PCI Compliance for Mobile and eCommerce Payments
Payments taken with a card reader and eCommerce transactions account for a significant portion of payments these days. With mobile POS, you get paid on-the-go, any time, anywhere. Time spent chasing checks and managing receivables is reduced when payments are processed on the spot.
These methods make payments more convenient, but are you aware of the compliance requirements you should be following for mobile point of sale and eCommerce payments?
This blog post will help explain.
You may choose to start an online shop for a number of reasons. Online stores are open 24/7, have a global customer base, and require less overhead. However, when it comes to PCI compliance no business is exempt: every merchant, regardless of size or industry, that comes into contact with sensitive card information needs to be PCI-compliant.
PCI DSS (Payment Card Industry Data Security Standard) was founded by the five major credit card companies, Visa, MasterCard, Amex, Discover, and JCB, and is now maintained by the PCI Council. It sets out 12 requirements that ensure a safe environment to process card payments and reduce fraud. At the beginning of last year, the requirements were updated. Fail to comply and you run the risk of penalties, fines, account termination, and loss of customer trust.
Along with the growth of credit and debit payments comes an increase in technology crimes, resulting in a need for stricter security standards in card processing. Compliance requires that no card information be read or stored on merchant systems – whether mobile POS, eCommerce, or another payment method.
To be PCI-compliant with mobile POS, you should:
- Ensure validated point-to-point encryption (P2PE). With P2PE, encryption occurs in the card reader before any information enters a mobile device so your phone never sees decrypted data.
- Restrict access to a business need-to-know.
- Use password-protected apps.
- Download only trusted apps from the App Store.
- Use true end-to-end encryption that encrypts immediately after swipe.
- Protect your mobile devices from theft and unauthorized use.
- Install anti-virus programs to prevent hacking and malware.
- Complete a P2PE self-assessment questionnaire as part of your annual PCI validation.
To be PCI-compliant with eCommerce transactions, you should:
- Get an SSL (secure sockets layer) certificate to encrypt customer payment data until it is passed along to the processor. In practice this means a TLS certificate: the SSL protocol itself is deprecated and no longer permitted under PCI DSS, so configure your server for TLS only.
- Fill out an SAQ (self-assessment questionnaire). This may be the minimum requirement for some eCommerce cases.
- Get an ASV (Approved Scanning Vendor) to scan your website and servers for vulnerabilities every quarter.
- Ensure your website is scanned and audited by a QSA (qualified security assessor).
- Support Verified by Visa and MasterCard SecureCode for checkout.
- Set up a firewall to protect payment card data from the public network.
- Set up a WAF (web application firewall) to shield the site from attacks by third parties.
- Regularly update anti-virus software, security patches, and firewall rules.
- Monitor and record access to the network and cardholder data.
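One concrete check behind "no card information stored on merchant systems" and "monitor and record access to cardholder data" is to scan your own application logs for unmasked primary account numbers (PANs). The following is an added example, not code from the original post or from any payment processor; the log lines are constructed, and the card numbers in them are the standard Visa and MasterCard test PANs.

```python
import re
from typing import List, Tuple

# Constructed sample log lines (not from a real system). A PCI-scoped
# merchant should never see a full PAN in application logs; tokens are fine.
SAMPLE_LOG = """\
2024-01-10T12:00:01Z INFO checkout order=1001 token=tok_8f3a amount=19.99
2024-01-10T12:00:05Z DEBUG gateway request card=4111111111111111 exp=12/26
2024-01-10T12:00:07Z INFO refund order=1002 ref=5500-0000-0000-0004
2024-01-10T12:00:09Z INFO tracking id=4111111111111112 carrier=ups
"""

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to other digits (avoids matching parts of longer numbers).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for reporting; PCI DSS allows at most the first six and last four
    digits to be shown, and a finding only needs the last four."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every Luhn-valid card number found.

    Luhn filtering removes most order ids, tracking numbers and timestamps that
    merely look like card numbers; the tracking id in the sample is rejected."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append((lineno, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: PAN found {masked}")
```

Any hit means card data is entering your systems in the clear and the logging or integration path needs fixing, which is the sort of finding an ASV scan or QSA audit would otherwise surface much later.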
Make PCI Compliance easy by partnering with a payment processor
Ensuring PCI compliance on your own is a time-consuming and costly commitment. A PCI-compliant payment processor can reduce your scope by:
- Providing an open payment API that’s secure and PCI-compliant.
- Ensuring that sensitive card data never touches your servers.
- Supplying you with PCI-compliant tools, from hosting to processing payments.
- Making sure non-pertinent information is not stored so you don’t have to worry about encrypting the data.
- Meeting industry standards for encryption hardware to best protect your payment data.
- Identifying key areas of weakened security and suggesting products that will help decrease the risk of fraud.
- Ensuring that access to networks is strictly monitored, with entry and usage logs reviewed on a regular basis.
Safe online payments
PCI compliance is an ongoing part of your business, not a one-time deal. Constant security checks are required to ensure that risks are identified and fixed. Protecting payment card data is mandatory and keeps the payment ecosystem healthy. Even if you decide to go with a payment processor, it’s good practice to regularly check that they remain PCI-compliant.
At Adeo Group, we have experience in integrating websites with Sage Pay (which holds Level 1, the highest level of PCI DSS certification), allowing you to integrate your e-commerce processes with back office systems to save time, resources and running costs.
For more information about PCI Compliance, or if you are looking to build an Ecommerce website, or integrate with Sage Pay please contact Adeo Group web design Glasgow, London, Newcastle & Dubai: firstname.lastname@example.org
About the author
Kalle Radage is the President and Chief Product Officer of Payfirma and has held leadership roles in product development, marketing, and business development at Nokia, Oracle, and Sabela Media. Payfirma’s secure and simple payment solutions make it easy for merchants to get paid any way their customers want to buy: online, in-store, or on the move.