What Is PCI Compliance? Do I Really Need It?

PCI stands for Payment Card Industry. The standard was created by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International on September 7th 2006. It contains a list of requirements governing the exchange of credit/debit card data. Its main purpose is to protect cardholders against misuse of their personal information.

In which case should you be PCI compliant? If you want to start accepting payments directly on your website without using a third-party payment gateway, you should buy PCI scanning software. You can have serious problems if you decide to proceed without it. If your website is hacked and credit card data is stolen, the credit card issuer will start an investigation. If they discover that you accepted credit/debit card payments on your website without being PCI compliant, they can fine you up to $100 000. That’s not the only problem you might have. The banks will also most likely either terminate your relationship or increase your transaction fees.

What does PCI compliance software really do? It scans your website for vulnerabilities and weaknesses in the code. There are different types of PCI scanning products. The basic one just covers the payment card industry’s requirement to scan your website and send them a report every 3 months. If you want to increase the level of security on your website and guarantee your clients the best possible protection, you should buy a daily scanning product. This will reduce the vulnerability risk to a minimum. Daily scanning products are more expensive, but they can increase your clients’ trust significantly and help your business grow faster.

Is PCI scanning software enough to start accepting online transactions? Not really. The PCI scanning product is just part of the protection you must have in order to start accepting online payments without a third-party payment gateway. Your website should also have an encrypted connection with your customers’ computers. This is done with an SSL certificate. But be careful! Only high assurance certificates are appropriate for securing online transactions. The best way to avoid vulnerability is authentication: low assurance SSL certificates can’t verify your business. You need a certificate which can identify you as a real business. This is what an Extended Validation SSL certificate does. It provides verification of your business and, together with the PCI scanning software, makes your website reliable and trusted.