Retailers must protect customers’ card data from hackers who try to snatch payment details, and following best practices to ensure security requires adhering to the regulations established by the PCI SSC, a global payments industry forum. The panel’s standards apply to all entities that accept credit or debit card payments and are intended to ensure that these organizations are working to reduce their risks of security breaches and to minimize the damage of attacks that slip through their defenses.
Sellers that fail to abide by these requirements could see fees or be disqualified from accepting card payments altogether, meaning following PCI standards is critical for businesses’ health as well as customers’ safety. Maintaining compliance can be tricky for merchants, however, as they may struggle to comprehend all aspects of these rules or find cost-effective ways to adhere to them.
This month’s Deep Dive examines the challenges sellers face in becoming — and staying — PCI compliant as well as how payment orchestration platforms can simplify this task.
Customers’ data is transmitted to various parties when their cards are used at checkout, and many hackers seek to compromise these communication flows to steal details. Transaction information is sent to acquiring and issuing financial institutions (FIs) so consumers’ card data can be verified and their purchases can be approved, with the funds then being transmitted to merchants. Hackers often try to intercept the data as it travels between entities, attempting to breach retailers’ or their payment providers’ systems to obtain stored cardholder details. PCI DSS is intended to help combat this by instructing merchants on safeguarding the transactional steps in which they are involved.
PCI conducts regular security scans to ensure that merchants are keeping up with the standard, and it also requires retailers to submit reports about their compliance efforts. The reports can contain details about merchants’ network segmentation approaches, the hardware and software they utilize when handling cardholder information, the third-party payment app providers with which they engage and more. The regulations can be numerous, however, with PCI DSS including 246 nonwaivable requirements.
Merchants that fail to abide by even one of these rules are considered noncompliant, and recently published data found that the number of sellers failing to keep up with PCI obligations is rising. Only 26 percent of small business-focused merchant services providers in a late 2019 survey reported a PCI compliance rate of 60 percent or more for their merchant portfolios. This is a sharp decline from 2018, when 42 percent of such providers said the same.
Respondents noted that several factors likely contributed to the recent decline in PCI adherence. Fifty percent said sellers that had been compliant failed to renew their validation annually as required, while 10 percent attributed merchants’ declining compliance rates to obligations becoming more complicated or numerous. Some firms may also simply wish to avoid the cost and distraction of conducting regular PCI audits.
Orchestrating A Solution
Lackluster PCI compliance brings unnecessary risks to the payments landscape, but partnerships and technological support could address this problem. Nearly 40 percent of merchant services providers said they seek to help their clients adhere to PCI standards by offering “technology services to simplify the compliance process,” for example. These providers could also partner with PCI compliance solutions providers to deliver end-to-end encryption support, managed firewall services and other tools to their sellers.
Merchants may also look to payments orchestration platforms to help them manage compliance needs. Retailers already turn to these one-stop solutions to connect with different payment gateways and tokenize their card data. These solutions reduce PCI scope by preventing payments data from touching their infrastructures. Payments orchestration providers can shoulder many PCI compliance responsibilities by sparing merchants from storing, processing and receiving sensitive card data and thus from having to abide by the associated security standards. This minimizes retailers’ involvement with card details and ultimately reduces the number of PCI compliance obligations to which they must adhere.
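The scope-reduction argument above rests on one property: the merchant's own systems never hold the primary account number (PAN), only an opaque token issued by the orchestration provider. The following Python is an added illustration, not code from any orchestration platform or from this article. It models a hypothetical vault (`TokenVault`) standing in for the provider, a merchant checkout that keeps only the token and last four digits, and a Luhn-based scanner a merchant could run over its own logs or database exports to confirm that no PAN has leaked into in-scope storage. The card number used is the well-known public Visa test number 4111111111111111, and the log lines are constructed for the example.

```python
import re
import secrets
import string
from dataclasses import dataclass

# Public Visa test number; constructed sample input, not a real card.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real-looking PANs from random digit runs."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the orchestration provider's vault.

    This is the only component in the example that ever stores a PAN, so it is
    the only component that would sit inside the PCI DSS cardholder data
    environment.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        # Opaque random token; only the last four digits are carried over,
        # which is the part PCI DSS permits a merchant to display.
        rand = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        token = f"tok_{rand}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Called only on the provider/gateway path, never by the merchant."""
        return self._pan_by_token[token]


@dataclass
class MerchantOrder:
    """What the merchant persists: no PAN, just a token and a display hint."""
    order_id: str
    amount_cents: int
    payment_token: str
    last4: str


def merchant_checkout(vault: TokenVault, order_id: str,
                      amount_cents: int, pan_from_customer: str) -> MerchantOrder:
    """Hand the PAN straight to the vault and keep only the token."""
    token = vault.tokenize(pan_from_customer)
    return MerchantOrder(order_id, amount_cents, token, pan_from_customer[-4:])


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Scan merchant-side text (logs, DB dumps) for Luhn-valid card numbers."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def order_is_out_of_scope(order: MerchantOrder) -> bool:
    """True when the stored order record contains no PAN."""
    serialized = (f"order={order.order_id} amount={order.amount_cents} "
                  f"token={order.payment_token} last4={order.last4}")
    return find_pans(serialized) == []


# Constructed log lines: one shows a PAN leaking into a merchant log (in scope),
# the other shows the tokenized form a merchant should actually see.
LEAKY_LOG = "2020-03-01 checkout order=ord-0001 pan=4111 1111 1111 1111 amount=1999\n"
CLEAN_LOG = "2020-03-01 checkout order=ord-0001 token=tok_qwertyuiopasdfgh_1111 amount=1999\n"

if __name__ == "__main__":
    vault = TokenVault()
    order = merchant_checkout(vault, "ord-0001", 1999, SAMPLE_PAN)
    print("merchant record:", order)
    print("record out of scope:", order_is_out_of_scope(order))
    print("PANs found in leaky log:", find_pans(LEAKY_LOG))
    print("PANs found in clean log:", find_pans(CLEAN_LOG))
```

The scanner is the part worth keeping: a tokenization integration only reduces scope if nothing downstream of the checkout form (application logs, crash dumps, analytics events, support tickets) ever receives the PAN, and a periodic Luhn-filtered scan over those stores is a cheap way to check that the assumption still holds after each release.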
Data security compliance is a moving target as PCI continues to update its standards to stay ahead of fraudsters. PCI is again actively exploring ways to refresh its existing requirements and is expected to debut a new version of its standards in 2021. This continued advancement makes it all the more important for sellers to put strong compliance strategies in place. Acting early to shore up defenses can be essential to thwarting fraudsters and keeping customers’ trust.