If your business accepts, or is considering accepting, credit or debit card payments, then you may have come across PCI-DSS.
PCI-DSS stands for the Payment Card Industry Data Security Standard. It describes how your company must protect the credit and debit card details your customers provide when they purchase goods or services from you.
Although PCI-DSS can seem confusing at first, most smaller companies find it fairly straightforward to comply with the rules. There’s plenty of support and guidance available too, both online and from banks and payment providers.
What is PCI-DSS?
“PCI-DSS was created by the payment card industry,” explains Mark Kedgley, chief technical officer at New Net Technologies, a global provider of data security and compliance solutions.
“The industry wanted to create a standard to protect card data, in order to reduce losses from fraud and data theft,” he continues. “All merchants that take payment by card are subject to this standard, and so are the banks that process payments. Fundamentally, if you’re taking card payments then you’re subject to PCI-DSS.”
If you think PCI-DSS might affect your business, don’t ignore it. You can be fined or even stopped from taking payments altogether if you don’t take steps towards meeting the requirements.
Having said that, it’s relatively unusual for serious sanctions to be taken against companies that don’t comply. “Ultimately, banks and payment providers want card payments to go through, because they make money that way,” says Mark. “Rather than cutting you off, they tend to assert increasing pressure to get you to comply.”
“At the same time, keep in mind that every day you handle cardholder data without adopting PCI requirements is a gamble with your customers’ personal information and the trust in your brand.”
What does PCI-DSS require your business to do?
To comply with PCI-DSS, your company must meet 12 requirements that describe various aspects of how you hold and process customers' card details. To prove their PCI-DSS compliance, most smaller companies simply have to fill in a self-assessment form available from the PCI Security Standards Council website.
“It’s a declaration,” confirms Mark. “What kind of merchant you are determines which self-assessment form you have to fill in. PCI-DSS is policed much more strongly for big companies that may hold and process card details relating to millions of customers.”
If your business only uses customer card details to take one-off payments, then meeting PCI-DSS is likely to be straightforward. However, if you store customers' card details in order to take future payments, or transmit that data elsewhere, that’s when it can become more arduous.
Many companies opt to sidestep PCI-DSS by relying on a trusted supplier. “Using third-party services like PayPal or WorldPay is a good way to make PCI-DSS simple, because you can pass the burden of compliance on to the supplier,” elaborates Mark. “The downside is the extra cost to process each transaction.”
How PCI-DSS works in practice
Complying with PCI-DSS really isn’t that different to taking other sensible security precautions, except that the standards you must achieve are set by a third party. Much of what you need to do simply follows good security practice - so you’d probably be doing it even if PCI-DSS didn’t exist.
“If you’ve got people taking card details to sell products, learn the basics of good security,” explains Mark. “Don’t write down customers’ card details or store them in unprotected spreadsheets. Think about how you would want a retailer to treat your card details and apply the same standards.”
It’s wise to consider PCI-DSS as part of your overall security policy, rather than as a separate issue. “Consider how to secure all your data,” continues Mark. “Nobody knows how your business works better than you, so you can understand where the biggest security risks lie.”
You’ll probably find your bank or payment provider willing to offer help and advice, too. “Talk to your bank,” advises Mark. “You can explain how you take card payments, and they can provide advice on how to do so securely.”
If total compliance seems like an unattainable target, break the process down and first take steps to identify and address the biggest risks to customers’ card details.
“Your bank or payment provider will be keen for you to show progress towards full compliance, and should be willing to help you along that road. It’s only if you bury your head in the sand and do nothing that you risk fines or other sanctions.”