PCI Compliance Best Practices: 3 Areas to Focus On
With the PCI DSS 3.0 release only 6 months away, compliance should be on every merchant’s mind. Nevertheless, these regulations often come as an afterthought, especially for Level 3 and Level 4 businesses. As the number of online shoppers continues to grow, there are more and more opportunities for cybercriminals to strike. Increased vigilance on the merchant’s side will be an integral part of keeping customer financial information out of the wrong hands.
Is PCI compliance the end-all and be-all of safe eCommerce transactions? No, but ensuring that your business follows all regulations can make a huge impact – not to mention that the consequences of not complying are so much worse. Today, it is crucial that merchants take compliance seriously to combat new and emerging risks such as those introduced by third-party processors and alternative payments. Additionally, merchants need to be better prepared to tackle the ever-growing list of website vulnerabilities in order to continue to keep customers safe.
So, in anticipation of the 3.0 release, we discuss three key areas that are addressed by the PCI DSS and why they are necessary for keeping your business safe and secure.
1. Managing Mobile Commerce
Encompassing payments like NFC (Near Field Communication), mobile shopping apps, eWallets, or mobile POS systems, mobile payments present security and compliance issues for merchants and consumers alike. Serious barriers to entry persist around dispute resolution, data security, and privacy, and many shoppers report security as a top concern when completing a transaction via a mobile device.
To combat these worries, the PCI Security Standards Council published a fact sheet in February 2013 with specific steps merchants can take to ensure the security of mobile transactions. Following these guidelines will help merchants implement better mobile payment systems and help customers shop more safely. In tandem with a trusted security provider, this is the best way to embrace mobile payments without sacrificing safety or putting your business's reputation on the line.
Remember: it doesn’t matter where the financial information was compromised. If it can be traced back to the merchant, they will shoulder the majority of the blame regardless.
2. Payment Processing Pitfalls
Payment processing may seem like a daunting task for some merchants, but there are a number of alternatives to help remove some of this burden. Nevertheless, nothing will completely remove a merchant’s PCI DSS responsibilities. Any merchant who accepts payments inherently accepts all liabilities, and therefore must follow industry standards.
If a third party provides payment processing services or comes into contact with cardholder data at any time, that third party must also ensure that they comply with all relevant PCI requirements. And even if your business has taken the proper steps, you must still make sure that any vendor you work with is compliant as well. Even touch-free transactions completed through PayPal or other eWallets are still subject to data collection legislation and requirements. As a merchant, it is important to request proof of certification from any third party in the form of an Attestation of Compliance (AOC) that ensures those services have been assessed and are PCI compliant.
3. Addressing Security Risks
PCI compliance can help avoid some of the most common eCommerce security vulnerabilities. Many security risks merchants face are not new, and it is often the easy-to-fix vulnerabilities, preventable through PCI compliance, that cause the majority of issues.
Most importantly, meeting the quarterly vulnerability scanning requirement will help root out weaknesses before they land your business in the hot seat (or the headlines). Approved Scanning Vendors (ASVs) are security providers that have been validated by the PCI Council to perform vulnerability scans for merchants and other service providers. Currently, there are over 130 ASVs, including McAfee.
By performing these frequent website checks, you can avoid falling victim to issues like:
- Cross-Site Scripting
- Unencrypted Sensitive Forms
- SSL/TLS Protocol Initialization-Info Disclosure Vulnerabilities
- Improper Error Handling
- SSL Self-Signed Certificates
For merchants, PCI compliance must go beyond completing SAQs and checking boxes. If you operate an online business that accepts credit or debit card payments, keeping up with these requirements could mean the difference between success and failure. New vulnerabilities are being discovered all of the time, but by following the PCI DSS, merchants can continue to keep business and customer data safe. The key is to establish efficient, ongoing compliance processes that ideally become part of your business practices in the long run.