The challenges and necessity of PCI DSS compliance call for partnerships between small companies and eCommerce solution providers.
Keeping up to date with the PCI Data Security Standard (DSS) and ensuring that payment processing systems are safe and compliant could be the difference between smooth operations and a serious data breach for eCommerce merchants. Getting in line with these standards isn’t optional, and going beyond them to become even more secure is advisable. If smaller merchants find themselves struggling to set up a PCI-compliant infrastructure of their own, it may be a sign that a partnership with a third-party eCommerce fulfillment partner is in order.
The need to become PCI compliant – to avoid regulatory fines and the risk of a crippling data loss – comes from the very beginning of a company’s commercial life, as PYMNTS recently pointed out. While start-ups sometimes begin in a testing phase where they aren’t accepting money, merchants of all sizes will always need a secure portal to receive money. The relative size and age of a company is irrelevant when it comes to using PCI-compliant systems – everyone has to get in line.
There is no organization too small to be breached by attackers in search of payment information. In fact, independent organizations could be some of the most attractive targets for today’s organized cybercriminals, due to the fact that they may lack the in-depth security features sported by larger organizations. Supposing that a company is too small to be noticed and breached is a dangerous assumption for business leaders to make, and one that they should avoid from the get-go.
Lucas Morris, Senior Vice President at the security consultancy Crowe Horwath, told PYMNTS that small organizations should consider working with outside sources to get their PCI compliance and other data defense standards squared away because of the potentially disastrous price if they fail. He specified that when companies begin accepting money but don’t have a PCI-approved infrastructure in place, they run the risk of fines, as well as the reputation damage that comes from a breach. Small companies with modest resources are among the least prepared businesses to handle such issues.
Adding to the challenges when small organizations decide to manage their PCI-compliant status on their own is the way the actual requirements change over time. This isn’t shocking – technology moves quickly and the PCI DSS can’t be allowed to become obsolete.
IT Jungle pointed out one recent shift that may impact small sellers, namely those that qualify for PCI DSS Level 4, processing under 20,000 eCommerce transactions or 1 million across all channels. Now, these companies have to submit Self-Assessment Questionnaires to banks. The source noted how this is a time-consuming process.
The fact that small organizations are being called on to deal with heavier security burdens has to do with increasing threats from hackers. IT Jungle added that as of February 2017, small organizations processing transactions also have to obey stringent rules on working with point-of-sale applications and terminal vendors that have their own certification. Around the small company sector, there is a push for adherence to more and stricter rules, reflecting the challenges of modern security.
IT Jungle gave another important warning – a Level 4 merchant is any business processing credit cards. Firms that don’t think of themselves as retailers can’t overlook their own responsibility to keep their consumers’ data safe and work within protected and compliant transaction environments.
Using a third-party eCommerce platform provides one possible way around the compliance conundrum – if companies team up with larger partners, ones that have compliant payment systems in place, they gain access to powerful defenses that might be unfeasibly expensive to implement themselves. Bigger providers of eCommerce services, ones that have achieved PCI Level 1 compliance, are held to extremely stringent standards by the rules body. This reflects the level of trust that partners can put in these networks.
Level 1 compliance, which applies to companies processing over 6 million credit transactions annually, calls for network scans, as well as on-site internal reviews every year. Working with organizations that commit to not only achieving these highest levels of protection but staying current on them as they change and evolve can represent major security benefits for merchants entering or expanding within the eCommerce space. Compliance isn’t optional, so firms should look for the most effective ways to achieve it.