Online security has become more important than ever – identity theft is on the rise and serves as a huge liability for your business. But what’s the difference between PCI compliance and PCI/CISP certification? Why is it important? Find out now.
Last Friday we talked about ways to reduce the number of abandoned carts from your site. One of the reasons for people ditching their purchase is security concerns. Several of your customers still aren’t comfortable sending their credit card information over the information superhighway. So what can you do to give them peace of mind and the extra push to purchase? Remind them that you’ve done all the work to keep their information safe. The best and only way to do so is to make sure your provider is PCI/CISP certified. In other words, if you aren’t working with someone on Visa’s list of approved providers, you’re running a major risk. Volusion has made it a major priority to reach this standard – we’re leading the industry in included security measures.
But what is PCI/CISP?
The Payment Card Industry (PCI) is a joint creation of Visa, MasterCard, Discover and American Express. In response to the growing frequency and severity of credit card and identity theft, this organization created the PCI Data Security Standard (PCI DSS), with the overall goal of protecting credit card data wherever it may reside.
The Cardholder Information Security Program (CISP) was initiated and mandated by Visa in June 2001. In 2004, these requirements were incorporated into the PCI DSS to establish industry-wide standards for card security. These standards must be followed by both merchants and providers.
Sources: Visa Cardholder Information Security Program
Why is this important?
Identity theft is a major issue that is growing exponentially. The FTC estimates that approximately nine million Americans have their identity stolen each year, a crime amounting to $45 billion. In September 2009, one hacker pleaded guilty to stealing over 170 million credit card and debit card numbers, the largest identity theft case in US history.
Exceeding PCI standards is critical for anyone doing business online, including the merchant and the customer. For the merchant, the penalties can include:
- $500,000 in fines (per incident)
- Complete loss of ability to process card transactions
- Class-action lawsuits
- $10,000 in monthly fines
- Major public relations crises
For the customer, credit card and/or identity theft is devastating. Dozens of calls must be made, dozens of forms must be filled and credit can be ruined. More important to your business, your customer has a new sense of mistrust that makes them afraid to purchase with you online.
Sources: Federal Trade Commission, Washington Post, Javelin Strategy and Research
What’s the difference between compliance and certification? (A lot.)
PCI/CISP compliance indicates that a merchant simply follows the PCI DSS guidelines. This means there is a wide spectrum of security measures that would qualify a business as compliant. Also, compliance is only measured once a year, so rapid-spreading malware and hacking innovations are not always addressed. In sum, there is a lack of accountability with compliance and it is no longer stringent enough to protect your most valuable asset – your business.
PCI/CISP certification, on the other hand, is a higher degree of guaranteed security. In order to be certified, a provider must make major investments in their servers and hardware to meet higher security standards. When this has taken place, there is a rigorous screening process to be listed on Visa’s certification list. Additionally, PCI/CISP certified companies are required to have an independent auditor come to their physical location to thoroughly inspect the security implementation.
The vast majority of shopping cart solutions have not reached the level of PCI/CISP certification.
Merchants using these non-certified solutions face the greatest amount of risk because it is easier for hackers to access sensitive customer information. Most of these providers are unable to achieve certification because of the following:
- They do not have the necessary capital to complete certification requirements
- They are not knowledgeable enough to configure and code certification requirements
- They do not meet Visa’s minimum company size requirements
Check the status of your provider on Visa’s list here. If they are not listed, your business is not adequately secured.
“PCI Certification is essential for any online business at this point in the game. We decided to invest millions to beef up our security infrastructure because we had to. The risk far outweighed the investment for us and our clients.”
-Clay Olivier, Volusion COO
What do I need to do to remain certified?
PCI/CISP certified solutions have completed the overwhelming majority of the work; however there are still measures that must be taken from the business level. In order to be fully certified at the merchant level, your team must do the following:
- Select a PCI/CISP certified solution.
- Complete the Self Assessment Questionnaire (SAQ) once a year. The SAQ is a list of questions about your website and current security practices.
- Complete a vulnerability scan through an approved scanning vendor (ASV) periodically throughout the year. Then, provide documentation that your site passed the scan.
You can find the SAQ and list of ASVs online at: https://www.pcisecuritystandards.org/.
Sources: PCI Security Standards Council
Where do you fit on the security spectrum? Have you talked to your provider about their security standards and its direction? These are critical questions that must be answered correctly in order to protect you and your customers from those who are out to take advantage of vulnerable websites. Consider PCI/CISP certification the ultimate insurance policy for your online business.
-Matt Winn, Marketing Associate
If I use the Volusion solution SKIPJACK (which is on Visa’s list)…are there still steps I have to take as an independent merchant or is my service provider covering me?
Great question. Regardless of payment processor or internet gateway, you’ll still need to complete the Self Assessment Questionnaire once a year and complete the vulnerability scan a couple of times a year. Both are painless procedures and will allow you to trumpet your PCI certification standing.