Was online fraud considered a significant problem prior to the pandemic? Absolutely. In fact, some reports show that as much as 90% of log-in traffic on eCommerce sites in 2018 was fraudulent. But now, it runs rampant as a direct effect of increased online activity due to the COVID-19 pandemic.
One of the most common forms of online fraud that’s seen a significant increase is a cyber crime called “skimming”. In fact, the incidence of online skimming increased by 20% during March 2020, the first month of lockdown and increased online activity.
With online credit card skimming on the rise, PCI Compliance and data security are more important than ever.
The world made drastic changes to their shopping habits last year as a direct result of the COVID-19 crisis. Because of various lockdowns, people are working and shopping from home more than ever before. If you haven't thought much about the security of payment data and adhering to PCI Compliance rules, now is the time.
As a direct result of society’s more digital lifestyle, there’s been a serious uptick in online fraud and cyber attacks. Fraudsters wasted no time exploiting the shift and merchants’ weaknesses in security. One of the best ways to combat fraud is to address those weaknesses first thing by maintaining PCI Compliance.
On the blog, we write about managing eCommerce fraud often. In our article, How To Manage Fraud In An Ecommerce World, we talked about ways merchants could increase their fraud-fighting strategies. But one of the easiest places to start is by doing and maintaining your PCI compliance.
Therefore, since it’s the best first step, today’s article will explain what PCI Compliance is and why it’s important. In addition, we’ll break down the security standards merchants need to follow and lay out the best way to become PCI Compliant.
Let’s start by learning what PCI Compliance is, what it stands for, and what it means for merchants.
To understand what PCI DSS Compliance is, we first need to understand who the PCI is, and what they do.
PCI stands for Payment Card Industry and PCI SSC refers to the PCI Security Standards Council. PCI SCC is a global organization that “maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data”. The PCI SSC’s goal is to help merchants understand and implement standards for security policies in their organizations.
To do this, they created a complete set of standards for security in payment transactions. This set of security standards is referred to as PCI DSS–Data Security Standards. They set the technical and operational requirements for merchants who accept credit card payments.
The PCI Security Standards Council established the Standards to help protect payment systems from breaches and theft of cardholder data. Therefore, PCI DSS Compliance is adhering to those set standards and attesting to such to the PCI each year.
Everyone who accepts credit cards is vulnerable to fraud, and maintaining PCI Compliance is the first line of defense. Without adhering to increased security standards, businesses and their customers are vulnerable to cyber fraud attacks.
Fraudsters are opportunists. They go where the money goes and will exploit any situation that represents itself. With our recent switch to remote working and an increase in online shopping, they found the perfect situation.
One of the best examples of this is the recent increase in online skimming. Over just one month, since stay at home orders began in March, there was a marked increase in credit card skimming on eCommerce websites.
This is a type of attack where criminals infect eCommerce websites with malicious code. The code then “skims” credit card information during the payment transaction. This gives the fraudster all the information they need. They have access to the customer’s personal information such as name, address, phone number, and email address. It will also skim all payment information. It grabs the card number and security code as well as login and password. Most of the time, fraudsters only have certain pieces of information, but there's always a missing piece. But with skimming, they get everything. That is why this attack is so dangerous.
But it's also dangerous for another reason: it's very hard to detect. And it’s not just eCommerce sites that are targeted. Often, cyber criminals embed the malicious code into third-party software. Merchants may not even realize the threat they take on from the third-party software company.
Everyone who accepts credit card payments.
There is no federal law in place requiring merchants to maintain compliance with the PCI DSS. But there are a few states that have written PCI compliance into their state laws for doing business in that state. However, compliance with PCI Data Security Standards is required by all major card brands. So, if you accept credit cards, you must be PCI DSS compliant.
According to the major card brands “everyone storing, processing or transmitting cardholder information is required to follow the Payment Card Industry Data Security Standard (PCI DSS)”.
Don’t think you can fly under the radar just because you are small. Small businesses often think they aren’t a target for cybercriminals. But they’re actually the most targeted of all. Especially small businesses that don’t have effective security protocols in place.
Large businesses and corporations often have a larger staff and even whole IT departments to handle security. But small business owners rarely have the personnel or resources. And this last year was especially tough with the limitations of the Covid shut orders.
Fraudsters target small businesses more often specifically because of that reason. According to a recent Verizon data breach report, cyber criminals target small businesses the most. Unfortunately, 43%, the greatest share of all cyberattacks, are aimed at small businesses.
The PCI Security Standards Council states combating fraud begins with an awareness of the threat. Then taking the best approach to mitigating the threat by creating layered security measures. This includes constant updates of the latest security standards, along with regular monitoring and patching of software.
PCI-DSS “consists of 12 basic requirements grouped in 6 categories for establishing and maintaining a reliable and secure payment processing environment.”
The PCI data security council has created 6 “milestones” or categories of data security. The 6 milestones contain a total of 12 PCI DSS requirements, including sub-requirements, that must be completed to be considered PCI compliant.
The first and most important step is to make sure your merchant service provider is security-minded. They should provide you with a solution that adheres to PCI DSS requirements. Our processing solutions and secure gateway are both 100% PCI Compliant. This way, many data security requirements are automatically covered with your secure payment solution.
Of course, there are additional security measures on the merchant’s end that also must be adhered to. But having security requirements built into the solution takes a lot of headache out of maintaining the annual PCI Compliance.
The PCI Security Standards Council created four separate compliance levels based on the number of transactions a merchant processes. Level 4 is the lowest security level and includes all businesses with less than 20k transactions annually. Therefore, any business that processes a credit card transaction is a Level 4 business. Alternately, Level 1 is the highest security level and includes businesses with over 6 million transactions.
Therefore, merchants must find out which Security Level their business falls in to make sure they comply with the correct standards. Once you determine your business’s compliance level, you can complete the steps necessary to become compliant.
For most businesses, this will include:
The PCI Self Assessment Questionnaire (SAQ) will ask questions based on the 12 requirements (and their sub-requirements). This helps to determine if your business is set up to comply with the standards. The questions are meant to help merchants in self-evaluating their compliance with the PCI DSS.
Again, your merchant account provider’s secure solution is equipped with almost all of the 12 data security requirements. Merchants fill out the questionnaire to make sure their security protocols adhere to the standards.
Every quarter, merchants must conduct an external vulnerability security scan. The scan performs a comprehensive analysis of your system to reveal any points of vulnerability. The results provide insights into the security of critical information.
Keep in mind your scan must be with a third party scanning vendor that is approved by the PCI Security Standards Council.
PCI Compliance requires that this is done through an Approved Scanning Vendor (ASV) to validate adherence with the external scanning requirements.
The PCI SSC maintains a complete list of approved vendors for your convenience here.
Lastly, merchants must fill out an Attestation of Compliance or AOC. This is the form used to attest to the results of your PCI DSS assessment. It will validate to the PCI council that you have complied with all steps for PCI Compliance for E-Commerce Stores.
Once merchants have completed the SAQ and filled out the Attestation of Compliance, they must submit their forms.
Merchants submit the SAQ and AOC along with quarterly scan reports to their acquiring bank and the card brands.
At MonerePay, security is a priority. And so is the success of our merchants. It’s important to us that our merchants take security seriously, too. The best way to do that is to follow PCI DSS and to complete your annual PCI Compliance.
While PCI Compliance is an annual requirement, risk management is an ongoing process. The risk of data compromise affects your whole organization, regardless of size. In fact, not only do your finances take a hit if you experience a breach, but so does your reputation.
For this reason, we provide full support to help make the process as painless as possible. Our gateway is a PCI Level 1 gateway. This security level meets and exceeds PCI’s stringent security standards. This is one way we help make meeting your PCI Compliance requirements easier from the start.
If you have questions about data security or how to maintain PCI Compliance, call us. We are always here to support you, whatever you need.