Does your business need to be PCI compliant?


If your business processes even one credit card payment, the answer to the question above is: “Yes”. We spoke to Richard Mann from payment gateway SecurePay to find out what every Australian business owner needs to know about PCI compliance.

PCI DSS (Payment Card Industry Data Security Standard) is a set of standards a business or merchant needs to adhere to when handling credit card numbers. This might include how your online store takes a payment, as well as how you handle a card number read to you over the phone or received in a letter or email.

While it may sound complex, PCI compliance was actually put in place to make it easier for businesses to process credit card payments securely. “Each of the major credit card brands, such as Visa and MasterCard, had security programs in place to protect the card numbers that they owned,” explains SecurePay CEO Richard Mann. “A merchant had to comply with the rules for each type of card they accepted. To make this process more streamlined, the card companies agreed to have a single set of standards.”

The level of compliance your business needs to demonstrate is determined by how many credit cards you process each year. The level ranges from tier one (the highest security requirements) down to tier four (the lowest security requirements). A tier-one-compliant organisation processes more than six million Visa cards per year, while a tier-four-compliant business processes fewer than 20,000 Visa cards per year.

If you aren’t compliant and there’s a security breach, the consequences could put you out of business. “You will most likely be cut off from processing cards until you become compliant,” explains Mann, adding, “The banks can also force you to become tier one compliant with a full audit at your own cost, regardless of your volume.”

Did you know?

One of the easiest ways online retailers can ensure their PCI compliance is to use a PCI-certified payment processor such as Australia Post’s SecurePay. Customers’ credit cards are entered into a PCI-compliant webpage hosted by SecurePay. The merchant knows that a payment or order has been made but never sees or stores a credit card number.

Businesses can choose to make their equipment, systems and staff PCI compliant or they can outsource the handling of credit card numbers to a payment provider that is PCI compliant. All such payment providers must adhere to PCI standards and must prove their compliance to each of the banks they connect to on behalf of merchants.

Mann stresses that compliance isn’t a one-off thing but rather an ongoing commitment to standards and systems.

“For a moderately sized business, to be tier one compliant can cost more than $250,000 per year, including staff labour, security scans, daily process adherence and the onsite audit process,” he says.
“This cost can be substantially higher for larger businesses with more systems and processes to audit.

“However, by removing most of the compliance to an external provider like SecurePay, a business can reduce their PCI exposure down to a self-assessment questionnaire. While the payment gateway may pay a substantial cost to be compliant, the load is shared in the pricing across thousands of customers, making the cost of PCI only a fraction of the ongoing costs.”

If you choose to outsource your compliance, all tier one PCI-compliant payment providers will have a Certificate of Compliance available on their website or upon request. This is issued by a qualified security assessor and is valid for one year.

If you are a tier four merchant who uses a payment gateway that is compliant, you will need to state this when you complete the self-assessment questionnaire provided by your bank, and you will need to arrange for quarterly network security scans. If you process more than one million Visa cards per year, you will need to prove that you are PCI compliant to your bank.

There are additional benefits of compliance, a major one being reassuring your potential customers that their card details are safe. “Trust is everything when convincing a customer to buy from your online store and your name alone may not be enough,” says Mann. “Around 65 per cent of customers exit the online shopping process at the point of payment, so reducing this figure will help you sell more online.

“Using a name brand like SecurePay and Australia Post is paramount to gaining the customer’s trust. When this is backed up by the industry standard for credit card security, as well as by a seamless shopping cart checkout process, you are more likely to make the sale.”

The views expressed in this article are those of the author and the interviewees, and not of Australia Post.
