
PCI Compliance Is "Industry Self-Regulation"

Product marketing manager for nCircle explains payment-processing standards

By: Practical eCommerce Staff

The major credit card companies, Visa, MasterCard, Discover and American Express, have collaborated on minimum payment-processing security requirements. These requirements make up the Payment Card Industry Data Security Standard (PCI DSS). Merchants and merchant account providers who work with any of those four credit card companies must follow these standards. In that sense, the PCI standard is not law but a set of industry self-regulation measures that the credit card companies have adopted.

We asked a PCI compliance expert, Sweta Duseja, to explain these standards to us. Duseja is Product Marketing Manager for nCircle, a security risk and compliance management firm.

PeC: PCI compliance is not a law, but self-regulation by the credit card industry. Can you explain?

DUSEJA: Many different industries have requirements that dictate security and privacy. Some of these are laws and regulations - mandates passed by the federal government and by individual state governments - and others are self-regulatory standards. For example, the medical industry has the Health Insurance Portability and Accountability Act, or HIPAA, which is a law that governs the transmission and storage of medical records. Public companies are governed by the Sarbanes-Oxley Act, which is a law that governs financial reporting issues. The PCI Data Security Standard is not a law or regulation. It's a standard that the four major credit card companies have adopted that tells merchants, essentially, if you want to collect payments from customers using credit and debit cards you must adhere to the PCI standard.

PeC: How do the credit card companies enforce these standards on merchants?

DUSEJA: The credit card companies rely on merchant banks to enforce the standards on their merchants. If a network breach is discovered, a merchant may be fined heavily by one of the credit card companies. This has been sporadic at best because network breaches, unless they are high profile, are usually not publicized. The real driver here is the loss of customers' trust in a merchant. The fear that their credit or debit card data may be stolen and used without their authorization is a far greater incentive to make sure that customers do business with only trusted merchants. On the other hand, VISA has rewarded merchant banks with lower interchange fees (fees paid to VISA to use its network to process customer payments) that have proven high or complete compliance among their merchants.


PeC: Summarize for us what is required of merchants to meet the standards.

DUSEJA: For a general understanding, merchants should always follow four basic rules:
1. Collect only data that is needed for a transaction or order;
2. Store only that customer card data that does not violate the requirements stated very specifically in the PCI standard;
3. Make sure that all customer card data is stored securely;
4. Make sure that card data is securely transmitted from a customer to a merchant via the merchant payment gateway.

PeC: How can a merchant prove compliance with these standards?

DUSEJA: The PCI standard categorizes merchants into four different levels based on the number of payment transactions they generate. All merchants, regardless of size, must retain an Approved Scan Vendor, certified by the PCI Security Standards Council, the body that governs the PCI standard, to perform and submit a quarterly scan of their externally facing payment network. In addition, the very largest of the merchants, Level 1 Merchants, must submit to an annual onsite audit performed by a Qualified Security Assessor, also certified by the Council. Level 2, 3 and 4 merchants are required to fill out and submit an annual self-assessment questionnaire, which is no less thorough than an onsite audit. All of this, and more, is explained at the PCI website, Pcisecuritystandards.org.


Published on Monday, April 28, 2008

Comments:

This is an oversimplification of this subject.
Fines for a breach are more than heavy. Unless you have Wal-Mart-like deep pockets, a breach of more than one card # will put you out of business!
Please do not put this off.

Posted by: Teresa
Tuesday, April 29, 2008

Everyone is in favor of high security and protecting card holder information. That is not the issue. But levying fines or denying processing privileges to merchants who have been processing securely for years if they don't comply with a blanket set of guidelines (one size does not fit all), and pay third parties for certification services, feels like extortion.

Posted by: Dave
Tuesday, April 29, 2008

 



Copyright 2007 Confluence Distribution, Inc. and Practical eCommerce.
All Rights Reserved.
