Discover what PCI Compliance/DSS is and why it is important for e-commerce.
PCI Compliance, PCI DSS or Payment Card Industry Data Security Standard is a group of security requirements and procedures aimed at protecting the cardholder data that has to be handled for every payment made with a card. The purpose of adopting PCI DSS is to rule out the possibility of fraud or data theft. In other words: adopting a PCI DSS compliant payment solution means providing a secure consumer shopping experience.
PCI DSS or “Payment Card Industry Data Security Standard” is an international security certification that applies to the entire payment processing chain when a card payment is processed: merchants, processors, acquirers, issuers and service providers. That is, entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
Created in 2004 jointly by the brands MasterCard, American Express, Visa, Discover and JCB International, the PCI DSS is regulated by the Payment Card Industry Security Standards Council, constituted by the same group and guided by an open global forum. The Council’s role is to improve data security by guiding best practices and helping to implement them to establish a minimum-security standard.
The issuing bank and the acquirer of the cards share responsibility for complying with these guidelines and for penalising those responsible in cases of data leakage. Merchants, in turn, need to ensure that their systems and processes keep consumer data secure (such as cardholder name, card number, security code and expiration date), regardless of the size of the business or the volume of operations. Making sure card data is safe is also a responsibility of the merchant that accepts card payments. Choosing a suitable PCI DSS compliant payment processor or payment gateway is the best way to achieve this goal.
The PCI certificate comprises the minimum requirements to ensure information security. This set of best practices can be extended to further decrease the chances of leakage, or to comply with local laws or regulations specific to a trade sector.
The list of requirements to obtain a PCI certification comprises 12 items, which can be grouped into six major objectives.
PCI DSS certification has 4 different levels, related to the number of transactions processed annually:
Level 1: processes more than 6 million transactions per year. (This includes an annual auditing and certification process).
Level 2: processes between 1 and 6 million transactions annually.
Level 3: processes 20,000 to 1 million online transactions annually, or less than 1 million transactions in total over a year.
Level 4: processes less than 20,000 online transactions, or up to 1 million transactions in total, in a year.
From Level 2 to Level 4, merchants are required to complete an annual self-assessment questionnaire, undergo a quarterly network scan, and obtain an attestation of compliance for on-site assessments. Companies with a Level 1 certificate do not need to do the self-assessment, but are audited every year by a Qualified Security Assessor or by an internal auditor with the consent of the company director.
For Payment Service Providers (PSPs), there are two levels:
Level 1: over 300,000 transactions per year;
Level 2: below 300,000 transactions per year.
For Level 1 PSPs, assessment requirements include a quarterly network scan, an audited compliance certificate and an annual compliance report, in the case of a vpn. Bexs Banco is PCI Level 1 certified.
In addition to being mandatory for everyone who participates in card data processing, choosing partners that meet PCI DSS security requirements also helps build the online reputation of your company. This applies to e-commerce platforms, servers and the aforementioned payment processors and online payment gateways. See below what your company gains when working in partnership with PCI compliant companies:
– Legal liability: if there is a data leak or another type of cybercrime, the payment process will be investigated for weak points. Situations like this can trigger legal actions and a lot of headaches.
– Fraud protection: when a fraud occurs, your establishment loses twice: first when shipping the product to the fraudster who appropriated third-party card data, and again when refunding the amount paid to the injured consumer (who will probably request the cancellation of the purchase together with the card provider), a procedure known as chargeback.
– Consumer trust: increasingly educated, digital consumers always want to know the reputation of the e-commerce businesses with which they share their data. You don’t want your brand to be involved in security breaches, do you?
Using a PSP solution developed by Bexs within the PCI DSS guidelines, you will be guaranteeing your consumers the safest payment process on the market. Our APIs are built to the highest security standards in the payments industry. With them, your company can also accept international online payments, with amounts automatically converted to the consumer’s local currency, and receive funds in your preferred currency, wherever you are. Contact us!