As online payment for goods and services has grown, so has the risk of payment card theft. To counter the growing threat of debit and credit card fraud, in 2006 the major payment card brands, such as Visa and Mastercard, jointly created the Payment Card Industry Council. The goal of the council is to enforce global security standards for retail payment by debit and credit card.
The council eventually formed what we know today as the PCI Data Security Standard (PCI DSS). PCI DSS defines a number of compliance levels. The most stringent compliance level is reserved for businesses that process over 6 million Visa and/or Mastercard transactions per year.
Who is required to be PCI compliant?
Any merchant, vendor or service provider that stores, processes or transmits credit or debit card information will be obligated, by payment card brands and acquirer banks, to be PCI compliant according to PCI DSS. It is not quite clear, however, whether some individuals involved in the creation of the online business, who don’t come in contact with payment card information, are required to be PCI compliant. For example, a web developer may be contracted to simply create a website for a merchant, and not to store or transmit any payment card information. During the process of configuring the payment gateway to the website, however, a web developer could come within the scope of requirements if any contact is made with payment card information.
What are the consequences of not being PCI compliant?
There is currently no legislative basis for PCI compliance. It is a contractual obligation that can result in liabilities in the event of a breach. Failing to be PCI compliant (when the banks expect you to be PCI compliant) can result in chargebacks by the payment card brand or acquirer; suspension of credit card payment processing by the specific payment card brand; escalation into a higher compliance level; tens of thousands of dollars in annual compliance fees; and, very importantly, damage to the reputation of your business.
What responsibilities are imposed by PCI compliance?
The complexity of the PCI DSS can be quite daunting. It is important, however, for an online business to understand the responsibilities and obligations required to remain PCI compliant. A number of retailers, including Target and Neiman Marcus, have come under scrutiny for allegedly failing to comply with the PCI DSS, which resulted in a significant data breach.
Along with the stringent technical standards set by the PCI Security Standards Council, PCI compliant businesses should also consider:
- Talking to your insurer. Before confirming the liability language in agreements related to PCI compliance, talk to your insurer about the level of coverage you will have in the event of a data breach. You may also consider bringing up the possibility of cyber insurance.
- Amending your contract language. It is important that contract language between parties in an online business lay out specific representations and warranties related to PCI compliance. Such representations and warranties can include language on compliance, where and how code is written, testing methods used, technical support limitations, etc.
- Being prepared for audits. Whether you are PCI compliant or not, if you are a vendor to a business that is required to be PCI compliant, in the event of a breach by that business, you may be subject to audit.
- Doing your research. Whether you’re creating an online business, building the website for an online business or providing hosting services, it is important for you to research your service providers to determine whether they are PCI compliant. You can start by reading customer reviews for their business and confirming the state of the company by accessing the payment card brand registry list.
Online businesses that may be required to be PCI compliant include merchants, web developers who come in contact with credit or debit card information, hosting service providers and, of course, payment gateways. Any business involved in an online business that comes into any contact with debit or credit card information should consult a Qualified Security Assessor (QSA) and its payment card brand or acquirer.
Takeaways
- Any merchant, vendor or service provider that stores, processes or transmits credit or debit card information will be obligated, by payment card brands and acquirer banks, to be PCI compliant according to PCI DSS.
- PCI compliance is a contractual obligation, not a statutory one, but the cost of failure to comply when required can be very high.
- Professional technical assistance may be necessary to determine whether a website is required to be compliant, and if so, what is needed to achieve and maintain compliance.