Welcome to the second part of our three-part series on fighting online fraud. (You can read Part 1 here.)
If an eCommerce business doesn’t maintain its PCI DSS certified status, it could face a fine as high as £500,000. Before setting up an eCommerce business, therefore, it’s imperative that the business owners and managers understand what they will need to do to gain and maintain PCI DSS certification.
What is the PCI DSS?
With eCommerce businesses growing rapidly, the threat of online fraud is a very real one. To improve online payment security, the Payment Card Industry Data Security Standard (PCI DSS) was introduced as a global payment security standard. Its aim is to protect the personal information of cardholders, and, in the UK, all online businesses must be PCI DSS compliant and be certified as such on an annual basis.
How to Meet the PCI DSS
In order to conform to the PCI DSS, a business will need to ensure its systems are designed to facilitate payment security, with secure payment methods as defined under the standards. These cover areas including online payment security management, payment security policies, network architecture, and security of customer account data.
Any business that processes, stores, or transmits cardholder information must be PCI DSS compliant.
Six Things to Do to Become and Remain PCI DSS Compliant
The PCI DSS is based upon six principles, each of which must be met and then maintained to remain compliant. Here are the six things a business needs to do to attain PCI DSS compliance:
1. Ensure you have a secure network
- Install a firewall and ensure it is regularly updated. The firewall should be robust enough to protect cardholders’ data.
- Maintain passwords and ensure they are changed regularly
- Ensure that your network is configured on a customised basis and not to vendor defaults
2. Protect Cardholder details
- Encrypt all transmissions of cardholder data across open networks
- Take measures to ensure cardholder data is held securely
3. Regularly Assess System Vulnerability
- Ensure anti-virus software is used continuously and is regularly updated
- Maintain secure payment methods and systems on all applications
4. Limit access to systems and applications
- Only those who need access should have access
- Maintain unique user access IDs and passwords
- Physical access to cardholder details should be strictly limited
5. Monitor Networks
- Track all access to networks and applications
- Have systems in place to monitor network resources and access to cardholder details
- Test online payment security, systems, and procedures regularly and often
6. Maintain a Written Security Policy
- A catch-all security policy must be maintained in writing and updated as needed.
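As an added illustration of how principles 2, 4 and 5 above look in working code (this is example code written for this article, not from the original author or from the PCI Security Standards Council), the following Python sketch keeps cardholder records behind unique user IDs with role-based access, never returns a full card number, and records every access attempt, allowed or denied, in an audit log. The roles, user names and card numbers are all constructed for the example; a real system would additionally encrypt stored card data at rest, which is left out here.

```python
"""Added example (not part of the original article): unique user IDs, least-privilege
access, PAN masking and an audit log for cardholder data. All roles, users and records
are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: which role may do what. Principle 4: only those who need
# access get it, and no role is allowed to read a full card number.
ROLE_PERMISSIONS = {
    "support": {"view_masked"},
    "finance": {"view_masked", "refund"},
    "auditor": {"view_audit_log"},
}


@dataclass
class CardholderStore:
    # Constructed sample store. A real store would encrypt the PAN at rest (principle 2);
    # that is omitted here to keep the example short.
    records: dict = field(default_factory=dict)
    users: dict = field(default_factory=dict)      # unique user ID -> role
    audit_log: list = field(default_factory=list)

    def add_user(self, user_id, role):
        # Principle 4: every person gets their own ID; shared or reused IDs are refused.
        if user_id in self.users:
            raise ValueError(f"user ID {user_id!r} already exists; IDs must be unique")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.users[user_id] = role

    def _log(self, user_id, action, record_id, allowed):
        # Principle 5: every access attempt is recorded, whether it succeeded or not.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
            "allowed": allowed,
        })

    def _check(self, user_id, action, record_id):
        # Deny by default: unknown users and unpermitted actions both fail, and are logged.
        role = self.users.get(user_id)
        allowed = role is not None and action in ROLE_PERMISSIONS[role]
        self._log(user_id, action, record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user_id!r} is not permitted to {action}")

    @staticmethod
    def mask_pan(pan):
        # Principle 2: never expose the full card number; show only the last four digits.
        digits = "".join(ch for ch in pan if ch.isdigit())
        return "*" * (len(digits) - 4) + digits[-4:]

    def view(self, user_id, record_id):
        # Returns a masked view of one record, after the access check and audit entry.
        self._check(user_id, "view_masked", record_id)
        rec = self.records[record_id]
        return {"name": rec["name"], "pan": self.mask_pan(rec["pan"])}

    def denied_attempts(self, user_id):
        # Auditors review refused access attempts; reading the log is itself logged.
        self._check(user_id, "view_audit_log", "*")
        return [entry for entry in self.audit_log if not entry["allowed"]]


if __name__ == "__main__":
    store = CardholderStore()
    store.add_user("alice", "support")
    store.add_user("bob", "auditor")
    # Constructed test-style card number, not a real card.
    store.records["r1"] = {"name": "Test Customer", "pan": "4111 1111 1111 1111"}
    print(store.view("alice", "r1"))          # masked view for support staff
    try:
        store.view("bob", "r1")               # auditor may not view card data
    except PermissionError as err:
        print("denied:", err)
    print(store.denied_attempts("bob"))       # the refused attempt is in the log
```

The useful property for a compliance conversation is that the access decision, the masking and the audit entry live in one place, so a reviewer can verify all three without reading every caller.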
Not all businesses are the same, and the exact requirements for online payment security under PCI DSS may differ from business to business.
As can be seen, even the basic requirements outlined above require a business to be proactive in developing, building, and maintaining systems, processes, and procedures that interact both internally and externally. These requirements can put a strain on a business’s resources and stretch its finances. This is why so many companies pass these responsibilities on to their payment gateway provider.
In the next and final part of this series of articles, we look at where and when breaches of online payment security may take place.