Anyone who takes a transaction online is an online retailer and is subject to the PCI DSS (Payment Card Industry Data Security Standard). Therefore, anyone who takes an online transaction is responsible for the security of their clients' data. What are those restrictions? How should credit card data be treated? With caution.
Many years ago, it was common to have a credit card payment page where half of the credit card details were emailed to the vendor and the other half were stored (usually unencrypted) on the website server, where the vendor would retrieve them with a password. This was simple and effective, but not especially secure, and it is certainly no longer acceptable practice. There are still many online businesses accepting credit card details via forms which may use a secure connection but then send the complete, unencrypted card details by email. This leaves a record of the customer's card details on every email server the message passes through, where it could easily be intercepted.
It is essential that you consider carefully whether you need to hold credit card data at all. Online consumers are used to entering their card details every time, and although some large retailers (eBay, Amazon, etc.) do store data for later use, they are extremely tightly controlled and spend millions on protecting that data.
Trust and International Standards
Although consumer trust in e-commerce is rapidly increasing, people remain flighty. Anything that "doesn't quite look right" will instantly turn customers away, as will known security failings. The padlock symbol and the additional "s" in "https" on a page are well-known security essentials; the vast majority of consumers are aware of these and will not buy without them.
The Payment Card Industry Data Security Standard (PCI DSS) was launched in 2006 so that a single industry standard would continue to build consumer confidence in purchasing online, and its requirements apply to all websites that take a transaction, large or small, frequent or one-off. If you accept credit card payments, you are automatically accepting the PCI terms.
The PCI DSS is a worldwide standard designed to allow businesses to process card payments securely and to instil confidence in online purchasing. Its author, the Payment Card Industry Security Standards Council (PCI SSC), places tight controls on the storage and use of card holder data. These rules apply to any website that takes any form of payment online, regardless of the frequency or size of the transactions.
Contents of the PCI DSS
There are six main categories that the PCI SSC focuses upon, and all online retailers must adhere to them. They include building and maintaining a secure network through firewalls and secure passwords; maintaining a vulnerability management program; implementing and maintaining strong access control measures by restricting access to data and assigning personal IDs; and regularly monitoring and testing networks. Protecting card holder data is the last key pillar of PCI DSS compliance.
Protecting card holder data has two main parts: encrypting stored card holder data and encrypting it in transit. Most data breaches in e-commerce, and especially the breaches that make the news, fall within this area. It is essential, not just legally but also for consumer confidence, that you are fully compliant with the PCI regulations and that the data is safe.
Your website and the PCI
The regulations, and your strategy, should focus on separating systems. In practice, if card details must be stored, using a merchant service is advised: it places the legal and ethical responsibility with industry professionals rather than leaving you to navigate this murky world yourself.
What is card holder data? Card holder data is defined as the Primary Account Number (PAN), together with any further data such as the card holder's name, the card expiration date or the service code. PINs and security codes are also covered by the definition of "card holder data".
While a merchant is permitted to display "the first six and the last four digits" of a PAN, there is rarely any reason to do so, and this does not supersede national legislation. It is vital that local laws are understood above and beyond the PCI DSS. Data should be encrypted immediately upon receipt, with even your own staff unable to see the specifics.
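As an added example (not part of the original article), the display rule above implemented as a small Python scanner: it finds Luhn-valid card numbers sitting in clear text, such as the emailed order records described earlier, and rewrites them to show only the first six and last four digits. The sample text is constructed, and the card numbers in it are the industry's published test numbers, not real cards.

```python
"""Detect and mask unmasked PANs in clear text (logs, email bodies, tickets)."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
# This boundary heuristic is deliberately simple; it is a check, not a full DLP engine.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, replacing the rest with '*'."""
    digits = re.sub(r"[ -]", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN must have at least 13 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number that appears in clear text."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]


def redact(text: str) -> str:
    """Replace each detected PAN with its masked form; leave other numbers alone."""
    return PAN_CANDIDATE.sub(
        lambda m: mask_pan(m.group(0))
        if luhn_valid(re.sub(r"[ -]", "", m.group(0))) else m.group(0),
        text)


# Constructed sample resembling the "card details by email" practice described above.
# The order number is 16 digits but fails Luhn, so it must not be flagged.
SAMPLE = ("Order 1234567812345678 from J. Smith\n"
          "Card 4111 1111 1111 1111 exp 12/26\n"
          "Backup card 378282246310005\n")

if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE))
    print(redact(SAMPLE))
```

Run it over your mail archive or application logs to confirm that no clear PANs have leaked before an auditor does.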
What are the consequences of non-compliance?
Like many things in life, the proverbial dung rolls downhill. Credit card companies may fine an acquiring bank US$5,000 to US$100,000 per month for breaches of the PCI DSS. This means that if your poor security allows hackers access to all your clients' credit card details, your bank may be fined. Call me cynical, but I suspect that if you mess up and your bank is penalised, they won't value their relationship with your business the way they did before and simply let it go. Most likely, they will seek to pass the fines and their own costs on to the merchant, and quite possibly sever their relationship with you and cancel your credit card facility. At the very least, they will immediately suspend your credit card facility until the security breach is addressed.
The simplest, cheapest and safest way to take credit card details is to use a third-party provider. This removes much of the responsibility from you, as you never actually receive the credit card details and do not need to store them. However, you still need to keep your website updated and secure, because a compromised site can be used to redirect customers to false payment pages.