PCI Data Security Standard (PCI DSS)
Internet based credit card fraud has been on the rise for years. We’ve all heard horror stories about someone having their credit card information stolen and misused to buy things on the internet. Generally speaking, it is the credit card companies who absorb most of the fraudulent charges and that has added up – a lot! So the credit card companies got together and developed a standard for credit card security. It is known as PCI DSS (Payment Card Industry Data Security Standard) and if you do business on the internet, you need to know what it is about. The standards are available online at https://www.pcisecuritystandards.org. There is a lot of information to digest, but it can be summarized as follows: if you store credit card data on your site, you must take extreme measures to protect that data.
These measures are usually too expensive or cumbersome to implement for most website owners. So unless you are a huge corporation with a massive IT budget, the solution is to not store credit card data on your site. Most e-commerce sites can achieve this by having a site visitor fill out the payment form on site and submitting the data via an encrypted connection (SSL) to a Payment Gateway that is PCI compliant. This avoids all the rigors of credit card data storage because you are not storing the data on your site. Once the transaction is complete, there is no trace of the users credit card data on your site.
However, you’re not quite off the hook. Your site must be secure enough to keep hackers out since a hacker could get on your site and modify how and where credit card data is sent. A good hacker could modify your payment form to send the data directly to them. There are services that will analyze your site for security flaws and it is money well spent. Penalties for non-compliance in the case of a security breach can be steep. Plus it’s bad for your business reputation.
To completely wash your hands of the PCI DSS concerns, you can use a hosted payment service. In this scenario, a site visitor browses your site and when they are ready to make a purchase, they are taken to the hosted payment site where they enter their credit card data and complete the purchase. When the transaction is complete, they are returned to your site, usually to a “Thank You” page or the like. The down side to this approach is that it tends to cost more and often the hosted pages don’t fit well with your website’s look and feel. Paypal is great example of this – you know when you are on a Paypal payment page.
Still, as consumers learn about these security issues, they may come to appreciate being on a secure site when submitting their payment information. Whatever your situation, the one thing you can’t do is ignore the PCI Standards. It’s bad for business and could cost you thousands of dollars if your site is breached.