5 Themes for small e-commerce businesses in 2013 – Theme 4 – PCI Compliance

In the fourth post in this series of five, we examine the fourth theme from the Sagepay report on e-commerce for 2013: PCI compliance.

For 2013, five themes were identified that small e-businesses should be focusing on right now. These are:

  1. Social
  2. Mobile
  3. Fraud
  4. PCI Compliance
  5. International Trade

Payment Card Industry Data Security Standard (PCI DSS)

Non-compliance could mean the end of your business. Yet 35% of small e-business respondents see PCI DSS as unnecessary, and well over half (58%) still don't fully understand the requirements. You're not alone: we've seen this issue across the board, whatever the size of the business.

No matter what size of business you are, if you sell goods and accept payment by card, you must be PCI DSS compliant. It doesn't matter whether you take payments in-house (as 14% of this year's small e-businesses do) or outsource them to your payment provider (as 83% of small e-businesses do). It also applies to the 3% of respondents who didn't know which of the two they currently did.

This year, 5% of small e-businesses are still failing to comply with the standard, while a further 18% don't know whether they are compliant or not. Given the high penalties for non-compliance, these are very worrying numbers: almost a quarter (23%) of the small e-businesses taking part in the benchmark are laying themselves open to significant fines. These often run into tens of thousands of pounds, enough to do serious damage to a small business, and there is no fixed upper limit on them.

PCI and your business – what you need to know

So why do you need to be PCI compliant? Because it helps prevent your customers' card data from being stolen. There is a widespread and very lucrative trade in stolen card details, and any successful breach of your systems would also do untold damage to your reputation.

So what do you need to know?

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard organised into twelve requirements. Among other things, it requires you to install and maintain firewalls, to change vendor-supplied default passwords, to protect stored cardholder data and not to store sensitive authentication data (such as the CVV) after authorisation, to encrypt cardholder data when it is transmitted across public networks, to keep anti-virus software up to date, and to restrict access to cardholder data to those who need it for their job.

There are four merchant levels of PCI compliance. The chances are that, as a small e-business processing fewer than 20,000 card transactions a year, you only need to satisfy the lowest level (Level 4), especially if you outsource payment processing to a third-party payment service provider such as Sage Pay, which is already certified as a Level 1 service provider. Fortunately, this is pretty simple to do: if you outsource your payments, it requires little more than completing an annual self-assessment questionnaire (SAQ). Note that outsourcing reduces what is in scope but does not take you out of scope altogether: your provider's certification covers their systems, not yours, so you still have to complete the self-assessment each year. If you host your own payment system, you will have to comply with more stringent requirements, and as you grow the demands become steadily stricter. To be clear, PCI DSS is not a legal requirement; it is a contractual obligation that comes with your card-acceptance agreement, and complying with it is industry best practice that protects you, your customers and your business.

You can learn more at pcisecuritystandards.org

The four merchant levels

Level 1 – Any merchant processing over 6 million card transactions per year, however they accept them. This also includes any merchant that the card brand, at its sole discretion, determines should meet the Level 1 merchant requirements.

Level 2 – Any merchant processing between 1 million and 6 million card transactions per year.

Level 3 – Any merchant processing between 20,000 and 1 million card e-commerce transactions per year.

Level 4 – Any merchant processing fewer than 20,000 card e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million card transactions per year.

The three threats of non-compliance

  1. Your customers are not protected
  2. You face unlimited fines
  3. Your reputation is at risk