Why PCI Compliance is Worth More than its Weight in Gold

Wednesday, October 22, 2014

Cybersecurity is a big deal, and with the recent data breaches hitting Target and Neiman Marcus Group, it's getting bigger. Consumers are more concerned than ever about the security of their personal and financial information. As a publisher, protecting your customers’ data is paramount to your success in eCommerce. So, let’s talk about PCI compliance.

Providing the safest online transaction possible (and evidence of it) is what gives your customers confidence in purchasing from your site. That’s where PCI compliance comes in.

PCI Compliance: Background

Mandated since 2001, Cardholder Information Security Program (CISP) certification is intended to protect Visa cardholder data, wherever it resides, ensuring that members, merchants and service providers maintain the highest information security standard. CISP is what drove the establishment of the Payment Card Industry (PCI) Data Security Standard in 2004. Developed through a joint initiative of Visa, Mastercard, Discover and American Express in response to the growing severity of credit card theft, the standard’s goal was to protect all cardholder data, wherever it may reside. As a result, PCI created industry-wide standards for card data security to be followed by both merchants and providers.

1) If you sell anything online and accept credit cards as a form of payment, you MUST be PCI compliant.

2) If you are using a hosted solution, your provider must be CISP certified and appear on Visa’s approved list.

3) Non-compliant merchants risk class action lawsuits that can result in up to $10,000 in monthly fines, up to $500,000 in fines (per incident) and/or losing the ability to process transactions altogether.

The Value of PCI Compliance

PCI compliance is not cheap. It requires a fair amount of capital to review the procedures affecting data security, document those procedures, and audit the processes periodically. For publishers large and small, it's a daunting task, pulling away resources that would otherwise go to management and development. But the cost of not being PCI compliant is far greater.

What’s a publisher to do?

The simple answer is to find a hosted eCommerce system, shopping cart, and payment processor that are already PCI compliant. Outsourcing can offer you significant savings and greater peace of mind. But of course, you don’t want to blindly accept that they are PCI compliant. You need to know what to keep top of mind when addressing PCI compliance:

  • Gaining compliance isn’t just about having the capital to complete the certification process. It’s also about having the knowledge and talent/skill to code and configure the elements required for a secure platform.
  • A good provider will readily present proof of certification.
  • PCI compliance will be clearly displayed on provider websites, so that users can easily recognize the level of security.
  • Look for a platform that focuses on speed, scalability and reliability for your website. It’s an indication that the provider crosses their “t’s” and dots their “i’s” to ensure that they have a solid infrastructure to support economies of scale for their clients.
  • Security should go beyond compliance. Strong providers seek annual third-party audits to ensure they are compliant. They also have off-site backups.
  • A reliable provider will focus on the latest tools, including:
      • Clustered databases and application servers
      • Robust caching
      • Data center redundancy
      • Bandwidth diversity; and
      • Cisco-powered networks.

PCI compliance doesn’t have to cost you an arm and a leg, but you can’t put a price on what it will save you.