Retail and PCI DSS Compliance
In today's card-centric business and consumer environment, millions of consumers and businesses use payment cards of every kind to complete billions of retail purchases at the till, on the web, through the post and over the phone. PCI DSS requires organisations to protect cardholder account data throughout the transaction lifecycle: at the point of sale, while it is transmitted, and wherever it is stored. Exa Networks can provide you with PCI compliant solutions and help to save you the pain and cost of heavy fines.
More about PCI DSS
PCI DSS Compliance: Retailers and eCommerce websites
PCI DSS stands for Payment Card Industry Data Security Standard. With data losses and security breaches frequently reported in the news, ensuring that your customers are shopping in a safe environment is essential, whether that is at the till in your store or on your website – not only to reassure your customers and increase sales, but equally for your own protection.
So what does that mean?
PCI DSS is a set of security requirements, validated through a risk-assessment style exercise, for any organisation that collects sensitive customer information – namely debit or credit card details. If your business accepts cards – online, by phone or post, or at the till – you must be PCI compliant.
The process for becoming compliant depends on the volume of card transactions you handle. Most small businesses fall into the lowest tier, Level 4 (fewer than 20,000 e-commerce transactions a year); for these merchants a Self-Assessment Questionnaire (SAQ), plus any scanning their acquirer requires, should be all that is needed.
More information is available from your acquiring bank (such as Barclaycard Business or Streamline) on the specific practices you should adopt in your business. Visa have put together an information sheet with the essentials, which you can download here: Visa PCI DSS Information Sheet.
What if I'm taking credit card payments at the till?
This depends on how your EPOS system connects to the card clearing house. Many retailers are now moving to EPOS over IP, as it is a much faster and more cost-effective way of carrying out transactions: usually a broadband connection and a router connected to the till. The more traditional method, a till dialling directly into the clearing house over an ISDN line, never touches the public Internet, which is why it has long been considered acceptable. Transactions over IP are a different matter, because the card data crosses the Internet. This is where PCI DSS demands that certain criteria are met: cardholder data must be encrypted in transit over public networks, and the till network must sit behind a properly configured firewall.
So what about your website?
If your website collects cardholder data, then it too must be PCI compliant. To achieve this, the site must be scanned for security vulnerabilities at least once a quarter by an independent Approved Scanning Vendor (ASV); as a Level 4 merchant this scan, together with the SAQ, is normally what your acquirer will ask for. Some scanning services also scan daily at random times for added peace of mind. Remember, though, that passing a scan satisfies only the scanning requirement: it does not by itself make your website, let alone your business, compliant.
So what can I do about it?
The top and bottom of PCI compliance is that if you collect, process or store cardholder information, your business must be PCI compliant, and if your website collects cardholder data, it must be too.
We know that cost is a huge issue for small businesses, but consider the potential cost of a security breach to your business. The card schemes have said that they will not honour fraudulent transactions made through non-compliant companies, and they can pass the liability for any losses on to you.
PCI DSS is organised into six control objectives, broken down into twelve requirements, all of which must be met for a retailer to be deemed compliant.
Maintain a secure network
This objective covers the actual network that cardholder data is exposed to. For an online business the most obvious weak point is the web server. Most hosting companies take responsibility for the security of their own networks, but their responsibility ends at their infrastructure: what runs on your server, and who can reach it, remains yours. There is also more to this objective than meets the eye. Do you keep cardholder data (a spreadsheet of card numbers and customer names, for example) on a laptop that you use on public networks? Does your office network have a firewall installed and reasonable security measures in place?
In short, whenever cardholder data is stored on a computer that is connected to a network, that computer must be behind a firewall and all reasonable measures must have been taken to protect that network.
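As an illustration of what "behind a firewall with reasonable measures" looks like in practice, here is a default-deny host firewall for a back-office machine that stores cardholder data. This is an added example written for this page in nftables syntax; it is not Exa Networks' configuration and not text from the PCI SSC. The address ranges, the payment gateway endpoint, the resolvers and the NTP server are assumptions chosen for illustration (RFC 1918 and documentation ranges), and would be replaced with your own.

```nftables
#!/usr/sbin/nft -f
# Added example: default-deny host firewall for a machine holding cardholder data.
# All addresses below are illustrative assumptions, not values from the page.
flush ruleset

define ADMIN_NET   = 10.0.10.0/24                 # assumed: administrators' subnet
define DNS_SERVERS = { 10.0.0.53, 10.0.0.54 }     # assumed: internal resolvers
define NTP_SERVER  = 10.0.0.123                   # assumed: internal time source
define PAYMENT_GW  = 192.0.2.10                   # assumed: acquirer/payment gateway

table inet cde_host {
    chain input {
        # Everything not explicitly allowed below is dropped.
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Minimal ICMP so path MTU discovery and basic diagnostics keep working.
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Administration only from the admin subnet, with a brute-force brake.
        ip saddr $ADMIN_NET tcp dport 22 ct state new limit rate 10/minute accept

        # Log (rate limited) what the drop policy is about to discard.
        ct state new limit rate 5/minute log prefix "cde-host inbound drop: "
    }

    chain forward {
        # This host is not a router: never forward traffic.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is also default-deny: only what the business function needs.
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif lo accept

        ip daddr $DNS_SERVERS udp dport 53 accept
        ip daddr $DNS_SERVERS tcp dport 53 accept
        ip daddr $NTP_SERVER  udp dport 123 accept        # synchronised clocks for audit logs
        ip daddr $PAYMENT_GW  tcp dport 443 accept        # TLS to the payment gateway only

        ct state new limit rate 5/minute log prefix "cde-host outbound drop: "
    }
}
```

The points worth copying are the two `policy drop` chains (inbound and outbound), so that a compromised application on the host cannot simply call home, and the logging of dropped connections, which gives you something to look at when a scan or an incident raises a question. Load it with `nft -f` and check the result with `nft list ruleset`; the same structure applies whether the machine is a shop back-office PC, the till's router, or a web server at a hosting company.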
Protect Cardholder Data