When diving into the fast growing E-commerce market space, one of the most important avenues to consider from a merchant’s standpoint is securing the cardholder’s data.

The questions surrounding the setup of your back-end system can be overwhelming and daunting – What are my options to make sure I adhere to PCI standards? Is my system compliant? What measures should be taken to prevent a data breach? Is it necessary to house the information or outsource the storage of payment data?

The responsibility to manage your card payment environment is delicate and any breaches in PCI compliance could lead to potential negative fallback from your customer’s perception of your company. This could lead to diminished sales, fraud losses, higher subsequent costs of compliance, as well as other very expensive costs of remediation such as credit monitoring to all impacted customers, damaged systems, cash paid out, and damage to your brand name.

As Eric Page, Senior Director of Compliance and Controls at Airgas says:

“[PCI Compliance] is a company wide effort. When we look at PCI, the cost is not necessarily just what we pay to vendors [or] how much the salaries are of the people managing PCI. It’s the intrinsic cost across the organization to make sure that everybody knows what PCI rules are, how PCI affects the organization, how critical it is to maintaining our internal control, and how critical it is to make sure our executive officers can sleep at night.”

- Eric Page, Senior Director of Compliance and Controls at Airgas

What is PCI Compliance?

In 2004, the main players in the payment card industry established several security requirements called the PCI (Payment Card Industry) standards. They did so in order to address the ever growing increase in payment card fraud. The goal was to harmonize the security measures between different parties in the payment card realm. Each party is responsible for ensuring the rules are properly applied by its members. PCI Security Standards have 3 different components, which include all parties involved in the payment card chain:

- PCI PTS: PIN Transaction Security applies to payment card terminal manufacturers

- PCI PA-DSS: Payment Application Data Security Standard applies to developers

- PCI DSS: Data Security Standard applies to merchants and processors

The standards continue to evolve and update in order to keep up with the ever changing landscape of technology and fraud. “You have to deal with the PCI Council and when they change the regulation and you have to mirror that with your requirements on top,” says Eric Page, “so it does become a challenge not only to keep up with the latest risks but also keep up with the latest regulation and latest technology—we try to keep pace with all of that.”

What are the requirements of PCI Compliance?

For the purposes of this conversation, only the Data Security Standards (DSS) requirements that apply to merchants and processors are highlighted below. There are 12 requirements broken down into six different goals.

These 12 requirements are only the minimum in order to be in compliance with the Payment Card Industry’s Data Security Standards. These requirements alone do not guarantee against data breaches, and depending on your business you should exceed what is expected and treat your customer’s data with the utmost safety. At Airgas, Eric Page and his team tighten things up far more than standards require. “Just because there are PCI standards out there, doesn’t mean that is our exact guidebook; we use those as minimum standards, and above and beyond those in certain areas we make sure that we reduce our risk and really address those concerns through additional controls, additional security measures, as well as configuration.”

What are my PCI Compliance obligations and what options do I have?

PCI compliance has a far reach in all avenues of payments and fortunately, the burden of data security does not have to fall solely on the merchant’s shoulders. There are two options for PCI compliance: outsource to a specialized vendor or accept the burden and internally house the payment card data securely.

One avenue for payment processing is to eliminate the need for the customer’s payment method from passing thru the merchant’s site, such as utilizing PayPal, Amazon, Square, or other providers to bear the burden of payment data security. By adding these providers as a form of collection of payment, the merchant reduces their risk and thereby reduces their PCI compliance obligations. This is exactly how Eric Page discussed Airgas’ approach to their compliance.........