I remember hearing it on the radio; another major retail store was targeted by hackers, a store I had shopped not two weeks prior. That sinking feeling struck, the one that calls me to drop everything in order to familiarize myself with my credit card company’s phone bank to cancel my cards.
New brawny standards protect us against such events and the incentive for a company to comply is tremendous, but tough standards are not great if they are tough to reach. So we ask; is the arsenal guarding us from online theft too hard to grasp for the average online business?
That arsenal is called PCI DSS (Payment Card Industry Data Security Standard) Compliance, and is an overarching security standard defined by the Payment Card Industry Security Standards Council to establish common processes and precautions for handling, processing, storing and transmitting credit card data. It was created with both a carrot and a stick to prevent data security breaches like the ones we have seen with companies like TJX, Bank of America, Citigroup, BJ’s Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.
These company names are huge, which makes them bigger targets. Still, the bulls-eye is on any of us who take credit cards online, and there is no company that wants to face customers with the bad news that they have been compromised.
The “carrot” alone is the personal satisfaction that your customers’ card data is buttoned up. Further allurement is the safe harbor provided by credit card companies from penalties and fines to merchants who are compliant.
The “stick,” however, comes with the threat of removal of your ability to process credit cards. Punitive fines of up to $500,000 per incident or $90-300 per stolen record will also inspire a business to comply.
Still, the price-tag for compliance is high and they even make
calculators to figure it all out. This is one article that helps define the cost this way:
Level 1 Merchant:
Initial scope – $250,000
Becoming compliant – $550,000
Annual cost – $250,000
Level 2 Merchant:
Initial scope – $125,000
Becoming compliant – $260,000
Annual Cost – $100,000
Level 3 and 4 Merchants:
Initial scope – $50,000
Becoming compliant – $81,000
Annual cost – $35,000
Developers have their work cut out for them as they must undergo the lengthy and costly process of validating their application. And all this will not get any less burdensome as the Security Standards Council releases a new version of the PCI DSS about every 2 years. Recurring audits, and additional/new hardware requirements are all stifling to the average businessman.
But there is good news. By working with an approved Gateway that doesn’t require your server to store, process, or transmit card data you can save the hassle. These allow safe payment processing and reduce the regulatory scope by sending crucial data to their servers instead of yours.
There is also safety in choosing a cart that is widely accepted as compliant, like Shopify and BigCommerce; As opposed to a custom cart solution where compliance must be created from scratch.
Authorize.net, Paypal or Braintree provide off-your-server processing, and of these we have found Braintree to provide the most convenience because the data is not stored on your hosted server – even in memory. Unlike Paypal (basic or express checkout), it also allows shoppers to remain on your site.
So to answer our initial question; PCI Compliance is too costly for the average businessman to comply, but we are fortunate to live in a free market that sees bureaucracy as an opportunity. Companies like Braintree may have been created with profit in mind, but they are offering a service that gives us carrots and saves us from the stick.