 2017 Cost of Data Breach Study found the average total cost to businesses with a data breach was $3.62 million. The average cost per stolen record to a business was $141 as well as bad publicity and lost revenue. Additionally, the report found that one data breach increases the risk of another incident by 27.7% over the next two years.

The ongoing impact to your organization can be substantial should inadequate security result in a breach. This includes loss of customer loyalty, termination of bank and merchant accounts, and even placement on MATCH list. As a high-risk merchant you probably rely heavily on credit card processing for high volume and high-ticket items. PCI compliance is mandatory to protect your customers’ invaluable personal, confidential data.

Moreover, businesses large and small don’t realize that data has been compromised until weeks or even months after the violation. Smaller and mid-sized merchants are commonly targeted by cybercriminals, because security tends to be weaker in these companies.

In the US, PCI DSS is unenforced at the federal level, but many individual state laws do apply this policy. Merchants are responsible for ensuring they are compliant with the relevant laws in each jurisdiction where they conduct business.

What are your next steps for PCI compliance?

PCI compliance is routine for all online vendors. It is designed to implement and preserve a secure network, safeguard cardholder data, and establish strong access control measures. It is also meant to strengthen information security policy and uphold a vulnerability management program.

The PCI Security Standards Council offers a variety of assessment questionnaires to organizations. Only one requires completion, but the type will depend on how your company handles sensitive payment information. If you are currently processing orders from online buyers, chances are you passed a PCI compliance check when issued a merchant account. However, it is critical to review annually as payment and security technology changes very rapidly.

How secure is your checkout page?

Checkout page encryption is a vital aspect of PCI compliance. It is vital to the long-term trust of customers who enter highly sensitive information on your order page. Ensure all shoppers are notified of the required fields of information. If possible use one page to collect all data. Ensure your SSL certificate is renewed yearly and you are using the highest level of encryption possible. Update all versions of any software vital to your checkout process. Old editions can compromise your environment as hackers may have gained access through vulnerabilities. New software upgrades address vulnerabilities already taken advantage of by hackers.

PCI compliance and cyber security start with your checkout cart or CRM. The software platform you use to facilitate online purchases should be reliable and robust, with a proven track record for safe and secure buying capabilities. Additionally, most merchants do not consider if their CRM can synchronize with gateways and processors. Ensure the entire transaction flow from website to merchant account is uncompromised. All vendors handling collection of customer data or processing payments must possess a certain level of PCI compliance. Be prepared to present proof of security certificate(s) if requested by an acquiring bank.

Upgrade from HTTP to HTTPS

HTTPS encryption can only enhance the security environment of your company. If you have not done so already, upgrade from HTTP to HTTPS by acquiring an SSL certificate from your hosting provider. This encryption is one layer of protection against malware across major web browsers and other vulnerabilities. High-risk merchants can conduct monthly quality assurance by deploying select staff members (e.g. programmers) to test the buying funnel from CRM to thank you page.

Organizations should be self-motivated to maximize cyber defences and ensure data is safe, especially as online security is becoming increasingly precarious. Medium- to large-sized businesses often struggle to effectively manage their IT security, payments, risk and compliance in-house. Having a knowledgeable team of payment experts available is invaluable for day-to-day credit card processing. It is equally worthwhile for properly overseeing technology, risk, and compliance tasks associated with credit card acquiring. If you are experiencing these challenges in-house, it is time to connect with an expert.

DirectPayNet has a wealth of experience in payment processing. Our team will help you with PCI compliance and strategy development to secure all aspects of your high-risk organization. Email us to get one-on-one attention for your ecommerce business today.

October 31, 2018