“What is PCI?” is a question I get asked a lot. To break it down, the Payment Card Industry Security Standards Council (PCI SSC) defines a security compliance framework that merchants must meet in order to be allowed to take card payments in their physical and digital stores. Without PCI compliance, merchants will not find an acquirer to work with, and could be fined by the card schemes indirectly through their acquirers. The level of compliance required of a merchant depends on the total value of card transactions it processes.
PCI is complicated, and there’s all sorts of information merchants need to know. At Ingenico, we get asked questions about compliance regulations every day, so, to make life a bit easier, we’ve answered some of those here.
What type of PCI compliance does my business require?
It’s essential that merchants look for PCI compliance from their payment providers, and there are two primary standards they should be aware of: PCI PIN Transaction Security (PCI PTS) for payment terminals, and the PCI Data Security Standard (PCI DSS) for payment gateways in store and online. Additionally, merchants must manage their own payment assets adequately, ensuring that those systems never handle sensitive cardholder data such as the card number (PAN) or the CV2 number.
To do this, merchants should employ a PCI Point-to-Point Encryption (P2PE) solution. This ensures that the card data is encrypted at source on the PIN pad and stays encrypted until it reaches a PCI DSS environment, usually a PCI DSS compliant gateway. Because the merchant’s own systems only ever see ciphertext, a compliant PCI P2PE solution significantly reduces the merchant’s PCI compliance burden.
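The point above, that merchant systems should never handle the PAN or CV2 and that under P2PE only an opaque encrypted blob reaches merchant infrastructure, can be checked in practice by scanning merchant-side logs for leaked cardholder data. As an added example (not Ingenico’s code), the following Python scanner finds Luhn-valid PANs and CV2/CVV fields in constructed sample log lines and reports them masked to the first six and last four digits, so the finding itself does not spread the card number:

```python
import re
from typing import Dict, List

# Constructed sample log lines (not real data): a plaintext PAN and CVV leaking
# from a web-form handler, a P2PE record carrying only a key serial and an
# encrypted blob, a properly masked receipt line, and a 16-digit order
# reference that happens to look like a PAN but fails the Luhn check.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z webform POST pan=4111111111111111 cvv=123",
    "2024-03-01T10:00:01Z p2pe pinpad=PP01 ksn=FFFF9876543210E00001 blob=8A3F",
    "2024-03-01T10:00:02Z receipt pan=411111******1111 auth=OK",
    "2024-03-01T10:00:03Z order ref=1234567890123456 total=19.99",
]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")          # 13-19 digit runs
CVV_RE = re.compile(r"\b(?:cvv|cvc|cv2)=(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every scheme PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> Dict[str, List[str]]:
    """Return Luhn-valid PANs and CVV values found in a single log line."""
    pans = [m.group(0) for m in PAN_RE.finditer(line) if luhn_ok(m.group(0))]
    return {"pans": pans, "cvvs": CVV_RE.findall(line)}


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Report the line number, masked PANs and CVV count for each leaking line."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit["pans"] or hit["cvvs"]:
            findings.append({"line": n,
                             "pans": [mask_pan(p) for p in hit["pans"]],
                             "cvv_count": len(hit["cvvs"])})
    return findings


if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f)   # only line 1 is reported: the P2PE and masked lines are clean
```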
What do I need to do to ensure PCI compliance?
Merchants must stay on top of the PCI standards, which evolve every three years and must be reported against annually. Large merchants will need to work alongside specialist consultants called Qualified Security Assessors (QSAs), who verify that the merchant upholds the 290 requirements defined by the PCI Council. Merchants must put strategies in place to maintain those requirements, including network scans, penetration tests and staff training, while also ensuring their payment devices are managed properly.
Non-compliance can result in fines and extra costs when processing card payments. More importantly, if a merchant falls victim to a data breach exposing cardholders’ sensitive data, it may be liable to even bigger fines from the schemes or the Information Commissioner’s Office. At worst, we have seen some of the UK’s biggest retailers fined over £10 million.
How can Ingenico Enterprise Retail help merchants navigate PCI?
Ingenico Enterprise Retail payment gateways, both in store and online, have upheld the highest level of PCI DSS for many years, and our in-store payment gateway was one of the first to be fully PCI P2PE compliant. So, when a merchant uses an Ingenico P2PE solution, the burden reduces from meeting over 290 requirements to filling in a short self-assessment questionnaire under the direction of a QSA.
How else can merchants make sure their customers have a secure, yet swift payment experience?
Merchants can work alongside a provider that is PCI compliant and has the capacity to offer a reliable, fast and scalable platform. In 2019 alone, Ingenico payment gateways processed 7 billion transactions, both in store and online, for small, medium and large businesses. All our retail partners benefit from the peace of mind that their PCI compliance requirements are met wherever our solution sits in their payments cycle, as well as from the security this provides. They also benefit from our ability to scale with them: the Ingenico platform can cope with several million transactions per day.
To learn more about PCI or to find out how your company can benefit from the same assurances, get in contact with Ingenico Enterprise Retail today at www.ingenico.com/omnichannel.