1st December 2012 was the deadline set by Streamline, the UK and Europe’s largest card processor, for small and micro businesses to ensure they are Payment Card Industry Standard (PCI DSS) compliant.
PCI DSS is a set of mandatory card security protocols, created by a coalition of the major credit card companies, including Visa, MasterCard and Amex. Whilst compliance is not a legal obligation, online traders wishing to handle credit or debit card details are required to achieve PCI DSS compliance as part of their merchant agreement with card vendors and processors.
Andrew Ogilvie, Managing Director of Xtraordinary Hosting, says: “Non-compliance may be met with fines, losses arising from fraud or negligence and ultimately a termination of the merchant agreement and the loss of customer confidence. There is also an increased risk from cybercrime attacks, which fundamentally PCI DSS compliance is designed to prevent. According to Verizon’s 2012 Data Breach Investigations Report, 95% of breaches happen to retailers with less than 100 employees.”
Retailers may have got used to handling and storing card data for a variety of purposes. Providing a simple ‘one-click’
PCI Compliance prohibits companies from recording and storing the Card Verification Value (CVV2), three-digit number, on the reverse of cards. If there is a security breach and retailers are found to be holding this data they leave themselves open to claims from card companies.
Andrew Ogilvie explains, “By doing any or all of these things many merchants, particularly small, medium and micro businesses, may not realise they are in breach of PCI Compliance.”
Companies must sign up to regular vulnerability checks of their online security by an approved third party vendor. However, there are another 200 additional sub-requirements to meet in order to pass compliance.
All of these conditions may require considerable investment in time and money by merchants.
Andrew Ogilvie says: “Retailers should ask themselves what sort of data they need to process and what, if any, they need to retain. If there is no legitimate reason to store card data then avoid it. It is worth ring-fencing systems that process transactions, which means not every part of a retailer’s IT setup has to be compliant as it won’t come into contact with card data. Retailers should also review which personnel come into contact with card and transaction data within their organisations. It should always be on an ‘only if essential’ basis, and all access to the data recorded.
“Perhaps the best advice of all for small retailers is not to have anything to do with processing card transactions at all. A third party payment gateway like Sagepay, Datacash, Worldpay or Barclay’s ePDQ can deal with transactions. This may add to the expense of doing business online, but it also gives greater peace of mind. Retailers can concentrate on selling products on their website, and spend less time worrying about managing data.”
While PCI Compliance may create a headache for many small firms, it is all about keeping customer data secure and minimising criminal threats to their business. However, PCI DSS compliance is not a cure-all and companies must remain vigilant against ever-changing cyber threats to their business.
Andrew Ogilvie adds: “It is very important when choosing a hosting provider that they fully understand PCI compliance, and can provide advice on security, system design, encryption, firewalling, patching, scanning and logging which are all required to stay compliant.”
Notes to Editors
Xtraordinary Hosting www.xtrahost.co.uk
Successful dotcom entrepreneur Andrew Ogilvie founded Xtraordinary Hosting in 2001. It is a cloud hosting company, operating out of data centres in London and Edinburgh, which employs highly qualified, on-site technical teams, providing 24/7 support on critical issues.
The company offers a wide-ranging of IT services including secure Private and Public Cloud Hosting, Dedicated Servers, Managed Servers, Complex Managed Hosting and Application Hosting, which includes Magento eCommerce and Atlassian.
Xtraordinary operates in the City of London from the Interxion data centre, which it shares with over 200 financial services institutions, more than 15 liquidity venues and the major market data vendors.