When diving into the fast growing E-commerce market space, one of the most important avenues to consider from a merchant’s standpoint is securing the cardholder’s data.
The questions surrounding the setup of your back-end system can be overwhelming and daunting – What are my options to make sure I adhere to PCI standards? Is my system compliant? What measures should be taken to prevent a data breach? Is it necessary to house the information or outsource the storage of payment data?
The responsibility to manage your card payment environment is delicate and any breaches in PCI compliance could lead to potential negative fallback from your customer’s perception of your company. This could lead to diminished sales, fraud losses, higher subsequent costs of compliance, as well as other very expensive costs of remediation such as credit monitoring to all impacted customers, damaged systems, cash paid out, and damage to your brand name.
As Eric Page, Senior Director of Compliance and Controls at Airgas says:
“[PCI Compliance] is a company wide effort. When we look at PCI, the cost is not necessarily just what we pay to vendors [or] how much the salaries are of the people managing PCI. It’s the intrinsic cost across the organization to make sure that everybody knows what PCI rules are, how PCI affects the organization, how critical it is to maintaining our internal control, and how critical it is to make sure our executive officers can sleep at night.”
Eric Page, Senior Director of Compliance and Controls at Airgas
What is PCI Compliance?
In 2004, the main players in the payment card industry established several security requirements called the PCI (Payment Card Industry) standards. They did so in order to address the ever growing increase in payment card fraud. The goal was to harmonize the security measures between different parties in the payment card realm. Each party is responsible for ensuring the rules are properly applied by its members.
PCI Security Standards have 3 different components, which include all parties involved in the payment card chain:
- PCI PTS: PIN Transaction Security applies to payment card terminal manufacturers
- PCI PA-DSS: Payment Application Data Security Standard applies to developers
- PCI DSS: Data Security Standard applies to merchants and processors
The standards continue to evolve and update in order to keep up with the ever changing landscape of technology and fraud. “You have to deal with the PCI Council and when they change the regulation and you have to mirror that with your requirements on top,” says Eric Page, “so it does become a challenge not only to keep up with the latest risks but also keep up with the latest regulation and latest technology—we try to keep pace with all of that.”
What are the requirements of PCI Compliance?
For the purposes of this conversation, only the Data Security Standards (DSS) requirements that apply to merchants and processors are highlighted below. There are 12 requirements broken down into six different goals.
These 12 requirements are only the minimum in order to be in compliance with the Payment Card Industry’s Data Security Standards. These requirements alone do not guarantee against data breaches, and depending on your business you should exceed what is expected and treat your customer’s data with the utmost safety. At Airgas, Eric Page and his team tighten things up far more than standards require. “Just because there are PCI standards out there, doesn’t mean that is our exact guidebook; we use those as minimum standards, and above and beyond those in certain areas we make sure that we reduce our risk and really address those concerns through additional controls, additional security measures, as well as configuration.”
What are my PCI Compliance obligations and what options do I have?
PCI compliance has a far reach in all avenues of payments and fortunately, the burden of data security does not have to fall solely on the merchant’s shoulders. There are two options for PCI compliance: outsource to a specialized vendor or accept the burden and internally house the payment card data securely.
One avenue for payment processing is to eliminate the need for the customer’s payment method from passing thru the merchant’s site, such as utilizing PayPal, Amazon, Square, or other providers to bear the burden of payment data security. By adding these providers as a form of collection of payment, the merchant reduces their risk and thereby reduces their PCI compliance obligations. This is exactly how Eric Page discussed Airgas’ approach to their compliance.
“As our business changes we have to keep up with vulnerabilities to our existing business. We bring in experts that tell us what the new vulnerabilities are. So that is key—we have partnerships outside of Airgas, and the folks inside of Airgas that have intense knowledge of how our networks are set up, where payment card data flows through. So for us we look at the different payment channels. We understand our global risks, we seek outside expertise to analyze those risks, and then internally we ask ourselves where our payment card data is flowing through our systems and try to remove it as much as possible. We try to tokenize it as soon as we get it and try to move it outside of our systems so that we don’t have any actual credit card data in our systems. There has been an evolution for a hands off approach to credit card data, and that is to let the experts handle it, because they know how to encrypt it and keep it safe, use the data only when necessary, and keep that data and information out of the hands of bad actors.”
Eric Page, Senior Director of Compliance and Controls at Airgas
However, some merchants prefer to have a DIY approach and house the card data internally. PCI compliance would need to be examined from the beginning of the payment transaction to the storage of the card data. A full blown assessment of the credit card data flow would need to be mapped out followed by the phases needed to secure the information. This would consist of testing the storage of the data on the merchant’s internal network, conducting random penetration tests, and sampling the data for any potential breaches. A partnership across internal departments from Treasury to IT would be needed along with input from your providers to ensure compatibility with your internal systems/networks.
Regardless of the approach, the degree and frequency to which your systems must be assessed depend on which tier or level your business falls into. These levels are largely based on the amount of payment card transactions your business processes annually.
As merchants move up the compliance tiers, their obligations and responsibilities increase. In order to better meet the requirements merchants should not store any customer data when it is not necessary to do so, segment networks and separate systems that store, process, and transmit cardholder data from those that do not, tokenize transactions, and/or equip a point-to-point encryption solution. Utilizing these recommendations, merchants can drastically decrease their PCI DSS scope.
An annual self-assessment questionnaire (SAQ) is one of the requirements that all merchants must complete, except for those that qualify as level 1. These merchants instead are subject to an annual compliance report completed by a qualified security assessor or internal auditor. The majority of merchants that qualify in the other 3 tiers will all have a questionnaire to be completed by a dedicated employee(s) of the merchant. These questionnaires are meant to validate and document the results of the merchant’s own PCI DSS self-assessment and detail their level of compliance. The specific questionnaire that each merchant completes will vary greatly depending on the merchant’s business.
What channel are my payments accepted and how does that affect my PCI compliance?
Whether your payment card transactions are taken in person, over the phone, or online, they are all subject to the same 6 goals and 12 requirements of PCI DSS. Although the requirements are always the same, the stakeholders and systems involved in the transaction flow will surely differ. Which is why the questionnaires meant to document merchant’s level of compliance differ based on your business. As the merchant, it is important to understand all of the employees, stakeholders, systems, and networks your payment card transactions flow through for all of your different payment channels. Airgas accepts payment card transactions over all three channels so Eric Page needs to ensure he has a complete understanding of the transaction life cycle from start to finish, and then ensure his understanding is passed on to other relevant parties.
“We have a telesales environment where account managers process telephone orders. Those account managers need to know how to safely handle credit card transactions just as much as the person at the store location that actually receives a credit card and swipes it. So all of those people have to receive information in different ways and we have to train them differently. You can’t train someone sitting at a desk with a headset on all day the same way as someone at a physical location. The stakeholder depends on how we have to approach it. Our role with PCI is to make sure we’re aware of who touches it, what’s our risk, making sure the controls are in place, then most importantly, testing it to make sure that what we say we are doing is what we are doing.”
Eric Page, Senior Director of Compliance and Controls at Airgas
Other merchants may not have been used to multi-channel payment acceptance, but this pandemic has forced many merchants to implement an additional payment channel like e-commerce or even develop an omnichannel solution. Additionally, especially with an omnichannel solution, creating customer profiles aimed at increasing customer loyalty with faster and improved checkout experiences is quickly becoming the standard. The only way to maintain customer specific profiles is by collecting and storing customer information.
Although collecting and storing this information increases risk, exposure, and your PCI DSS scope, there are still ways to do this safely. In addition to the 12 PCI DSS requirements, merchants can utilize multi-pay tokens that encrypt customer cardholder data at the time of the transaction. That token will stay with its respective cardholder for the life of the card and can be used across the merchant’s entire payments platform. Multi-pay tokens present a tremendous opportunity for merchants to meet customer’s checkout experience expectations, while at the same time keeping their sensitive data safe and secure.
In conclusion, PCI compliance is not a topic that any merchant can afford to ignore. Increased regulations and obligations inherently make doing business more difficult, but these security standards were born out of necessity and are meant to protect both the customer and the merchant. Obtaining compliance is not an easy task and it’s never completely achieved as technology and standards progress and change.
It’s important to identify employees within your company that can be champions of the compliance process, while also remembering that there are industry experts and other resources available. These resources can help make the process as easy as possible and reduce the burden placed upon the merchant. Utilizing these resources are key to maintain compliance with the data security standards and above that, ensure your customer’s data is properly safeguarded. Airgas has the employees and internal processes aimed at giving PCI compliance the attention it deserves, but what sets Airgas apart is their ability to utilize the resources within the industry. These items together make Airgas a pillar for success and an excellent merchant to model after.
Justin DiCioccio & Sara Moren
A special report on the cash management & payment trends that will transform your treasury department in 2022
The growth and vitality of the payments industry has fascinated all observers during the past two years of the pandemic. Now with recent geopolitical developments arising from the Russia-Ukraine conflict, it is being tested again.
Our new publication analyzes the most prevalent trends and innovations in the treasury world today.
Included in this publication:
- The Global Resurgence of QR Codes
- Choosing the Right Payment Terminal in an Ever-Changing Environment
- The Rise of Buy Now, Pay Later
- PCI Compliance in an E-Commerce World
- Where Do Banks Stand in the Race for Digital?
- Virtual Accounts, Which Companies Should Implement Them?
- The Future & Alternatives to SWIFT GPI
- Global Digitization in the Depository Space
- “Switching Banks Was the Right Decision”: An Interview with Olivier Bouillaud from Albéa
Download the full publication