Businesses that process credit card payments have to adhere to PCI compliance standards. Here’s why that’s important.
When Experts Exchange first started to accept credit card payments for subscriptions in 2003, we relied heavily on our payment processors to manage the security aspect for us. As things evolved, we began to realize there were definite gaps in the integrity of the way information was stored. We took it upon ourselves to think beyond what was considered acceptable at that time to ensure that we were doing all that we could to protect data. The last thing I wanted as a business owner was to have to tell any member of our site that their information had been compromised.
In 2006, when the Payment Card Industry Data Security Standard (PCI DSS) became the way to improve security throughout the transaction process, we had the opportunity to perform an external audit. The standard applied to all companies processing credit cards and standardized what was considered best practice at that time, and what is still considered best practice today.
Our very first PCI compliance audit exposed some areas in which we were not as strong as we could have been. They were easy fixes for us and it was good to see where we had potential vulnerabilities. We decided to go above and beyond what is required for PCI compliance and still do so today. In our minds, compliance is viewed as the minimum a company should be doing to ensure data protection.
Not all companies agree with us on this matter. In fact, Verizon’s 2015 PCI Compliance Report found that 80% of companies were still not compliant and failed their assessment. Noncompliance carries a large financial cost (fines can run as high as $100,000 per month, depending on how long the noncompliance persists), and it leaves companies exposed to legal action should a breach occur.
As credit card fraud migrates online, compliance is more important than ever. There are now more entry points for e-commerce attacks: many companies rely not only on e-commerce websites but also on e-commerce-enabled apps for in-app purchases, and using third-party providers for shopping cart software, supply chain management, and other parts of the purchasing process is now the norm. Every one of those providers that stores, processes, or transmits cardholder data on your behalf is within the scope of your own assessment, and PCI DSS requires you to keep a list of them and confirm their compliance status.
The PCI Council is responding to this increased threat. In January it published updated Best Practices for Securing E-commerce, including guidance on retiring SSL and early TLS in favour of TLS 1.1 or higher (with TLS 1.2 strongly recommended) and on choosing a certificate authority, which makes this a banner year for preparing for the new compliance standards.
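The practical question behind that TLS guidance is which of your customers’ browsers and apps would stop connecting once the server no longer negotiates SSL or TLS 1.0. As an added example (not Experts Exchange’s code and not part of the PCI Council’s guidance), the script below parses a TLS ClientHello record of the kind you can pull from a packet capture and reports which protocol versions the client offers, so a client that would break at a given server minimum can be identified before the cutover. The ClientHello samples it contains are constructed in the script, not captured from real clients; the TLS 1.1 server minimum and the cipher suite in the samples are assumptions for illustration.

```python
"""Check which TLS versions a captured ClientHello offers.

Added example, not Experts Exchange's code. Run it over ClientHello records
pulled from a packet capture to find the clients that would stop connecting
once a server no longer negotiates SSL or early TLS. The ClientHellos below
are constructed here for demonstration, not captured from real clients.
"""
import struct

SUPPORTED_VERSIONS_EXT = 0x002B          # RFC 8446 extension type
VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
TLS_1_1 = 0x0302   # assumed server minimum for the check below


def build_client_hello(client_version, supported_versions=None):
    """Build a minimal ClientHello record (constructed test input)."""
    hello = struct.pack("!H", client_version)
    hello += b"\x00" * 32                           # random: zeros are fine for parsing
    hello += b"\x00"                                # empty session_id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"     # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (assumed)
    hello += b"\x01\x00"                            # one compression method: null
    if supported_versions is not None:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the protocol versions a ClientHello offers.

    A supported_versions extension is authoritative; without it the legacy
    rule applies: any version up to client_version may be negotiated.
    """
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if len(body) != record_len or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                    # client_version + random
    pos += 1 + hello[pos]                           # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                           # compression_methods

    offered = None
    if pos < len(hello):                            # extensions block present
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == SUPPORTED_VERSIONS_EXT:
                count = data[0]
                raw = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + count, 2)]
                # Drop GREASE and draft values (0x0a0a, 0x7fXX, ...) that are not real versions.
                offered = [v for v in raw if v in VERSION_NAMES]
    if offered is None:
        offered = [v for v in VERSION_NAMES if 0x0300 <= v <= client_version]
    return {"client_version": client_version, "offered": sorted(offered)}


def breaks_at_minimum(record, server_min=TLS_1_1):
    """True if this client could not connect to a server that insists on server_min or higher."""
    return max(parse_client_hello(record)["offered"]) < server_min


def offered_names(record):
    """Human-readable list of the versions a ClientHello offers."""
    return [VERSION_NAMES[v] for v in parse_client_hello(record)["offered"]]


# Constructed samples: a TLS 1.0-only client, a pre-1.3 client advertising TLS 1.2,
# and a TLS 1.3 client that also sends a GREASE value in supported_versions.
LEGACY_TLS10 = build_client_hello(0x0301)
TLS12_CLIENT = build_client_hello(0x0303)
TLS13_CLIENT = build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303])

if __name__ == "__main__":
    for name, rec in [("legacy", LEGACY_TLS10), ("tls12", TLS12_CLIENT), ("tls13", TLS13_CLIENT)]:
        print(name, offered_names(rec), "breaks at TLS 1.1 minimum:", breaks_at_minimum(rec))
```

To use it on real traffic, take the TLS record that the client sends immediately after the TCP handshake (the first bytes of the client-to-server stream on port 443) and pass it to parse_client_hello. Raising server_min to 0x0303 shows which clients would be cut off by a TLS 1.2 minimum, which is the stricter target the guidance recommends.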
I recently sat down with Katie Pierce, our financial analyst at Experts Exchange, to discuss how Experts Exchange meets PCI Compliance procedures.
RR: As the Experts Exchange employee who handles accounts, what are your concerns about PCI compliance? KP: It’s imperative we stay in compliance to maintain a good status with our credit card processors. Falling out of compliance could cause problems with our ability to accept credit cards or receive funds, or could result in hold-backs or penalties. Additionally, failing to comply with PCI regulations could compromise the security of our customers’ payments, causing problems for them and damaging our reputation.
Being reliant on electronic forms of payment, we must stay on top of changing security requirements and customer needs.
RR: How does Experts Exchange approach PCI compliance regulations? KP: Our DevOps director keeps us in compliance—he completes a self-assessment questionnaire each year and also responds to any issues that come up in our Quarterly Compliance Scans.
RR: How do you think the EMV chip has helped make credit card processes more secure? KP: In Europe, where “chip & PIN” has been in use for several years now, there has actually been an increase in online fraud because it is so much more difficult to defraud the point-of-sale machines. It is expected that the U.S. will see a similar rise, but we are not yet seeing a spike at Experts Exchange.
RR: Has Experts Exchange experienced and warded off any phishing efforts? KP: Yes, it’s an ongoing issue. We have defenses in place, including blocking IP addresses and other security measures.
RR: How important is it for companies who receive credit card payments to hire specialists in Point-to-Point Encryption Solutions? KP: We make sure to have highly trained staff and to work with reliable processors who keep us up-to-date on compliance requirements.
To protect your consumers and your business, conduct internal audits to meet PCI compliance standards.
How is your company working toward the new 2018 requirements? Let me know in the comments below!