How does your payment service provider tackle PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) applies to any business that stores, processes or transmits cardholder data, regardless of its size or industry, so it is vital that you understand what protection your payment provider is offering and what it expects you to tackle on your own.
While some providers charge for security and compliance as an additional service, most of us would expect these to come as part of the monthly fees. After all, the provider is the one selling you the service, so should security and compliance not be part and parcel of it? Unfortunately, this isn't always the case, and it is becoming increasingly evident that some payment companies are profiting from compliance rather than helping you achieve the goal you set out to achieve when acquiring their services: growing your business.
Determining your PCI Compliance requirements
Whether you are a service provider, an online retailer or a brick-and-mortar store, you need to establish the level of compliance validation your business requires before you can understand what your obligations are and whether any additional costs are justified. If you store, process or transmit cardholder data, PCI DSS applies to you; how you validate compliance depends on how the payments are processed and how much of the card data your own systems touch.
The PCI Security Standards Council publishes a set of Self-Assessment Questionnaires (SAQ A, A-EP, B, B-IP, C, C-VT, D and P2PE) that let eligible merchants validate compliance without a full on-site assessment. Which one applies depends on how your business handles, processes or stores card data. For instance, if your website accepts cards entirely through a hosted payment page such as the one offered by Latpay, where the customer is redirected to, or an iframe loads, a page served from the provider's domain, you would only be required to complete SAQ A. One caveat worth checking with your provider: if the card form is embedded in your own page and posts directly to the provider (a "direct post" or JavaScript integration), the more demanding SAQ A-EP applies instead, because your web server can influence how the card data is captured.
If, however, you take card payments and store the card details on your own systems for quick future purchases, you will be required to complete SAQ D, by far the longest of the questionnaires, which covers essentially the full set of PCI DSS requirements. Storing a provider-issued token instead of the card number avoids this, which is why tokenisation is covered below.
To help you determine whether your provider is offering the services your business requires, let's look at the top five things to check when choosing a payment service provider:
Level 1 PCI Compliance
PCI DSS itself applies to everyone, but how compliance must be validated depends on the size of your organisation and how many card transactions you process annually: Level 1 merchants and service providers need an annual on-site assessment by a Qualified Security Assessor, while lower levels self-assess. Regardless of your business specifics, your service provider should be PCI DSS Level 1 certified, the highest level of validation. Don't take this on trust: ask for the provider's current Attestation of Compliance (AOC) and check that it appears on the card brands' registries of validated service providers. Using a Level 1 provider means that much of the PCI DSS burden can be shifted to them rather than handled in-house, though not all of it: PCI DSS requires you to keep a written agreement with the provider stating which requirements they manage and which remain yours. It also gives you confidence that their systems are independently assessed each year against the requirements for accepting, processing, storing and transmitting card information.
Secure Cloud Hosting
It is fairly common knowledge that you should not store card numbers on your own website or web server. For this reason, check with your payment provider where and how cardholder data is hosted. Secure cloud hosting keeps that data away from your site, and a well-run cloud environment is typically better defended than a server in the back office, but the cloud is not secure by default: the hosting provider is responsible for the physical facilities and the underlying platform, while your payment provider remains responsible for how card data is segmented, encrypted, monitored and accessed on top of it. Ask which cloud provider and regions are used, whether that cloud provider holds its own PCI DSS attestation, and which controls sit with whom. Reputable providers use data centres with strong physical security and data privacy standards, and resilient hosting with clearly assigned security responsibilities should definitely be written into your payment service provider SLA.
Secure Hosted Payment Page
If your business uses a hosted payment page for your customers, ensuring that page is secure is absolutely critical. Card details entered on it travel across the internet through networks you do not control, so anyone able to observe or tamper with that traffic could capture them. To mitigate this, the page must be served only over HTTPS using TLS 1.2 or later; the older SSL protocols and early TLS (1.0 and 1.1) are deprecated and PCI DSS no longer permits them for protecting cardholder data. The certificate proves that the page really belongs to the provider, and TLS encrypts the connection between the customer's device and the server; both matter. Going the extra mile, your payment provider should also offer tokenisation, so that a returning customer need not re-enter their details each time they buy online and your systems never hold the card number at all.
Data Tokenisation
Data tokenisation is one of the most effective ways to safeguard sensitive customer data and should be a must-have for your payment service provider.
Like encryption, tokenisation replaces sensitive data such as a card number with a surrogate value, the token, which is useless in the hands of a cybercriminal. The difference is in how the surrogate is produced.
Encryption transforms the data with a mathematical algorithm and a key, so anyone who obtains the key can reverse it. A token, by contrast, is generated randomly and has no mathematical relationship to the original card number, so there is nothing to decipher: the only way back to the card data is a lookup in the "token vault", the system that stores the association between each token and its card number. The vault itself is then protected by encrypting the card data it holds and by tightly controlling who and what may ask it to de-tokenise. Because a token is useless outside the provider's vault, your own systems can store tokens for repeat purchases without ever storing card numbers, which removes stored cardholder data from your PCI DSS scope, provided the card number is captured on the provider's hosted page and never passes through your servers.
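To make the encryption-versus-tokenisation distinction concrete, here is an added, illustrative token vault. It is not Latpay's implementation or any provider's product. It shows the three properties the section relies on: the token is drawn from a CSPRNG and has no mathematical relationship to the card number; the only way back is a lookup in the vault, not a decryption; and a card seen before gets the same token back, so the merchant can store it for repeat purchases. The index key, the card numbers and the in-memory dictionary standing in for the encrypted vault store are all assumptions made so that the example runs stand-alone.

```python
"""Illustrative token vault (added example; not Latpay's implementation or any
provider's product).  Assumptions: the index key would live in an HSM or KMS,
and the PAN column of a real vault is encrypted at rest; here the vault is an
in-memory dict so the example runs stand-alone.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by card numbers (right-most digit is the check)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """What a receipt or dashboard may show: the last four digits only."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    def __init__(self, index_key: bytes):
        self._index_key = index_key                 # assumed to come from an HSM/KMS
        self._token_to_pan: dict[str, str] = {}     # encrypted at rest in a real vault
        self._pan_index: dict[str, str] = {}        # HMAC(PAN) -> token

    def _index_of(self, pan: str) -> str:
        # A keyed hash lets the vault find an existing token for a card without
        # keeping a plaintext PAN index, and without an unkeyed hash that could be
        # brute-forced over the small space of valid card numbers.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Same length and same last four as the PAN (so it fits existing fields and
        # receipts), leading digits from a CSPRNG, and deliberately Luhn-invalid so
        # the token can never pass as a real card number.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, reusing the token for a card seen before."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        key = self._index_of(pan)
        if key not in self._pan_index:
            token = self._new_token(pan)
            self._token_to_pan[token] = pan
            self._pan_index[key] = token
        return self._pan_index[key]

    def detokenize(self, token: str) -> str:
        """The only way back to the PAN: a lookup, not a decryption.  In a real
        vault this call is restricted to the payment switch and every use is audited."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=b"example-index-key")      # constructed for the demo
    tok = vault.tokenize("4111111111111111")                # well-known test PAN
    print(mask(tok), "reused:", vault.tokenize("4111111111111111") == tok)
```

The point of the Luhn-invalid token is operational as well as cryptographic: a token that leaks in a log or a database dump cannot be mistaken for, or replayed as, a card number, and a scanner looking for PANs will not flag it. The scope reduction the section describes only holds if `tokenize` is called on the provider's side of the hosted page; if the merchant's server ever receives the PAN and then calls the vault, that server is back in scope.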
Fraud Management Services
What fraud management services does your current or prospective provider include in the SLA? One of the first things a good payment provider will do is conduct a tailored risk assessment based on your level of acceptable risk, to determine how stringent your screening rules ought to be: too loose and you carry the chargebacks, too strict and you decline good customers. As standard, you should expect every transaction to be screened by a fraud management engine before it is authorised. You should also expect real-time fraud mitigation, complemented by a dedicated fraud management team that shares intelligence with you on fraudulent activity and emerging risks, and by offline manual review of the transactions the engine flags as suspicious.
What should you do if your service provider isn’t making the cut?
If you find that your payment service provider isn't offering you the highest levels of data security and PCI compliance, or is doing so only at an additional cost, it's time to start shopping around, because you're paying over the odds.
As a leading Payment and Merchant Service Provider in Australia, UK and Canada since 2001, Latpay offer superior fraud management capabilities and data tokenisation services to online businesses around the world.
With industry-leading technology, exceptional Level 1 PCI compliance and fraud management proficiencies, Latpay are proud to provide a truly complete payment solution to conventional and bespoke e-Commerce ventures for companies of all shapes and sizes.
Talk to us on +61 7 5502 6686 to see how we can alleviate the hassles of security and compliance, so you can get back to what you do best.