In 2006, five of the large payment brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa – joined forces to form the Payment Card Industry Security Standards Council.
The Council is responsible for protecting personal information and ensuring that adequate security is in place when transactions are processed using a payment card. It doesn’t matter whether you’re the biggest multi-national or the smallest online shop: you must now comply with the PCI Data Security Standard (DSS).
If you have an online shop, how are you processing payment card details? If, during the checkout process, your customer is sent to a third-party payment gateway site such as PayPal or WorldPay to enter their card details, then they return to your site to complete their purchase, some of the PCI DSS will not affect you.
Some payment gateways, such as PayPal and SagePay, have a facility which allows you to embed their payment forms directly into your web page. So long as they are hosting the payment form and you are merely “sucking” it into your page, again many of the requirements will not be relevant to you.
If your shop takes payment card details directly on your own web page and then passes those details to a third party for processing, sit up and pay attention. There is a whole host of requirements that your site and hosting package must adhere to, otherwise you could find yourself in hot water if you get a PCI DSS check by your bank.
If you capture card details then process them through the hand-held credit card terminal in your shop as a “cardholder not present” transaction, stand in the corner and hang your head in shame, as this practice is most definitely not acceptable.
It is not only online transactions that you need to be mindful of. Do you take telephone or mail orders? The likes of PayPal and SagePay can provide online payment terminals that allow you to process card details in the correct way, but what do you do with the card details once the transaction has been completed? Do you file them away with the order details, just in case you need them again?
Whoops – alarm bells again! You must have a system in place that effectively destroys the card details so that they cannot be used again.
Why all this fuss, you may ask? Well, if you handle card details in any way, shape or form, you are dealing with data that is extremely attractive to thieves. If they get their grubby little hands on card details and it was your fault, you run the risk of fines, penalties and possibly even being banned from accepting card payments again.
There are many aspects to PCI DSS compliance – far too many to cover here. There’s a very handy free guide that I can send you that explains PCI DSS in more detail, how it affects you, and what you need to do to conform. Just go to www.web-workshop.net/pciguide to get hold of your copy.
Andrew McEwan of The Web Workshop in Morebattle (www.thewebworkshop.net) designs websites, builds brands, produces videos, and markets businesses in the Borders and beyond.