
FastSpring Blog

The source for best practices in e-commerce, knowledge to increase sales, and FastSpring updates.

The Hidden Challenges of Proper PCI Compliance

Posted by Jay Hall on Sep 8, 2017 1:36:00 PM


Crime. That’s the main reason the PCI - payment card industry - standards exist. Thieves target credit cards, and as a result every business that accepts, transmits, or stores cardholder data must conform to the PCI Data Security Standard (PCI DSS).

The basic requirements are fairly easy to understand, but maintaining full compliance is harder than it looks. And if you don’t get it right, your company faces fines, termination of your ability to accept cards, lost sales, legal costs, and an uncertain future in e-commerce.

Here are some things to keep in mind.


Merchant Levels

PCI compliance involves being assigned a merchant level, which is based on annual transaction volume and is set by your acquiring bank. Each level carries different validation requirements: a Level 1 merchant must have an on-site assessment by a Qualified Security Assessor (QSA), while lower levels can generally complete a Self-Assessment Questionnaire (SAQ). Visa’s merchant levels range from Level 1 - more than 6 million transactions per year - to Level 4 - fewer than 20,000 e-commerce transactions per year.

The tricky part is that your company can be escalated to a higher level for reasons other than volume. The primary reason for escalation is a breach that resulted in an account data compromise; the card brands can designate any compromised merchant as Level 1 at their discretion. So if you experience a data breach, get ready. You’ll soon face much stricter validation requirements, even if you always do fewer than 20,000 transactions a year.

Multiple E-Commerce Sites

What if you run more than one site, or more than one e-commerce company? Business owners often wonder whether their PCI level is determined per site, per service, per company, or by all of their businesses as a group. Don’t assume that each site falls under the lowest level of validation just because you operate them separately.

Volume is aggregated under the merchant entity - in practice, the taxpayer ID your acquirer has on file. So if everything sits under the umbrella of one company taxpayer ID, your PCI level will be based on the combined card volume of all of your operations, not on any single site.

Compliance is a Moving Target

Another challenge is the ever-changing nature of validation. Just because your company was in full compliance last year, or last month, or even yesterday, doesn’t mean it is at this moment. Compliance is an ongoing process.

This was illustrated in the case of Heartland Payment Systems (HPS), which gained worldwide notoriety for a 2008 data breach. HPS had been assessed and validated as PCI compliant by an outside assessor. Unbeknownst to HPS or the assessor, attackers had planted malware on its corporate network that eventually made the leap to its payment processing network, where it captured card data in transit. A validation report is a snapshot of a point in time; it says nothing about what happens on the network the next day.

HPS was removed from Visa’s and Mastercard’s lists of validated service providers, saw its stock fall roughly 78%, and lost about 5,000 merchants. Its total losses ran to well over $100 million, with estimates as high as $170 million.

In the end, HPS worked with the card brands and its assessor to tighten its security processes and revalidate its compliance. The company also developed an incident response plan built around PCI requirements. And some good news: Albert Gonzalez, leader of the group responsible for the breach, received a 20-year sentence, at the time the longest ever handed down in the U.S. for cybercrime.

No Third-Party Guarantees

As the example above illustrates, no third-party vendor can guarantee that you meet PCI compliance; an assessor can only validate the state of your environment on the day of the assessment. Nor can you shift blame to a third-party payment processor. Using a processor or hosted checkout can shrink your scope and the questionnaire you have to fill out, but your company remains responsible for the requirements that still apply to it.


Failure is forever

Unfortunately, falling into noncompliance can follow your business for a long time. Not only can the card brands levy fines of $5,000 to $100,000 a month - assessed against your acquiring bank and passed on to you - until the issue is resolved, your acquirer may also move you into a higher-risk category with higher processing rates. The fines are a penalty, and the higher rates compensate the bank and card issuers for the added risk of doing business with you.

Failing PCI compliance - particularly if it leads to termination of card processing - can also affect your company’s credit rating, banking relationships, and loan eligibility. And after a compromise, you bear the cost of the mandatory forensic investigation by a PCI Forensic Investigator (PFI) that the card brands require.

It also affects your reputation in the industry and your customers’ long-term view of the company. Avoid PCI noncompliance by following payment best practices in e-commerce: keep cardholder data out of your own systems wherever you can, so that as little of your environment as possible is in scope. A full-stack ecommerce solution that handles checkout for you is one way to stay compliant.

