Why Do Online and Mobile Payments Require PCI Compliance?


Quick Hits: 
  • Online and mobile businesses handling sensitive card payment information must comply with PCI. 
  • The PCI DSS has 12 security requirements for these businesses to follow. 
  • Even though it’s not required by law, entities that fail to comply with PCI DSS requirements face legal, financial, and reputational consequences. More importantly, they can lose customers’ trust that their card payment data is protected from theft. 
Requirements to Be PCI Compliant 

To achieve PCI compliance, companies must follow the 12 requirements outlined by PCI DSS. These requirements fall under six main categories, which provide an overview of the security controls needed to achieve compliance. Those six categories are:  

  1. Build and maintain a secure network and systems. 
  2. Maintain protection of cardholder data. 
  3. Maintain a vulnerability management program. 
  4. Implement strong access control measures. 
  5. Regularly monitor and test networks. 
  6. Maintain an information security policy. 
Online and Mobile Retailers’ Security Requirements 

Any eCommerce website or mobile application that accepts, processes, stores, or transmits credit card data must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a global industry standard for securing cardholder data. It is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by the five major card brands – American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. Failure to comply with PCI DSS can lead to a host of problems, from compromising cardholders’ sensitive data to liability for lawsuits and brand reputational damage.   

Online and mobile retailers must develop and operate their websites and applications in a way that complies with PCI DSS for mobile and online payments. The standard’s 12 requirements, grouped under the six categories above, are:  

  1. Install and maintain a firewall configuration to protect cardholder data. 
  2. Don’t use vendor-supplied defaults for system passwords and other security parameters. 
  3. Protect stored cardholder data. 
  4. Encrypt transmission of cardholder data across open, public networks. 
  5. Protect all systems against malware and regularly update anti-virus software. 
  6. Develop and maintain secure systems and applications. 
  7. Restrict access to cardholder data by business need to know. 
  8. Assign a unique ID to every person with access to cardholder data. 
  9. Restrict physical access to cardholder data. 
  10. Track and monitor all access to network resources and cardholder data. 
  11. Regularly test security systems and processes. 
  12. Maintain an information security policy. 
Consequences of Not Being Compliant 

If a merchant is not PCI compliant, this can open the door to severe financial and legal trouble. For example, a non-compliant merchant can be fined up to $500,000 per incident of stolen cardholder data. The card brands impose these penalties through the merchant’s acquiring bank, which can also revoke the merchant’s ability to accept card payments from the major brands. An eCommerce website or mobile app that can no longer accept card payments is effectively crippled. These outcomes can be devastating, particularly since 80 percent of online security attacks target small businesses, which often lack the internal resources to handle an attack swiftly and efficiently. A data breach at a non-compliant merchant connected to a payment gateway can permanently put that business out of operation.  

Final Points 

In 2021, 82 percent of U.S. citizens used digital payments, including browser-based or in-app mobile purchases, in-store checkout via a mobile phone or QR code, and person-to-person (P2P) payments. That share will keep growing because of the convenience of these online and mobile payment methods. Merchants should not only offer these payment options; they must also protect their customers’ payment information, use a secure payment gateway, maintain PCI compliance online, and always treat sensitive data as confidential.  

If you want to learn more about payment security, consider payment tokenization through a reputable cloud tokenization provider. Payment tokenization replaces sensitive payment data with randomly generated values called tokens. Online and mobile payment data includes credit and debit card numbers, bank account numbers, data from mobile wallets, names, addresses, etc. Because a token is generated at random rather than derived from the card data, it carries no information that could be recovered in a cyberattack. Tokens usually consist of 13 to 19 alphanumeric characters (often matching the length of the card number, with the last four digits preserved for receipts) and can be stored and used in a company’s internal environment, while the original data is held in the provider’s secure vault and can only be retrieved by authorized systems. If a breach hits the merchant’s environment, the attacker obtains tokens that are useless without access to that vault. Tokenization therefore removes stored card numbers from the merchant’s systems and shrinks the part of the environment that PCI DSS applies to, though the token vault and the payment path that still touches the real card number remain in scope. Used this way, it helps companies maintain compliance, protect cardholder data, and avoid legal nightmares.
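The following Python sketch is an added example, not code from the original article or from any tokenization provider, showing the mechanics described above: the merchant keeps only a random token and a masked card number, the card number itself lives in a vault that only an authorized role can query, and the card security code is never persisted. The `TokenVault` class, the role names, and the policy of forcing tokens to fail the Luhn check (so a token can never be mistaken for a real card number) are assumptions of this example; the card number used is a well-known test number, not a real card.

```python
import re
import secrets

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS display rule: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

class TokenVault:
    """Stand-in for the provider's vault (assumption: a real provider runs this in its
    own PCI-scoped environment, outside the merchant's systems)."""
    def __init__(self):
        self._by_token = {}   # token -> PAN
        self._by_pan = {}     # PAN -> token, so a returning card gets the same token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random, not derived from the PAN: the token reveals nothing about it.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]            # keep last four for "card ending in 1111"
            # Assumed policy: reject candidates that pass Luhn, so a token can never be
            # confused with (or equal to) a real card number. Also avoid collisions.
            if luhn_valid(token) or token in self._by_token:
                continue
            self._by_token[token] = pan
            self._by_pan[pan] = token
            return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Requirement 7 in miniature: only the payment processor role may recover a PAN."""
        if caller_role != "payment-processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]

def store_order(vault: TokenVault, orders: dict, order_id: str, pan: str, cvv: str) -> str:
    """Merchant-side handling: tokenize immediately, persist only token and masked PAN.
    The CVV is used for the (simulated) authorization and deliberately not stored."""
    assert cvv.isdigit() and len(cvv) in (3, 4)   # used once, then dropped
    token = vault.tokenize(pan)
    orders[order_id] = {"token": token, "masked": mask_pan(pan)}
    return token

def find_pans(text: str) -> list:
    """DLP-style scan: 13-19 digit runs that pass Luhn are candidate card numbers."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_valid(m)]

if __name__ == "__main__":
    vault, orders = TokenVault(), {}
    # Constructed input: the standard Visa test number, not a real card.
    tok = store_order(vault, orders, "order-1", "4111111111111111", "123")
    print("merchant record:", orders["order-1"])
    print("PANs found in merchant data:", find_pans(repr(orders)))
    print("processor detokenizes:", vault.detokenize(tok, "payment-processor"))
```

Scanning the merchant's own records with `find_pans` is the useful check here: it should come back empty, which is exactly what a PCI assessor wants to see when reviewing what the merchant environment stores.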