Payment Card Industry Data Security Standard (PCI)
What is it and do I need it?
When you make a purchase through an eCommerce website and input your card details, your details should be protected and the funds should reach the intended recipient. By following certain protocols, the operator of the eCommerce website is responsible for ensuring the safety of the transaction through best practices and due diligence.
If you operate an eCommerce website and accept monetary transactions, PCI compliance applies to you, and you should have some understanding of your own and your partners' responsibilities. This is true of phone payments and card readers, and website eCommerce stores are no different.
PCI compliance is an industry standard set of security rules and best practices. It is governed by the Payment Card Industry Security Standards Council in partnership with the major payment card issuers like VISA and Mastercard.
PCI compliance can be a costly area, but the fines for ignoring it are higher.
If your website allows for a payment transaction of some type you will require a level of compliance that depends on a number of factors.
We can help and assist you with this to ensure your eCommerce store fulfils the guidelines and is safe for your users.
What is the purpose?
If you handle or transmit cardholder data (CHD), you have a responsibility under PCI to ensure the data is safely processed, handled and stored. This is simply to protect your customers' card details from being exposed or exploited by an unknown third party.
What scope do I need?
The level of access you have to cardholder data determines the level of compliance you will need. A common tendency is for retailers to defer eCommerce payment card processing to a payment partner site, which ensures no cardholder data is transmitted through their own pages. This effectively reduces the retailer's scope and puts most of the onus on the payment card processor. However, whilst you have effectively limited your scope this way, it is critical that you do due diligence and assess whether the payment processor you appoint has PCI compliance. By law, they should be able to provide you with an Attestation of Compliance on request.
What is an Attestation of Compliance (AOC)?
An Attestation of Compliance is a certificate, renewed each year, that confirms PCI compliance.