A cautionary tale to online retailers
It came to our attention that banks are more frequently putting pressure on SME merchants with ecommerce websites to become PCI compliant.
In fact, several banks have “threatened” merchants with additional charges for failure to comply with the PCI DSS standards.
What shocked us the most is that these banks are referring customers to a paid-for “security” scanning service of the website in order to identify “threats” and “risks” even when there are some instances no need for PCI DSS scanning of their website!
A case study to demonstrate this issue will help here:
– Merchant has an ecommerce website and uses a payment service provider (e.g. SagePay, WorldPay, PayPal) to process online card transactions.
– Merchant’s bank gets in touch to “warn” them of pending charges should they not be able to prove PCI compliance on their ecommerce website
– Merchant’s bank recommends a 3rd party, paid-for, security scanning service provider to scan to enable PCI compliance to be achieved
– Merchant pays for security scan and then spends time trying to sort through results and reports to try and comply.
The primary problem with this scenario is that the merchant is using a PSP (Payment Service Provider) to handle all credit card transactions and details. This means that the merchant only has to ensure the PSP used is PCI compliant. i.e. the merchant’s website does not need to be PCI compliant as it does not handle card details.
(note: virtual terminal transactions still require regular internet connection scans)
The instruction from the bank and the security scanning company both failed to take this into account. This costs the merchant in time, worry and most importantly in money and ties them into a 10 monthly contract to a security scanning company’s service when it is not required.
Now, teclan take online security very seriously. Implementing the correct procedures to ensure maximum data security for card details is paramount, however knowing the correct procedures and processes required is the main hurdle for merchants.
NOTE: All of teclan’s ecommerce hosting platforms adhere to the most current PCI compliance requirements, however individual merchants may have to look to their own internal PC’s and network infrastructures as well – see below:
A quick PCI compliance sense check:
Do you…….
– … process card details yourself, in your place of work, on your local system/network?
If yes then you need to ensure that your local systems are compliant – check here for simply steps to do this
– … only use an online Payment Service Provider to handle all credit card transactions?
If yes then it is your responsibility to ensure that this PSP is PCI Compliant. If they are then you’re compliant! (view list of compliant PSP’s here)
– … process card details internally AND online?
If yes then you need follow the steps for both of the above.
The above checks are a simplified ready-reckoner for merchants to guide them through the PCI Compliance issues.
Conclusions:
Credit card data security is vital. Having the most reliable, secure and updated hosting platform for your website is vital.
Knowing exactly what your responsibilities are for PCI compliance is vital i.e. ensure you do not get pressurised into a paid for service that you may not actually need!
While I agree that the banks are unfairly burdening SMEs, and the whole process is somewhat of a farce, if you are going to give advice then I think you should be very precise, as one of my clients has incorrectly cancelled testing based on this.
The use of PCI compliant PSPs does negate the requirement UNLESS you also use them for mail/ telephone order transaction (MOTO) via an online virtual terminal. This does not require a website scan, but does require a quarterly scan of any internet connection creating online virtual terminal transactions.
Alan, we are glad you agree with the key point of this article; the unfair treatment of SME’s from the banking sector in regards to PCI compliance.
In this article we aimed to be explicit as possible with the “PCI compliance sense check” which clearly highlights links to resources which further clarifies the responsibilities for both online transactions AND MOTO transactions. We highlighted an issue which we had direct experience of with several of our customers. We want people to be aware of the issues surrounding PCI compliance, to know the facts and also be aware of the negative marketing that surrounds security scanning services.
I thank you for your comment. We have taken this on board and subsequently amended the article slightly to further emphasise that security scans may be required in some situations, specifically MOTO transactions.