PCI Compliance

What’s common between Target Stores, eBay, and PlayStation Network?

They’ve all been hit by some of the biggest data breaches in history. Millions of people who had used credit card details to transact with these companies had their personal information land directly in the hands of cybercriminals.

The bigger picture is even more chilling. According to The Nilson Report, in 2015 alone, credit card and debit card fraud set the global economy back by US$21.84 billion.

Take a moment to digest that.

As a business, you probably already appreciate that every single time a customer hands you their credit card details to honour a transaction, there’s more than just money exchanging hands. They’re also handing you their personal data and a host of other sensitive information.

This is the point where your compliance with the Payment Card Industry Data Security Standard (PCI DSS) becomes critical. Here’s what that means:

- Even if you are a business that accepts only one credit card payment in the entire year, you must comply with PCI standards.

- In the case of larger firms that have multiple eCommerce sites or business locations, each operating under a single tax ID, you would need to prove PCI compliance for each.

Before we move on to why your business should stay within the scope of PCI, let’s take a step back (for the benefit of the uninitiated) and address the most fundamental question.

What is PCI compliance and why do you need it?

PCI compliance is a universal security standard that defines how organisations should collect, store, process and transmit cardholder data safely and prevent fraud. If you accept any payments via credit or debit card over any channel, you need to be PCI compliant. If you want to learn more about online fraud, we recommend this read.

The PCI standard is managed and updated by the Payment Card Industry Security Standards Council, which is composed of leading card scheme providers such as MasterCard, Visa, and American Express.

The PCI standards cover any form of customer data, including but not limited to:

• Shopping carts and payment apps
• Card readers
• Point-of-sale systems
• Wireless access routers
• Systems that store or transmit payment card data
• Paper-based records such receipts

As is the case with many other industry standards, the number of PCI compliance hurdles you must successfully pass depends on how many payments you process per year. The different payment touchpoints your business uses can also change your compliance scope.

If you’re already using anti-fraud tools, like Velocity checks and other software, to secure your payment channels then you may be wondering what the difference between these checks and being PCI compliant is. The short answer is: a lot. PCI is entirely separate from fraud tools and ensures your system’s environment is totally secure for the storing, processing and transmitting of customer data.

There’s a well-established myth that if you’re using a payment gateway or payments facilitator to process payments then you’re automatically PCI compliant. This couldn’t be further from the truth. Your business should be evaluated for PCI scope when you’re onboarding with your chosen payment gateway.

The cost of PCI non-compliance can be staggeringly high in the unfortunate event that your business is affected by a data breach. We discuss this in detail below.

Note: We are only scratching the surface of PCI compliance here so if you want to read more, you can find their latest documentation here.

Size doesn’t matter for PCI compliance...or does it?

This brings us to the trickiest part of PCI compliance: It applies to any business that processes credit card payments, but it isn’t a blanket standard.

This is where knowing your compliance level helps. Depending on how big your annual run is, your business falls under one of these merchant levels of PCI compliance:

• Level 1 merchants: This is the highest compliance standard and is applicable to merchants who process over 6 million transactions annually, regardless of acceptance channel. Level 1 merchants need to pass a quarterly network scan and submit an Annual Report on Compliance. Not to forget other requirements such as an internal report and an attestation of compliance form...phew!
• Level 2 merchants: Any merchant processing between 1 million to 6 million card transactions in a year, regardless of acceptance channel. Many of the compliance requirements that apply to level 1 merchants also apply to level 2 merchants.
• Level 3 merchants: If you process 20,000 to 1 million transactions per year, you qualify as a level 3 merchant.
• Level 4 merchants: A business that processes fewer than 20,000 card transactions per year via any acceptance channel is covered under level 4. Level 4 also covers all companies that process 1 million Visa transactions annually.

Companies covered by Levels 2, 3 and 4, are required to complete a PCI DSS Self-Assessment Questionnaire every year. This may be in addition to undergoing a network security scan every quarter with an approved scanning vendor.

That’s not all! There’s always the chance that card providers may require a business that technically falls under Level 4 to adhere to Level 1 compliance depending on the nature of their business and the kind of data they deal with.

If you think that’s too much too handle, there’s good news: You can choose a gateway, like Bambora, which is PCI compliant to process your payments for you.

The consequences of noncompliance

Some of the things that could happen if you’re skimping on compliance, regardless of the size of your business, are:

• You could face penalties, which range from card replacements to hefty fines. You may also have to compensate for any forensic investigations the authorities deem necessary.
• Your business could undergo stringent audits by card providers and they may refuse to allow you to accept payments by card. Imagine how dreadful it would be to switch back to cash-only payments - impossible for an online business.
• More importantly, your customers would stop trusting you and this could deal a bigger blow to your brand.

Here’s an example to put things into perspective: If your company is not PCI compliant and a data breach occurs, credit card companies may slap your bank with a monthly penalty of $5,000 to $100,000. The bank will not shoulder this cost alone. It will be passed on to you! Then there’s also the risk of the bank terminating their contract with you or charging you higher transaction fees on account of the violations. There are also customer trust issues that could affect your business.

Now that you know why PCI compliance is important, let’s address some concerns that small, medium and large businesses usually have.

PCI compliance for small businesses

If you’re a small business owner, you might be thinking that because you’re operating a small online store, accepting a few credit and debit card every day, you’re out of risk from a data breach.

But here’s the fact: Accepting even a single credit card payment is akin to someone handing you the keys to their safety vault which houses all their money and valuables. If you fail to store these keys safely, you are unfortunately to blame if your business is successfully targeted and breached by fraudsters.

As a small business owner, it’s important to analyse whether you are prepared to pay heavy penalties for a breach not because you were personally at fault, but because you chose to process payments using an unsafe environment.

Let’s now look at this another way: If you process just 500 payment card transactions per year, you might think that the cost of PCI compliance doesn’t give you or your customer's proportionate benefit.

But…

Imagine that a breach occurred and cybercriminals stole data from 250 of the cards you’ve accepted. The 50% data breach will probably amount to enough to change the cost/benefit ratio as the proposed fees could be thousands or even millions of dollars. In addition to this, customers who had their data stolen will most likely shop elsewhere next time - the trust they put they put in you as a service will be gone.

PCI compliance for medium and large businesses

As a medium or large business, you might be thinking that because you’re already using state-of-the-art security software and the latest IVR technology, you’re covered.

For SaaS-based eCommerce stores who do not need access to cardholder data, the need for PCI compliance is relatively low, but a secure payment gateway is still indispensable. However, many large organisations expose themselves to a breach by thinking that they’re too massive and technologically advanced to worry about PCI compliance, which is “just another” industry standard.

It’s true that managing PCI compliance is an ongoing cycle in large organisations who have to undergo annual audits and quarterly checks, which can put a strain on manpower and resources. But it’s all completely necessary.

Looking again in the case of Target Corporation, which saw cybercriminals wipe clean over 40 million debit and credit card details. Investigating experts found that the breach was more the result of a failure to implement PCI standards than a failure of the technology itself.

In other words: If it can happen to some of the world’s most established companies, it can happen to anyone!

As a Level 1 organisation, here’s another point to consider: PCI non-compliance fines are usually directly proportional to how many card records were breached. For a large organisation that potentially deals with thousands of transactions every single day, the outlook isn’t too positive!

The bottom line

If you’re struggling with PCI compliance, know that you’re not alone. At Bambora, our job is to make it easy for companies in Australia and New Zealand to protect their valuable customer data by using the latest and best industry standards.

We are Level 1 PCI compliant, which is the highest and most secure rating. So when you choose us, you can rest assured that your data will be protected at all times and you don’t have to worry. Our friendly team is here to help you learn more about a PCI solution that will fit your business.