Let’s say you opened up a store in your town. You did everything you could to make sure it was a success, from beautiful, quality merchandise to smart, targeted marketing. On your first day, the store is filled with customers, products are flying off the shelves, and the cash register is going non-stop. One customer even stops to tell you how excited she is to recommend your store to her friends. Your future looks bright!
Then, at the end of a successful day, you leave the doors wide open and head home.
A ridiculous thing to do, right? Someone is bound to loot your store, steal your cash register, and who knows what else. Why would you put all of your hard work at risk by leaving the doors open?
The truth is, many online businesses are leaving their virtual doors open every single day by failing to meet PCI (Payment Card Industry) Data Security Standards. These are the basic requirements that every business is required to meet in order to protect their patrons’ credit card data from being stolen. And it’s been estimated that 67% of businesses are not in compliance.
PCI compliance is one of those “elephant in the room” issues that’s rarely talked about. So let’s talk about it!
Becoming PCI compliant is one of the most important things you can do to ensure that your customers are safe and your business is secure. And for good reason.
Let’s look at one of the biggest recent data breaches: Target. Up to 70 million customers’ credit and debit card information was affected by this breach in 2013. How did it happen? Hackers gained access to the system using credentials stolen from a heating and air conditioning vendor that was contracted by the retailer. It’s proof positive that you can never be too careful. Security gaps can happen anywhere – even with an HVAC contractor – and result in disaster.
It’s a disaster that costs big bucks: in Target’s case, to the tune of $520 million. That’s a 46% dip in their quarterly profits! If you face a similar security breach, your losses may not be in the millions, but losing your customers’ trust can mean the end of your relationship. Plus, companies can be audited by the government and fined if you’re found to be at fault.
Even so, people have plenty of reasons to avoid becoming PCI compliant. The most common reason seems to be plain old ignorance. Many entrepreneurial folks who start their own business online have never even heard of this before. If this is the first you’re hearing about it, now you know. Take action!
Another reason people avoid PCI: confusion. Businesses that have heard of it and know that they need to follow some regulations often don’t understand exactly what they’re supposed to do, so they do nothing. It’s a complex set of rules if you’ve never had to deal with them before, but fortunately, it’s far easier to comply than you may think.
The third reason people don’t become compliant: costs. More accurately, perceived costs. For a business that already has a functional payment process, changing that process seems like an expensive endeavor. Depending on your systems, it might be. And it’s hard to convince yourself to spend money on something that doesn’t directly affect your sales, isn’t it? But for most online businesses, it’s more cost effective to update your process than it is to start from scratch after a security breach.
You may assume you’re safe because you’ve had someone else set up your payment systems. It’s easy to put your trust in a developer or IT consultant, but it’s up to you to make sure that the requirements are being met. There are hundreds of ways for your customers’ credit card information to get lost or stolen. (Just remember Target’s HVAC contractor!) If that happens to you, it’s not going to hurt your developer or IT consultant – it’s going to hurt your business.
Are you ready to get compliant? Here’s what you need to do.
1. Bookmark the PCI website
The PCI Security Standards Council (SSC) has a comprehensive website full of everything you need to know about Data Security Standards. Browse the site before you do anything else so you have a baseline understanding. Then, check back frequently so you’re up to date on changing standards.
2. Get to know the requirements
There are twelve basic PCI requirements in six categories. They are:
Build and maintain a secure network and systems (Make sure your server is PCI compliant. Some are – like Amazon EC2. Some aren’t – like Digital Ocean.)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks (We recommend Comodo for testing, which is fairly cheap and recommended by PCI-DSS. Never use a random free service, as it may just be a ruse by hackers to get access to your system.)
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain and information security policy
12. Maintain a policy that addresses information security for all personnel
3. Audit your process
Does your current system meet the basic requirements listed above? Do you see any red flags, like:
- A shopping cart system that’s more than a few years old
- Credit card data saved to a server, your memory, or anywhere in the bowels of your computer
- Credit card data posted to your WordPress site so you can send it to another system like Infusionsoft
- A log file that’s logging all of your http transactions
- The possibility of malware already on your computer (or malware on the computers of any of your staff)
- Someone set up your payment system and you don’t know if it’s compliant
4. Update your process
If you’ve followed the steps above and found that your current system isn’t compliant, there are a few options available to you. The easiest, most effective methods are:
Call the support line for your current system or your go-to IT consultant and have a chat with them about PCI. Do they have any solutions available to help you become compliant?
We love that these two don’t require your customers to go to a third party site to pay, giving them a much smoother checkout experience while providing maximum data security. They do this by funneling credit card information directly from the customer to their processors, reducing the amount of people and computers who need to be involved in the transaction. The fewer touchpoints involved, the safer your data is.
If you prefer, you can use an external shopping cart site like PayPal or Infusionsoft. Although these meet PCI standards, the customer experience isn’t quite as good because they’ll have to leave your website in order to check out.
If you aren’t sure what will work best for you, take some time to review all of the vendors listed above. They each have slightly different benefits and drawbacks, so research which one is right for your business needs. If you’re still unsure, consult an expert who specializes in PCI and can discuss with you in detail.
5. Never stop learning
There’s an arms race between those who want to protect customers’ data and those who want to steal it. Because of this, technology and standards change and grow constantly. It’s your responsibility to stay informed and make sure you’re doing everything you can to keep your customers’ information as secure as possible.
Keep checking the PCI website, read articles, and tweak your process as needed. You may even want to set up a recurring news alert about PCI compliance to ensure you don’t miss the latest. On this issue, you can’t be too informed – and your customers will thank you for it.
Upgrading your system to become PCI compliant is one of the smartest things you can do for your business. You’ll have a checkout process that’s easier for you to manage, as credit card information bypasses you and goes directly from your customer to your payment vendor. It will give your customers a seamless experience as they purchase your product, making them more likely to purchase again in the future. And with their data safe and secure, you’ll avoid the scary possibility of stolen credit cards, angry customers and lost loyalty.
At the end of the day, only you can make sure your shop doors are securely locked instead of wide open. Don’t take the risk – protect your investment. You’ll be glad you did!
This is a new issue for a lot of people, and first-timers in the realm of PCI usually have a lot of questions. What questions can we help you with? Post them in the comments below.