E-commerce took off around 1995 with the launch of Amazon and AuctionWeb (later renamed eBay). This was also the beginning of payment gateways, payment aggregators and other payment support services.
Since then, demand for online purchases has grown continuously, creating a substantial online payment space.
These days, online stores not only use traditional payment gateways but are also equipping themselves for newer technologies: embedding payment-card credentials into a phone's SIM card, hardware device-based payment methods, contactless RFID-based payments, and chip-and-PIN smart cards, among others. There is a lot to keep abreast of in the payment processing space.
Technologies Demand Improved Security
While businesses have adapted to new technological advances, they have not always applied the same level of energy to securing those same technologies. Modern criminals recognize that an organization's desire to streamline the customer experience often dwarfs its desire to ensure that experience is secure. The result is vulnerabilities introduced into the payment flow, often unbeknownst to the business owner. That is where standards like PCI DSS can help.
About PCI DSS
In 2004, the payment card industry recognized the importance of secure payment card operations and the major card brands introduced a common global data security standard. This is the Payment Card Industry Data Security Standard, or PCI DSS, and it applies to any organization that stores, processes or transmits payment card data.
PCI DSS provides a security baseline spanning the cyber security, information security and physical security domains. Its focus is to ensure that the confidentiality and integrity of payment card data, and of the information systems that support it, are protected.
Why Online Stores Should Consider PCI DSS Compliance
Although PCI DSS is not itself a law, it is the standard for all organizations handling payment card information and is mandated contractually by the major card brands (e.g., Visa, Mastercard, American Express, Discover) through their acquiring banks.
Several countries and US states have also started to enact "PCI-like" laws to protect consumers. In 2007 Minnesota enacted the Minnesota Plastic Card Security Act, and in 2009 Nevada enacted a law requiring businesses in the state to comply with PCI DSS whenever they collect payment card information.
With that in mind, there are several benefits of PCI DSS compliance that online stores should be aware of:
1. Improved Loss Prevention Foundation:
At the core of a business's responsibilities is preventing the loss of money and company resources (e.g., customer data, proprietary information, etc.). A business, regardless of size, has a duty to reduce its potential security exposure and to minimize the effects of a compromise if one does occur. Not doing so can be costly.
For example, a compromise that exposes customers' sensitive card data can lead to significant fines from the card brands, passed on through the acquiring bank. These fines currently range from roughly $5,000 to $100,000 per month until the merchant becomes PCI DSS compliant, and can ultimately include being barred from accepting a brand's cards.
Failing to prioritize a data protection program increases the risk that the systems processing personal data will be compromised.
Some other potential business costs include the following:
- Forensic investigation costs;
- A merchant below Level 1 being reclassified as a Level 1 merchant (i.e., subject to annual onsite assessments);
- Being charged for the reissue of compromised cards;
- Loss of the ability to accept payment cards;
- Increased transaction fees;
- Removal from the payment brands' compliance listings.
Depending on how you look at your business, these avoided costs could be interpreted as a return on security investment (ROSI), but in the security world we prefer to think of them as a loss prevention strategy that is being minimized and improved.
2. Reducing Reputational Damage:
Many businesses have fallen victim to data breaches. Well-known, high-cost examples include the breaches at Canva, Target, eBay, Equifax, LinkedIn, MySpace and Yahoo.
In October 2013, security journalist Brian Krebs reported (https://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/) that the data breach at Adobe "appears to include more than 150 million username and hashed password pairs taken from Adobe." The breach also exposed customer names, IDs, passwords and payment card information.
Within a couple of years, Adobe had agreed to pay millions in legal fees and settlements over claims that it had violated the California Customer Records Act and engaged in unfair business practices.
It was a breach of customers' trust, which resulted in significant brand damage and directly affected the company's share price.
Because payment card data is deemed personal data, and most data privacy legislation requires businesses to notify the affected individuals and the regulators, a public notice had to be issued in this case.
Setting a "company-level tone" of security by default and security by design is the first step toward protecting against such breaches.
3. Avoid a High-Risk Label
Post-breach, a business is required to carry out a forensic investigation to identify the root cause, and then has to invest heavily in enhancing its security defenses. The card brands escalate the business's status to a high-risk (Level 1) entity and subject it to onsite Report on Compliance (RoC) assessments for a minimum of three years.
Regulators investigate the cause of the data breach and levy fines. As seen in the breaches at Equifax, Morrisons Supermarket and Marriott, a business may also be subjected to private litigation.
4. An Organizational Security Framework
The layered controls of PCI DSS form an integrated approach to protecting card payment channels. Fortunately, PCI DSS also aligns closely with other cybersecurity control frameworks, such as the NIST Cybersecurity Framework.
The lessons learned from applying those integrated controls carry over to the defense of the wider business environment. For small online businesses especially, PCI DSS provides a basic framework from which to build a security program.
5. Preparation for the Future
PCI DSS is continually revised in line with new technologies and threats, and its requirements are updated accordingly; by staying compliant, merchants keep their handling of sensitive data aligned with current practice. This further enhances the brand and protects the reputation of a business while reducing the risk of a breach of sensitive data or of the systems that process it.
Many historical data breaches could have been avoided by adopting a "security by default" model.
PCI DSS should be regarded as something that enhances the business, not as an annual "checkbox" audit. Handling highly sensitive customer information is a significant responsibility and should be taken seriously.
All businesses handling payment card information, regardless of size, have a compliance obligation. Not all of them meet it, but we hope this article helps highlight some of the business-specific benefits that help organizations of all sizes mature their security program.