A cautionary tale to online retailers
It came to our attention that banks are more frequently putting pressure on SME merchants with ecommerce websites to become PCI compliant.
In fact, several banks have “threatened” merchants with additional charges for failure to comply with the PCI DSS standards.
What shocked us the most is that these banks are referring customers to a paid-for “security” scanning service for the website in order to identify “threats” and “risks”, even when, in some instances, there is no need for PCI DSS scanning of their website at all!
A case study to demonstrate this issue will help here:
– Merchant has an ecommerce website and uses a payment service provider (e.g. SagePay, WorldPay, PayPal) to process online card transactions.
– Merchant’s bank gets in touch to “warn” them of pending charges should they not be able to prove PCI compliance on their ecommerce website.
– Merchant’s bank recommends a third-party, paid-for security scanning service provider to scan the website so that PCI compliance can be achieved.
– Merchant pays for the security scan and then spends time trying to sort through results and reports to try and comply.
The primary problem with this scenario is that the merchant is using a PSP (Payment Service Provider) to handle all credit card transactions and details. This means that the merchant only has to ensure that the PSP used is PCI compliant; i.e. the merchant’s website itself does not need to be PCI compliant, as it does not handle card details.
(Note: virtual terminal transactions still require regular internet connection scans.)
The instruction from the bank and the security scanning company both failed to take this into account. This costs the merchant time, worry and, most importantly, money, and ties them into a 10 monthly contract for a security scanning company’s service that is not required.
Now, teclan take online security very seriously. Implementing the correct procedures to ensure maximum data security for card details is paramount; however, knowing which procedures and processes are actually required is the main hurdle for merchants.
NOTE: All of teclan’s ecommerce hosting platforms adhere to the most current PCI compliance requirements; however, individual merchants may also have to look at their own internal PCs and network infrastructure – see below:
A quick PCI compliance sense check:
– … process card details yourself, in your place of work, on your local system/network?
If yes then you need to ensure that your local systems are compliant – check here for simple steps to do this.
– … only use an online Payment Service Provider to handle all credit card transactions?
If yes then it is your responsibility to ensure that this PSP is PCI compliant. If they are, then you’re compliant! (View the list of compliant PSPs here.)
– … process card details internally AND online?
If yes then you need to follow the steps for both of the above.
The above checks are a simplified ready-reckoner for merchants to guide them through the PCI Compliance issues.
Credit card data security is vital. Having the most reliable, secure and updated hosting platform for your website is vital.
Knowing exactly what your responsibilities are for PCI compliance is vital, i.e. make sure you do not get pressurised into a paid-for service that you may not actually need!