w: www.meantime.co.uk
t: 01539 737 766

Tuesday, 9 March 2010

PCI Compliance: What? Why? Where? When? Who? And how?

Welcome to my first post of 2010. We've been busy - really busy - since the start of December and I've not had time to get my thoughts in order let alone down on the blog. However, since part of the reason we are so busy is that we are in the process of working on two large e-commerce sites, my thoughts have been concerned with the issues around selling goods on line and that topic will be the subject of the first three posts (unless anything else crops up, of course).

The first topic to discuss is PCI compliancy, not least because so few people whom I meet who are trading online, particularly in small and medium-sized companies, seem to understand its implications.

So, the logical first questions is "what is PCI compliance?"
The term refers to the Data Security Standard set by the Payment Card Industry. The details can be found here but, in précis, the standard is concerned with ensuring that customer data - particularly credit card data - is held securely. In fact, the standard is so strict that, in fact, the solution is to completely avoid holding credit card details. Fortunately, many of the better payment gateways have made this a viable option for e-commerce, if not for telesales.

A reasonable question following from this, then is why is the standard so strict? Well, whatever my minor gripes about the standard (see below), there is no question that there were an increasing amount of e-commerce sites around that were not built to any given security standard and many of these were - and still are - holding unencrypted credit card details. Of course, these same sub-optimal sites were also the ones most vulnerable to hackers. Thus, it is understandable that the payment card industry decided to set a standard.

As far as the where question is concerned, PCI applies wherever you are trading.

So, if you are processing credit cards online, a good question is "when do I have to become PCI compliant?" The answer is that you already should be. Although it appears to be relatively easy to trade online without being PCI compliant and, if you are 'caught', you will usually receive a reasonable period in which to achieve compliancy, matters become far more serious if your security is breached and credit card details are stolen. The fines are punitive and your company will then be under constant scrutiny, with expensive top level compliance required.

The who, as you will have gathered by now, is anyone trading online. The banks have written to their merchant clients telling them of the need to be compliant, so I anticipate that there can only be a relatively small percentage of online traders who are genuinely unaware of the requirements around compliancy.

The $64 question, then, is how to achieve compliancy. If you are holding credit card details and intend to carry on doing so, then there are some big hurdles to jump. Just download the certification documentation from the PCI site and you will see just how extensive the requirements are. If, however, you use one of the better payment gateways, such as SagePay, there are ways around holding credit card details, even in complex situations involving delayed charging (such as when an order is shipped in multiple parts). Not holding card details makes achieving compliance a lot easier.

It seems to me that advertising relating the standard would be a good way forward. Educating customers to stop them using sites that don't demonstrate certification would encourage e-commerce sites to adopt a proper level of security. It would also avoid naive companies - who, perhaps, have not been properly advised by their web provider - incurring large, unexpected fines when their sites are hacked.

There's little doubt in my mind that the standard is flawed and the fact that the banks appear to have followed the PCI slavishly hasn't helped. Although we, Meantime, do not trade online, we have taken the trouble to achieve PCI compliancy as a company, as well as building e-commerce sites that are compliant. This was very difficult, unnecessarily so, and, in places, the requirements were illogical. However, PCI is the standard and that is what we have had to follow. All e-commerce companies need to follow suit.

No comments:

Post a Comment