December 9, 2013, 5:11 PM

What e-retailers should know about PCI compliance

New PCI rules take effect Jan. 1, 2014. They include requirements designed to ensure that mobile devices used to take payments are secure.

With Cyber Monday 2013 come and gone, many companies, including one online retailer, have set new sales records again. Sales for that retailer as of 10 a.m. on Cyber Monday were up 39% compared to 2012, and its overall Wednesday-to-Saturday online sales jumped 26% this year as well.

Any successful retailer in the 21st century must be aware of the success of online and mobile commerce. More and more people are shopping with their smartphones and tablets—18 percent of total online sales, according to IBM—and the numbers are expected to skyrocket over the next few years. Various research studies predict that mobile e-commerce will triple or even quadruple by 2015.

So what does this all mean for your business?

No matter who you are or what you sell, if you want to accept online or mobile payments you must adhere to the standards set by the Payment Card Industry (PCI) Security Standards Council. The PCI Security Standards Council is “responsible for the development, management, education and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.” The five founding global payment brands (AMEX, Discover Financial Services, MasterCard Worldwide, Visa Inc. and JCB International) all incorporate the PCI DSS as their data security technical requirements.

One major event that has affected the e-commerce world is the release of PCI DSS 3.0 in November 2013. The update is intended to make PCI compliance an ongoing process rather than a single report on a specific date. PCI DSS 3.0 takes effect January 1, 2014, but version 2.0 remains active until December 31, 2014 to allow time for adaptation.

The PCI Council released this statement regarding the announcement: “Version 3.0 will help organizations make payment security part of their business-as-usual activities by introducing more flexibility, and an increased focus on education, awareness and security as a shared responsibility. Overall updates include specific recommendations for making PCI DSS part of everyday business processes and best practices for maintaining ongoing PCI DSS compliance; guidance from the Navigating PCI DSS Guide built in to the standard; and enhanced testing procedures to clarify the level of validation expected for each requirement.”

Data for the update was compiled from feedback from hundreds of companies and stakeholders. According to this real-world input, the common challenge areas driving the changes included:

  • Lack of education and awareness
  • Weak passwords and authentication
  • Third-party security challenges
  • Slow self-detection and malware
  • Inconsistency in assessments

Another recent and important PCI security standard topic is the new guidance for merchants on mobile payment acceptance security. Tablet and smartphone card swipers have begun to show up everywhere from food trucks to taxis. Both merchants and consumers appreciate the convenience and reliability, but how is the card data being protected?

According to a PCI press release on the subject, the new guidance addresses the fact that a smartphone, tablet or PDA is more than a point-of-service (POS) tool. These devices will most likely be used for other business purposes as well, meaning that downloading and using other applications could expose account data stored on the mobile device. The new guidance is meant to educate merchants on the proper measures to isolate and shield sensitive data from exposure.

Troy Leach, chief technology officer of the PCI Security Standards Council, noted that “it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes. Which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”

Security issues will be an ongoing battle as long as cyber criminals use their knowledge for criminal purposes. While some merchants view the PCI Security Standards Council as demanding and unreasonable, the safety of the consumer’s financial data will always be the number one priority. After all, if consumers stop trusting online and mobile transactions, they will simply stop buying products online or through swipers. Your best bet is to stay educated on the latest PCI updates and comply with the requirements to keep your business in good standing with the Council and your clientele.


Kristen Gramigna is chief marketing officer for BluePay, a provider of e-commerce payment processing. She brings more than 15 years of experience in the bankcard industry in direct sales, sales management, and marketing to the company and also serves on its board of directors. Based in Naperville, IL, BluePay has offices in New York, Chicago and Vancouver, and sales representatives around the U.S.
