The last thing anyone wants is to become a victim of fraud. Losing hard-earned money to a nefarious or ill-equipped website is still a fear for many Americans. In fact, in a survey on fraud in online shopping conducted by Paysafe, a leading global payments provider, researchers found that 59 percent of Americans believe fraud to be an inevitable part of online shopping.
Certainly then, ensuring customers feel secure when making any payments using credit cards is crucial to company success. Another survey on security measures conducted by Lost in Translation indicated that 71 percent of consumers are “open to the introduction of more secure payment processes such as two-factor authentication.”
As consumers demand quicker and more seamless payment experiences, financial technology (fintech) companies are entering the payment processing business and working to secure payment data as thoroughly as possible.
The bottom line is that if a company is accepting payments by card, that company or the third-party provider they use must be PCI compliant.
What Exactly is PCI?
PCI is the catch-all acronym most commonly used when referring to the Payment Card Industry Data Security Standard (PCI DSS). This information security standard is mandated by major card brands (Visa, Mastercard, etc.), but administered by the Payment Card Industry Security Standards Council. The PCI Standard was introduced to reduce credit card fraud and improve controls around cardholder data.
PCI Compliance 101
PCI Compliance is mandated by major card brands in order to use their payment methods. Compliance is validated either quarterly or annually through a firm-specific internal investigator known as an Internal Security Assessor (ISA), an external Qualified Security Assessor (QSA), or—for companies handling fewer transactions—by a Self-Assessment Questionnaire (SAQ).
The SAQ is further broken down into categorical questionnaires based on the needs of the company. The PCI Security Standards Council indicates that there are two components to a Self-Assessment Questionnaire:
- A set of questions corresponding to the PCI Data Security Standard requirements designed for service providers and merchants.
- An Attestation of Compliance or certification that you are eligible to perform and have performed the appropriate Self-Assessment. An appropriate Attestation will be packaged with the Questionnaire that you select.
Both merchants and service providers must be PCI DSS compliant. Processing, handling, or storing credit card information, whether through an online platform, over the phone, or in person, creates a need for PCI compliance.
Successful market strategist Chris Bucolo suggests that PCI compliance is more than just a checklist and should be approached holistically, listing three elements of PCI security: “it’s the software, it’s the hardware, and it’s the overall environment and the merchant environment that it’s being used in.”
An important element of understanding whether a company meets standards in software, hardware, and the overall environment is through performing a gap analysis test. This isn’t to say that the company will necessarily find gaping holes; nonetheless, a comprehensive assessment of potential vulnerabilities can indicate areas in which the company can bolster defenses.
All in all, payment facilitators need to ask themselves questions of scale and scope. Bucolo asks: “So you have to make that decision – is it better for your business model to have the larger scope and keep more of the risk and subsequent costs? Or does it make sense to outsource more and have a little bit less involvement and control over the process, but have a smaller scope and lower risk?” Answering these questions and using step-by-step guides on becoming PCI compliant from trusted security advisors like RSI Security will make the process much smoother for a company of any size.
Why Should Payment Facilitators Become PCI Compliant?
It might seem that PCI compliance is nothing more than major card companies bullying vendors into relying on their services. However, credit card fraud remains prevalent: the Federal Trade Commission’s consumer fraud report indicates that in 2018 there were 50,413 cases of credit card fraud resulting in a total loss of $131 million. The PCI Security Standards Council updates the PCI standards regularly to help prevent fraud and loss. These standards protect consumers when they make purchases from vendors both small and large, including when the vendor uses a payment facilitator in the process.
Chief Technology Officer Troy Leach commented that new security standards, “empower [payment facilitators] to make better decisions for their customers and have more informed conversations with their software providers. If the payment facilitator develops software in-house, the new security requirements will offer additional flexibility for how to demonstrate security effectiveness and diversity of applications that can be listed.”
PCI Compliance is empowering because it provides a level of trust between vendor and consumer, setting a precedent of reliable exchanges of goods and services. Additionally, not maintaining PCI compliance may result in credit card fraud, monetary loss, lost business revenue, or executives leaving their posts.
Companies do not want to be branded as inept, poorly managed, untrustworthy, or careless. With the internet linking consumers to brands across the globe, differentiating products or services from those of similar vendors is crucial to success. Meeting PCI compliance, and thereby securing credit card transactions, allows companies to focus on other elements of branding and customer loyalty.
Securing Mobile Networks
Vendors may use mobile applications to process credit card payments; this can be easier, quicker, and more efficient, especially for small vendors. Yet the PCI Security Standards Council indicated in its mobile payment security guidelines that most mobile devices (including smartphones, tablets, wearables, etc.) “do not meet security characteristics required by generally accepted information security standards.” Because a mobile device is typically a joint effort of various software and hardware manufacturers, safeguards may be present for one area of the device while absent for others.
The PCI Security Standards Council outlines three guidelines for protecting customer card data when using mobile devices.
- Prevent account data from being intercepted when entered into a mobile device. They offer this guidance: “ensure account data is appropriately encrypted prior to entry into a mobile device. This can be accomplished via a validated PCI P2PE solution.” PCI Point-to-Point Encryption (P2PE) encrypts the data so that even if the transaction is intercepted, the data is illegible and useless to the interceptor. P2PE is effective as a solution because it reduces fraud and saves the company time and money on compliance.
- Prevent account data from compromise while processed or stored within the mobile device. They offer this guidance: “Ensure that account data is only processed inside a trusted execution environment. A trusted execution environment may be accomplished through multiple technologies, and the level of security may vary accordingly. In order to prevent data leakage, account data should not be accessible outside a trusted execution environment.”
- Prevent account data from interception upon transmission out of the mobile device. They offer this guidance: “Ensure that account data is encrypted—i.e., using strong symmetric or asymmetric cryptography—per PCI DSS Requirement 4, prior to transmission out of the trusted execution environment of the mobile device. Ensure encrypted account data is transmitted from a trusted source.”
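As an added illustration of the first guideline (this is example code written for this page, not code from the PCI SSC or from any P2PE solution), the following Go model shows why P2PE keeps the merchant environment away from the plaintext: the capture device encrypts with a key the merchant app never holds, so the merchant side can only forward an opaque blob, and only the decryption environment can recover the account data. The function names, the fixed demo key and the test PAN are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptAtCapture models the validated capture device: AES-GCM over the
// account data with a fresh random nonce, which is prefixed to the blob.
func EncryptAtCapture(deviceKey, accountData []byte) ([]byte, error) {
	gcm, err := newGCM(deviceKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, accountData, nil), nil
}

// MerchantSeesPlaintext is the merchant-side check: the forwarded blob must
// never contain the account data, because the merchant app has no key.
func MerchantSeesPlaintext(blob, accountData []byte) bool {
	return bytes.Contains(blob, accountData)
}

// DecryptAtProvider models the decryption environment; GCM's authentication
// tag rejects any blob that was altered between capture and decryption.
func DecryptAtProvider(deviceKey, blob []byte) ([]byte, error) {
	gcm, err := newGCM(deviceKey)
	if err != nil { return nil, err }
	ns := gcm.NonceSize()
	if len(blob) < ns { return nil, errors.New("blob shorter than nonce") }
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key only
	pan := []byte("4111111111111111")     // constructed test PAN
	blob, _ := EncryptAtCapture(key, pan)
	fmt.Println("merchant can read PAN:", MerchantSeesPlaintext(blob, pan))
}
```

A validated P2PE solution performs this step inside tamper-resistant hardware with provider-managed keys; the model only shows why the merchant side stays out of reach of the plaintext.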
PCI compliance does not have to be complicated. The PCI Security Standards Council is actively engaged with vendors to ensure that consumer data is protected. Payment facilitators’ compliance with these objectives and guidelines marks them as a trusted source for handling financial transactions. Maintaining a strong brand identity of trust is crucial in a landscape where new brands promising the moon pop up every day.
Companies that spare themselves financial loss, lost revenue, or eroded customer loyalty can instead focus on creating a worthwhile service or good that customers love.