30th January, 2018
As more and more people swap cash for card, making sure card payments are done safely is going to be key to you becoming a trusted merchant.
Every business which accepts payment details from customers is classed as a merchant and must meet standards known as the ‘Payment Card Industry Data Security Standard’ (PCI DSS) – whether they know it or not.
This is a set of standards created to help protect customers’ credit card and debit card information.
If your business can’t meet these standards, then you can’t reasonably say you’re protecting your customers’ details.
More than that, you risk being fined (the fines vary by payment card brands) if you’re found not to be compliant.
Here’s what you need to know about becoming PCI-compliant.
PCI compliance is a set of 12 security requirements set out by credit card networks.
They apply to any business that stores or transmits credit card data – regardless of its size or location.
The data which needs to be protected includes the following:
• Cardholder name
• Expiration date
• Service code
• Full magnetic stripe data
• CAV2, CVC2, CVV2, CID (the security digits on the back of credit cards)
• PINs
There are varying levels of PCI compliance:
• Level 1—Any merchant which processes over six million Visa transactions per year, regardless of acceptance channel. MYOB PayBy is certified as PCI DSS v3 Level 1 compliance.
• Level 2—Any merchant which processes one million to six million Visa transactions per year.
• Level 3—Any merchant which processes 20,000 to 1 million Visa e-Commerce transactions per year.
• Level 4—Any merchant which processes fewer than 20,000 Visa e-Commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.
Even if your business only takes credit card information over the phone, you’re still expected to comply with PCI DSS.
To meet the PCI compliance requirements, every merchant needs to go through a series of 12 steps including:
• Defining your process to make sure that the cardholder data is protected
• Identifying the most recent antivirus programs on all computers and network
• Identifying the firewall used to guard all cardholder information
• Defining safe practice transactions and maintaining a secure network environment
• Monitoring all sessions that concern cardholder data and network resources
You can read more about the steps needed to become compliant here.
Meanwhile, to continue being compliant, you need to submit quarterly network scans by an “Approved Scanning Vendor” to the Payment Card Industry Security Standards Council.
Doesn’t that all sound like a barrel of monkeys?
Luckily, most businesses won’t need to do this manually because payment application and gateway services like MYOB PayBy take care of the hard work.
A payment application is anything that transmits, stores, or processes cardholder information.
This covers everything from POS terminals in a restaurant to the software used in your e-Commerce shopping cart.
These are all subject to PCI compliance, and it’s important to note that merchants who use third-party processors aren’t immune from being PCI-compliant.
A payment gateway such as MYOB PayBy connects a merchant to its acquiring bank, or a processor that connects them to the card brand.
They take information from a variety of sources and direct it to the bank.
Another important part of being PCI-compliant is a requirement to make sure that any card information storing you may do is done in a safe way.
You may want to hang onto card information for customer ease, so people don’t have to put in their card details each time they order something from your site for example.
The simplest way to do this with ease-of-mind is using a solution like MYOB PayBy.
It offers a card vault and tokenisation as standard, which means it will store all customer credit card data in a secure vault – and then provide a unique ‘token’ which can be applied to each customer for the purposes of re-billing.
All cardholder data is removed from your possession, and the responsibility for its security does not fall on you – even though you’re still held responsible for being PCI-compliant.
These standards are in place to keep your consumer data safe.
A merchant who fails to meet compliance standards will face penalties assessed by the card networks.
There are also PCI fines for merchants who are non-compliant and suffer a data breach.
It’s very likely the bank will terminate your relationship or exorbitantly increase transaction fees.
These kinds of penalties can devastate a small business.
But by using a solution like MYOB PayBy you can take the hassle, and the risk, out of keeping your customers’ credit card details nice and safe.