The most common question we at Cart32 receive about PCI compliance is “What is PCI Compliance, and how do I achieve it?” The Internet is chock-full of articles about the details of PCI Compliance and it’s requirements. I’d like to take just a minute and describe to you, a merchant, what PCI Compliance means.
Payment Card Industry Data Security Standards (PCI-DSS) Compliance is simply a formal set of rules and regulations for the self-governing of security related to credit cards and online transactions. These rules and regulations are created by an independent council in an effort to limit fraud, identity theft, and costs of business due to losses as well as protect customers. If the Payment Card Industry was not self-regulating it would fall under State, or more likely, Federal regulation much like HIPAA. The power to make or influence policies and regulations would fall further from the card brands (Visa, Mastercard, etc). This could lead to delays in updating security measures due to the gap between policy makers and those of us in the industry.
So now you understand why PCI exists on a more brass-tacks level. As a merchant, you have responsibilities to protect cardholder data for the aforementioned reasons. Failure to comply with the requirements means you are at risk of being fined for any loss of data. Before I go any further I want to make this very clear:
PCI Compliance deals only with the systems/devices which transmit, store, or process CARDHOLDER DATA.
The key, as a merchant, is to limit your exposure to Credit Card data. Think about it: if you’re doing online sales with an online credit card processor, why would you need to access credit card data at all? Most merchants do not need to ever see their customers’ cardholder data. As you add more access to Cardholder data (viewing orders, downloading databases, etc) you bring additional liability to yourself and your organization.
Businesses such as Cart32 exist to make being a PCI Compliant merchant easier. Our Cart checkout software and our Merchant services gateway are all PCI Compliant. We handle 99% of the PCI Compliance issues you’d normally face as a merchant by hosting the Cart32 and Gateway applications on our own servers. Cardholder data is transmitted to us, processed by our systems, and stored (if necessary) in our databases.
As a merchant using the services of a PCI Compliant cart and gateway provider your requirements are drastically reduced. You will need to fill out a self-assessment questionnaire. Depending on your merchant level (Google search: Visa Merchant Levels) you may need to have your website scanned by an Approved Scan Vendor (ASV). The reason behind this is that if your site is compromised the cardholder data could be redirected to an attacker.
Fear not! Yet again Cart32 has seen a need and taken strides to assist. Even our web hosting servers have been configured in such a way as to help your site remain safe from attacks. You’ll still need your questionnaire and (if required) ASV scans, but our additional security on the servers means you have even less chance of ever being compromised and facing fines!
Cart32 wants your business to succeed, period! We tailor our services to your needs, and we hope you choose us for your Cart and Merchant services needs. If you opt not to use our services, be sure to protect yourself by only doing business with Cart and Merchant service providers that are PCI Compliant.