The Hidden Challenges of Proper PCI Compliance

March 27th, 2019
Estimated read time: 5 minutes, 21 seconds

In the past couple years we’ve seen an uptick in ecommerce as more customers look to complete their shopping experiences on the web. As the online shopping trend continues to grow, it shouldn’t come as a surprise to hear that more customers are taking a greater interest in how merchants handle their payment information.

Whether it’s localized shopping experiences or data security, your software company needs to make sure that you’re continuously meeting the ever-changing needs of today’s shoppers to ensure that they continue to shop on your online store.

Fortunately, beefing up the security on your site isn’t rocket science. Guidelines like PCI DSS help serve as the framework for securely accepting, transmitting, and storing sensitive personal data. Understanding the basics of Payment Card Industry Standards is fairly straightforward, but maintaining full compliance can be challenging. And if you don’t get it right, your company is subject to fines, termination of credit card acceptance, lost sales, legal costs, and an uncertain future in ecommerce.

Here are some things to keep in mind to help your software company avoid the headaches of not being PCI DSS compliant.

Overview of PCI DSS

Does my software company need to be PCI compliant?
Short answer – yes.

Shoppers complete their transactions on your site because they trust that your online store is securely handling their payment information. In order to protect your customers’ trust and encourage them to continue to patron your site, your company must be PCI compliant.

The Payment Card Industry Data Security Standard applies to all companies that handle cardholder data, regardless of their size. If you’re selling your software or services on the internet, there’s probably a good chance that your company is already handling sensitive customer data!

PCI standards not only minimize the risk of debit and credit card data loss but also ensures that companies are operating in a secure environment. To effectively do this, PCI DSS guidelines feature 12 requirements that cover network security, program vulnerability, access control, monitoring, information security policy, and data protection. By requiring online merchants to adhere to strict protocols around data security from the start, PCI DSS aims to protect users from payment card fraud before it happens.

PCI DSS compliance is enforced by the PCI Security Standards Council. This governing body includes international payment card brands like Visa, MasterCard, American Express, Discover, and JCB.

How Merchant Levels define PCI Compliance

First, what exactly is a merchant?

Online merchants have very similar responsibilities to their brick and mortar counterparts. While online sellers are predominantly concerned with buying and selling products, merchants have increased responsibilities that extend beyond inventory management. Online merchants must also worry about promoting their product, increasing conversion rates, and managing the entire financial process.

The Payment Card Industry uses merchants levels to determine risk and ascertain the appropriate level of security controls necessary for each online business/merchant.

These levels range from Level One to Level Four, with each merchant level having different requirements for ongoing compliance. Level one is reserved for merchants that process the highest amount per year and level four is for merchants that process the smallest amount.

  • Level 1 – Over 6 million transactions annually
  • Level 2 – Between 1 and 6 million transactions annually
  • Level 3 – Between 20,000 and 1 million transactions annually
  • Level 4 – Less than 20,000 transactions annually

Merchants should be careful to remember that they can also be escalated to a higher level based on factors other than volume. The primary reason for escalation is a breach that resulted in an account data compromise. So if you experience a data breach, get ready. You’ll soon face much stricter compliance standards, even if you always do fewer than 20,000 transactions a year.

Cardholder Data Security

The PCI Security Standards Council defines cardholder data as the full Primary Account Number (PAN) along with cardholder name, expiration date, and service code. Authentication data like full magnetic stripe data and pins also need to be protected.

Companies are encouraged to build and maintain a secure network when handling sensitive payment card information. This involves ensuring that firewalls are implemented to create a secure private network. Additionally, if you’re storing cardholder data, your company must ensure that you’re taking steps to avoid a possible data breach by making sure your hosting provider is also PCI compliant and that you’re encrypting all data being transmitted across public networks. Routine checks of your website are also strongly encouraged to help catch vulnerabilities before they are exploited.

Compliance is a Moving Target

Software companies should approach the idea of PCI compliance with a flexible mindset. Compliance is an ongoing process. Just because your company was in full compliance last year, or last month, or even yesterday, doesn’t mean it is at this moment.

This was illustrated in the case of Heartland Payment Systems (HPS), which gained worldwide notoriety for a data breach that affected PCI compliance. HPS paid an outside firm to guarantee full PCI compliance at all times. But unbeknownst to HPS or the outside vendor, malware infected its corporate network and later spread to its payment processing network.

HPS was immediately delisted by Visa and Mastercard, saw its stock fall 78%, and lost 5,000 merchants. The monetary cost of the data breach was around $170 million.

In the end, HPS worked with the regulatory authority to tighten its security processes and even developed an incident response plan based on PCI compliance.

Safeguard Your Company

As we’ve learned, not being PCI compliant, can have long-lasting implications for your company. Not only will you be issued fines of $5,000 to $100,000 a month until the issue is resolved, but you’ll also face additional fees from the payment brands. The fees are given as a penalty, and as a way to compensate card issuers for the risk of doing business with your software company.

Failing PCI compliance – particularly if it leads to card processing termination – can also affect your company’s credit rating, banking relationships, and loan eligibility. In fact, banks may charge you for the forensic research required to handle your account.

But don’t be discouraged! Your company doesn’t have to navigate the complexities of proper PCI compliance alone. FastSpring’s ecommerce platform securely handles payment card information and has helped thousands of companies remain PCI compliant.

Safeguard your company’s reputation and protect your hard earned revenue by partnering with a full-service ecommerce solution. Click here for a free demo today!

Try FastSpring

Get a free account and see why FastSpring is the ecommerce partner of choice for software providers around the world. Try our full-service ecommerce solution today to unlock revenue growth for your online company.