Anytime you’re listening to a conversation about tying credit card processing to online registration, you’ll hear a lot of lingo thrown around, such as encryption, merchant services, gateways, etc. You’re also likely to hear about Payment Card Industry (PCI) compliance. Like so many things related to credit card processing, however, it may not be clear what PCI compliance means.
PCI compliance goes back several years to when the major credit card brands—Amex, Visa, MasterCard (MC), Discover and JCB International—each had their own guidelines for ensuring payment card security. Because the card companies had similar standards, they said, “Hey, why don’t we quit driving everyone crazy and come up with one standard for all?” And thus was formed the PCI (Payment Card Industry) Security Standards Council.
The council then created the PCI Data Security Standard (PCI DSS), which is a uniform framework for preventing, detecting and reacting to payment card security breaches and fraud. If a company, such as an online registration software provider, is PCI compliant, that means it meets the PCI DSS requirements. Compliance is not mandatory, but companies that are not PCI compliant are subject to fines by the payment card brands.
To become PCI compliant, an online registration provider has to be vetted by a third-party company—called a Qualified Security Assessor (QSA)—that has been approved by the PCI Security Standards Council. Each year, the QSA reviews the company’s security procedures to determine whether the company has met the PCI DSS requirements. Part of the process is to scan the provider’s online presence for any security breaches.
Some observers believe PCI security standards don’t go far enough, while other critics say it’s simply a way to generate more revenue for Visa, MC and the other card brands. If a company is PCI compliant, it doesn’t mean payment card information is 100% secure. There is no such thing. However, Visa has claimed that no PCI compliant provider had ever been breached. Even so, the PCI DSS is fluid, and its standards have become stricter since its inception several years ago.

If you plan to take credit card payments online, your online registration software provider should already be PCI compliant. If you’re not sure, ask.