Easing Payment Card Industry compliance
Patrick Juan, Director of Solutions Consultants with Ingenico Enterprise Retail, offers his practical guidance on payments security best practice and navigating the payment card regulations.
Setting up a business can be a complex task, and knowing where to start when it comes to complying with the many rules and regulations that governments and industries impose may seem daunting at first. If you are a merchant or use a payment system, you will need to become familiar with the Payment Card Industry Security Standards Council (PCI SSC) and the standards it requires merchants to uphold.
What is the payment card industry (PCI), and what standards do I need to be aware of?
The Payment Card Industry Security Standards Council (PCI SSC) defines a security compliance framework that merchants must conform to in order to take card payments safely and securely in their physical and digital stores. The level of compliance required of a merchant depends on the total value of card transactions they process.
Additionally, as a merchant, you must manage your payment assets adequately, ensuring that you do not handle sensitive cardholder data such as the card number or CV2 number yourself. To achieve this, you should employ a PCI Point-to-Point Encryption (P2PE) solution.
P2PE means that the card data is encrypted at source on the PIN pad and stays encrypted until it reaches a PCI Data Security Standard (DSS) environment, usually a PCI DSS compliant gateway. Using a compliant PCI P2PE solution significantly reduces your PCI compliance burden.
What are the benefits of PCI?
PCI compliance is part and parcel of a seamless, secure and reliable payments system, which is essential for all merchants and their businesses. After all, good security gives consumers peace of mind when going through the online checkout, and a seamless transaction process optimises their user experience too.
What do businesses need to do to ensure PCI compliance?
PCI standards evolve every three years and compliance must be maintained and reported on annually, so it’s important for you to stay informed of the latest requirements and how your business meets them.
If you are a larger merchant, you should work alongside Qualified Security Assessors (QSAs). These are specialist consultants who will ensure you uphold the 290 requirements defined by the PCI Council.
To meet these conditions, you may have to put in place additional security measures such as network scans, penetration tests and staff training, while ensuring your payment devices are also managed properly.
How do I avoid PCI non-compliance?
While non-compliance with these industry standards can result in fines and additional charges when processing card payments, these are easily avoided by understanding PCI a little better or by partnering with an expert who can take the task off your hands.
How can a payment gateway and Qualified Security Assessor simplify the PCI compliance task?
In-store and online payment gateways that uphold the highest level of security reduce the burden of meeting the PCI Council requirements. Gateway providers usually require you to complete a simple self-assessment questionnaire under the direction of a QSA. They give you peace of mind that your business is compliant without you having to spend time yourself going through each requirement.
Where can I find out more information about PCI compliance?
You can find more information about PCI compliance on the official PCI Security Standards Council website.
Patrick Juan is the Director of Solutions Consultants with Ingenico Enterprise Retail. He has worked in the payments industry for over 20 years, and for Ingenico as the Executive Solutions Lead across multi-country and multi-channel opportunities. Bringing his in-depth knowledge and experience with payment terminals, EMV and contactless payment methods, he has delivered solutions to retailers throughout the UK, Ireland and the Nordics, and is currently focusing on supporting all Ingenico Enterprise Retail global and strategic accounts.