December 15th 2020

Worldwide security standards for credit card transactions

Cashless payment

What merchants need to know about PCI DSS and how to protect themselves against misuse and attacks.

"After founding our company, we need to familiarize ourselves with a variety of new topics. One of them is security and PCI DSS. What do I need to know about it as a merchant?"

Peter N., Retailer with an online shop in Hannover


Security plays a central role in all payment transactions, whether stationary or mobile, in e-commerce, in stores or at the customer's premises. Of course, you have to be able to rely on transactions being transmitted successfully and payments being processed reliably. It is important that unauthorized persons do not gain access to customer or merchant data - especially with credit cards, but also beyond that.

To prevent payment defaults, credit card misuse, and data theft, there exists a globally recognized security standard established by leading credit card organizations known as PCI DSS – Payment Card Industry Data Security Standard. This standard serves as a framework for implementing robust security measures and protocols to safeguard payment card data and mitigate risks associated with unauthorized access and fraudulent activities.

"You could also call PCI DSS the 'security MOT in data traffic' for card payments," says Daniela C., Credit Risk and Fraud Prevention Expert at Nexi. The standards are developed and maintained by the PCI Security Standards Council, a forum of the leading card organizations and other interested industry groups.

"The security, availability and integrity of data and IT systems are critical success factors for companies, especially with the ongoing development of the technical environment. Your own 'data treasure' must be protected against theft, manipulation and misuse in order to avoid payment defaults, liability risks and damage to the company's image, for example," says the expert.

In principle, every company that accepts, stores, processes or transmits credit card data is obliged to comply with the security requirements of the PCI DSS. This applies to Concardis as well as to you as an online retailer, store owner, hotelier or restaurateur and to all your service providers who come into contact with card data.

Protection against cybercrime and safeguarding reputation

Those who comply with the standards protect themselves and their company as far as possible against misuse or loss of card and company data, as well as against hacker attacks, cybercrime and attacks "from within".

Those who do not comply with the standards must expect claims for damages and the risk of legal action, as well as high fines for breaching security and/or data protection requirements or for violating the rules of the card organizations. Reputational damage and the associated loss of trust on the part of your customers can also have serious consequences for your business.

"It is important to know that you can largely protect your company from the risks and damage of a security incident with proof of compliance with the PCI DSS standard and also largely fulfill legal data protection guidelines."

"The requirements for compliance encompass technical and operational components in processing card payments. These requirements include setting up and maintaining internal systems, managing access rights, as well as verifying the PCI compliance of your involved service providers (PCI DSS: 12 Security Requirements for Download). They form the security foundation for your company," explains Daniela C., Expert in Credit Risk and Fraud Prevention, elaborating further:

"From a liability and regulatory perspective, it is crucial for businesses to ensure data security and comply with privacy laws. However, ultimately, as a merchant, it should be even more imperative for you to secure your trade secrets and data. Therefore, we advise you to meet the required standards and regularly provide evidence, for instance, through the PCI DSS Self-Assessment Questionnaire (SAQ). We are here to support you in this endeavor."

Self-certification for your company

Our certification partner usd AG and Nexi have developed an information platform to guide you through the self-certification process.

"As a Concardis customer, you can check whether you meet the PCI requirements, obtain information and carry out self-verification. You then also have the opportunity to advertise with the 'PCI DSS approved seal' in connection with your company in order to gain the trust of your customers," Daniela C. continues.

If you need help with self-verification, please contact us.

Requirements at a Glance

The requirements of PCI DSS can be broadly categorized into three main areas:

1. Access Control and Restriction: Merchants must restrict access to cardholder data. This is achieved, for example, by ensuring that only individuals within the company who require access to relevant data can obtain it, following the "Need-to-Know" principle. Additionally, there must be the capability to track and monitor accesses to network resources and cardholder data, such as by assigning unique identifiers to all individuals with computer access.

2. Software Security: Merchants must ensure the establishment and maintenance of firewall configurations to protect data. Additionally, they are responsible for the encrypted transmission of sensitive information, such as cardholder data, over public networks. The use and regular updating of antivirus programs are also mandatory.

3. Security in Handling: PCI DSS requires a generally secure approach to handling card data. Merchants must always ensure the use of secure systems and applications, as well as their regular assessment. Additionally, the use of default system passwords or security parameters is strictly prohibited.
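The three areas above map onto concrete controls. As an added illustration that is not part of the original article and not code from Nexi, Concardis or usd AG, the following Python snippet models a need-to-know access check on cardholder data, unique per-user identifiers with an audit trail of every access attempt, and a startup check that refuses vendor-default credentials and unencrypted gateway URLs. The roles, permission matrix, default-credential list, sample record and field names are all constructed for this example.

```python
"""Constructed example of three PCI DSS control areas: need-to-know access,
unique user IDs with access tracking, and rejection of default credentials
and unencrypted transmission. Not from the article; all names are invented."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed list of vendor-default credential pairs that must never be used.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed need-to-know matrix: which role may read which field.
# Note that the full PAN appears in no role's permission set, so it is never
# returned through this interface.
ROLE_PERMISSIONS = {
    "support_agent": {"last4", "cardholder_name"},
    "chargeback_analyst": {"last4", "cardholder_name", "expiry"},
    "marketing": set(),
}


@dataclass
class CardRecord:
    pan: str
    cardholder_name: str
    expiry: str

    @property
    def last4(self) -> str:
        return self.pan[-4:]


@dataclass
class AccessEvent:
    user_id: str
    field_name: str
    allowed: bool
    timestamp: str


class CardholderDataStore:
    """Cardholder data behind a need-to-know check with an audit trail."""

    def __init__(self, records: dict):
        self._records = records
        self._users = {}          # unique user id -> role
        self.audit_log = []       # every access attempt, allowed or not

    def register_user(self, user_id: str, role: str) -> None:
        # Unique identifiers: an id may be assigned to exactly one person.
        if user_id in self._users:
            raise ValueError(f"user id {user_id!r} already in use; ids must be unique")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._users[user_id] = role

    def read_field(self, user_id: str, record_id: str, field_name: str):
        role = self._users.get(user_id)
        allowed = role is not None and field_name in ROLE_PERMISSIONS[role]
        # Track every attempt against the user's unique id, including denials.
        self.audit_log.append(AccessEvent(
            user_id, field_name, allowed, datetime.now(timezone.utc).isoformat()))
        if not allowed:
            raise PermissionError(f"{user_id} (role {role}) may not read {field_name}")
        return getattr(self._records[record_id], field_name)


def uses_default_credentials(username: str, password: str) -> bool:
    return (username, password) in DEFAULT_CREDENTIALS


def startup_check(config: dict) -> list:
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    if uses_default_credentials(config.get("db_user"), config.get("db_password")):
        findings.append("database account uses a vendor-default credential")
    if str(config.get("gateway_url", "")).startswith("http://"):
        findings.append("gateway URL is not TLS-protected (http://)")
    return findings


if __name__ == "__main__":
    # Constructed sample record; the PAN is a standard test number.
    store = CardholderDataStore({"r1": CardRecord("4111111111111111", "A. Sample", "12/27")})
    store.register_user("u-1001", "support_agent")
    print(store.read_field("u-1001", "r1", "last4"))
    print(startup_check({"db_user": "admin", "db_password": "admin",
                         "gateway_url": "http://pay.example.invalid"}))
```

Denied attempts are logged with the same unique identifier as successful ones, which is what makes the trail useful when reviewing who tried to reach cardholder data and when.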

Learn more about PCI with a special focus on card security for hotels (Brochure).

In addition to PCI DSS verification, you and your employees can contribute to preventing data hacking, card misuse, and fraud.

If you have any further questions on this topic or any other concerns, please do not hesitate to contact us by phone. We look forward to hearing from you!
