The largest credit card companies have established a security standard to protect credit card transactions. This standard, the PCI DSS (Payment Card Industry Data Security Standard), has placed increasing pressure on merchants to comply. Merchants both large and small that process credit card transactions, particularly over the web, must have their processes and systems reviewed by a qualified security specialist. Some businesses also have the option of submitting a questionnaire on which they are graded. The problem with this questionnaire is that it is self-assessed, which can lead to misleading results.
Consequences of Non-PCI Compliance
Merchants that choose not to comply with PCI standards may suffer severe consequences. In addition to leaving themselves more vulnerable to fraud and cyber theft, they could be hit with huge fines for negligence, which can run from tens to hundreds of thousands of dollars. Even worse are the negative publicity and the loss of customer confidence that follow a breach.
When you consider that these fines would wipe out most small or medium-sized businesses, the seriousness of the situation becomes clear. Also, merchants that claim not to store sensitive information, but who actually do, will be held liable if that information is compromised.
Basic Security Measures
Many of the PCI measures are simple safeguards, such as ensuring a firewall sits between the merchant's internet connection and the system that holds the credit card data. Network equipment ships with default passwords; obviously merchants need to change them. It is the responsibility of merchants to protect whatever credit card data they receive from customers. Additionally, some sensitive information should not be stored at all, such as the complete contents of the card's magnetic stripe.
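To make the "do not store it" rule concrete, here is an added Python example (not code from the original article, which contains none). It drops the data elements PCI DSS forbids storing after authorization (full track data, card verification codes, PINs), masks the primary account number so that at most the first six and last four digits remain, and scans free text such as a log line for stray track-2 data that should never have been written. The transaction record, the log line and the field names are constructed for illustration and are assumptions, not a real point-of-sale format.

```python
import re

# Constructed sample of what a naive point-of-sale capture might hold
# before storage. All values are made up (4111... is a well-known test PAN).
RAW_RECORD = {
    "pan": "4111111111111111",
    "track2": "4111111111111111=25121015432112345678",
    "cvv": "123",
    "expiry": "12/25",
    "cardholder": "A. Customer",
    "amount": "19.99",
}

# Constructed log line in which full track data leaked into a debug message.
SAMPLE_LOG = ("2024-01-01 12:00:00 pos[123]: swipe ok "
              "data=4111111111111111=25121015432112345678 amt=19.99")

# Sensitive authentication data that PCI DSS prohibits storing after
# authorization, under the (assumed) field names a capture might use.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid",
                    "pin", "pin_block"}

# Track-2-looking data: a 13-19 digit PAN, a field separator '=',
# then at least the four-digit expiry and whatever follows.
TRACK2_PATTERN = re.compile(r"\b\d{13,19}=\d{4}\d*\b")


def mask_pan(pan: str) -> str:
    """Mask a PAN, keeping only the leading six and trailing four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy safe to persist: forbidden fields dropped, PAN masked."""
    clean = {}
    for key, value in record.items():
        name = key.lower()
        if name in FORBIDDEN_FIELDS:
            continue                      # never written anywhere
        if name == "pan":
            clean[key] = mask_pan(value)  # masked, never stored in full
        else:
            clean[key] = value
    return clean


def find_track_data(blob: str) -> list:
    """Scan free text (a log line, a database dump) for track-2-like data."""
    return TRACK2_PATTERN.findall(blob)


if __name__ == "__main__":
    print(sanitize_for_storage(RAW_RECORD))
    print(find_track_data(SAMPLE_LOG))
```

The scanner is the more useful half in practice: the record sanitizer protects the path you designed, while the scan run over logs, crash dumps and backups finds the copies nobody designed, which is exactly the data a merchant "does not store" but is held liable for.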
A number of smaller businesses are under the misconception that PCI standards don’t apply to them, due to their size. In reality, PCI applies to any business that conducts credit card transactions. While it may be possible for smaller merchants to reduce the burden that is involved with compliance, ignoring it completely can be dangerous. A common complaint among merchants is that complying with PCI is too tedious and expensive. However, PCI should be considered the minimum that is needed to protect both merchants and their customers.
Alternative Security Methods
A merchant who is unwilling or unable to be PCI compliant should not be handling credit card transactions at all. However, there are alternatives. Merchants who want to accept credit card payments without worrying about PCI can shift the burden to service providers that handle secure payments for them. Examples of such services include Authorize.net and PayPal. These companies are an excellent alternative because they allow merchants to sell goods by forwarding their customers to sites where they can pay securely with their credit card, without the headache of needing to be in compliance with PCI themselves. In fact, merchants that use these aggregators can often process credit card payments without ever seeing the credit card numbers.