PCI for dummies

A simple explanation of a complex solution.

Johannesburg, 25 Feb 2009
Read time 3min 10sec

Whether you are a retailer, e-commerce player or any type of merchant, you most likely are accepting credit and debit cards as a means of payment.

PCI DSS (Payment Card Industry Data Security Standard) was created by the PCI Security Standards Council, which represents MasterCard, Visa, JCB International, American Express and Discover. PCI applies to all merchants and is intended to ensure the security of stored and processed card data within all environments.

Card data can be like cash: if you can get your hands on it, you can spend it. PCI DSS helps to protect this data, thus reducing risk exposure and access to card data. Being PCI-compliant does not guarantee data security or absolute prevention of hackers gaining access to this data; rather, it provides an approach, tailored to a merchant's business model and requirements, that helps protect the cardholder/consumer.

Another common misconception is the belief that a merchant is PCI-compliant through its own best-practice methods and database encryption. Non-compliance with PCI can have large financial implications for merchants, with fines ranging from US$5 000 to US$500 000 based on the level of non-compliance. The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.

Outside of the PCI checklist, the card associations have established Qualified Security Assessors (QSAs) to aid in the assessment of merchants. Further to this, Approved Scanning Vendors (ASVs) have been established to identify vulnerabilities and misconfigurations within the merchant's payment process.

What is it going to cost me?

Along with rules come regulations, and with regulations comes adherence to an extensive range of audits, procedures and costs that merchants don't want to hear about.

It is estimated that two billion dollars have been spent to date on PCI compliance. Stop. Take a breath. There is good news coming. Most of the PCI costs incurred result from Level 1 through Level 3 requirements, which do not necessarily apply to all merchants.

In fact, most merchants will fall into the Level 4 category, which only requires them to complete an annual PCI self-assessment. Merchants in the Level 4 category can avoid quarterly network scans if they have chosen a third-party payment processor to process and store card details, which excludes them from the most onerous part of the compliance process. Think about it: why manage the PCI process, incur the cost and create the exposure in an area of your business where it is not required and which does not lie in your core competencies?

Third-party payment processors can process and store card transactions for online payments, recurring billing, mail order/telephone order payments, EFT-integrated point of sale and standalone devices, without taking away core functionality from the merchant. In all of these payment methods, card details can be replaced on the merchant system with unique reference numbers (tokens), allowing merchants to retain control over transaction management without storing any card details.
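The following is an added illustration of the reference-number (tokenization) model described above; it is not MyGate's code or API. The processor vault is a constructed stand-in for a third-party processor (a real one exposes this over an API and typically captures the card number on its own hosted page). The card number used is the widely used test value 4111 1111 1111 1111, and the scope check at the end is the kind of scan a merchant can run over its own stored records to confirm that no card numbers have crept in.

```python
"""Tokenization demo: the merchant keeps only an opaque reference, never the PAN.
Added example with a constructed, in-memory processor vault (assumption: a real
processor would sit behind an HTTPS API instead of a Python class)."""
import re
import secrets
from dataclasses import dataclass, field


def luhn_ok(number: str) -> bool:
    """Mod-10 checksum that every real card number (PAN) satisfies, 13-19 digits."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Constructed stand-in for the processor side: the only place a PAN is stored."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self.ledger: list[tuple[str, str, int]] = []   # (action, token, amount in cents)

    def tokenize(self, pan: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        while True:
            token = "tok_" + secrets.token_hex(16)
            # Never let a token contain a PAN-length digit run, so a card-number
            # scanner on the merchant side cannot mistake a token for a PAN.
            if not re.search(r"\d{13,}", token):
                break
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}   # last4 is all the merchant sees

    def charge(self, token: str, cents: int) -> None:
        self._record("charge", token, cents)

    def refund(self, token: str, cents: int) -> None:
        self._record("refund", token, cents)

    def _record(self, action: str, token: str, cents: int) -> None:
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        self.ledger.append((action, token, cents))


@dataclass
class MerchantOrders:
    """Merchant side: stores the token, last4 and amount, never the card number."""
    processor: ProcessorVault
    orders: dict[str, dict] = field(default_factory=dict)

    def sell(self, order_id: str, pan_from_customer: str, cents: int) -> str:
        # The PAN is handed straight to the processor and not written anywhere here.
        ref = self.processor.tokenize(pan_from_customer)
        self.processor.charge(ref["token"], cents)
        self.orders[order_id] = {"token": ref["token"], "last4": ref["last4"], "cents": cents}
        return ref["token"]

    def refund(self, order_id: str, cents: int) -> str:
        order = self.orders[order_id]
        self.processor.refund(order["token"], cents)   # refund by reference; PAN not needed
        return order["token"]


def find_pans(records) -> list[str]:
    """Scope check: return every Luhn-valid, PAN-length digit run found in stored data."""
    found = []
    for rec in records:
        for value in rec.values():
            for run in re.findall(r"\d{13,19}", str(value)):
                if luhn_ok(run):
                    found.append(run)
    return found


if __name__ == "__main__":
    vault = ProcessorVault()
    shop = MerchantOrders(vault)
    token = shop.sell("order-1", "4111111111111111", 5000)   # constructed test PAN
    shop.refund("order-1", 2000)
    print("stored for order-1:", shop.orders["order-1"])
    print("PANs found in merchant store:", find_pans(shop.orders.values()))
```

Because the merchant database holds only tokens, authorisation, refund and charge-back operations are still driven from the merchant side by reference, while the card number itself never enters the merchant's systems, which is what takes the quarterly scanning burden off a Level 4 merchant.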

MyGate's payment platform enables merchants to easily integrate into a payment solution that can be built around their specific requirements, without the merchant getting involved with card detail. It is crucial for merchants to retain real-time access to all components of the transaction process, including authorisation, settlement, reverse authorisation, manual authorisation codes, refunds and charge-back management.

Contact MyGate on 021 555-3260 if you are unsure whether your merchant solution is compliant.
