Ecommerce PCI Compliance vs. Brick and Mortar
The Differences Between Ecommerce PCI Compliance and Brick-and-Mortar PCI
There's little arguing how important it is for small businesses to become Payment Card Industry Data Security Standard (PCI DSS) compliant. The PCI Security Standards Council set the PCI Security Standards to serve as guidelines for merchants to abide by, ensuring that companies that process, store or transmit credit card information maintain a secure network and safeguard against potential breaches.
In short, PCI applies to any business that accepts or transmits a card transaction of any type and stores cardholder data, according to the PCI Security Standards Council's website. As if the threat of a potential breach isn't enough to scare merchants into PCI compliance, the financial penalty businesses face for not complying is steep. Payment brands may fine non-compliant acquiring banks anywhere between $5,000 and $100,000 per month for PCI compliance violations, most of which will likely flow downstream until it hits the merchant (1).
There are multiple levels of PCI compliance, but most small businesses are likely in the merchant level 3 or merchant level 4 tier, serving either 20,000 to 1 million customers annually or fewer than 20,000 customers. That said, there are a few differences between brick-and-mortar compliance and PCI compliance for ecommerce websites. Here are a few things to keep in mind for both in-store PCI compliance and ecommerce PCI compliance:
Brick-and-mortar PCI compliance
In-store transactions generally represent a large portion of a small business's quarterly and annual income. Given that, businesses need to ensure that all of their customers' information is protected and securely stored in their network during a transaction. The point of sale is one of the more important aspects of a small-business operation, so it makes sense that businesses should invest in protecting this critical component of their infrastructure.
Protecting the customer at the point of sale is vital to a small business's success. A business that fails to do so is liable for the data breach and may be financially responsible for all damages. The point of sale is where consumers make transactions and where payment information temporarily flows through. If a company stores sensitive customer data on site, it needs to make sure its servers are heavily protected with robust firewalls. If it outsources data storage to a cloud-service provider, it shares the burden with the third party, which also holds some responsibility for maintaining security.
In-store POS infrastructure is the most important piece of in-store security because it is a primary target for attackers. A recent report by security software firm Trustwave found that one-third of its investigations in 2013 involved the point of sale (2). Brick-and-mortar PCI compliance is therefore heavily predicated on securing the in-store network and the POS infrastructure.
Ecommerce PCI compliance
PCI compliance for online retail sites is not so different from brick-and-mortar compliance in that it is aimed at protecting customer information. The main difference is that the point of sale online is electronic, as opposed to a tangible piece of hardware in store. Since the POS differs between these two kinds of transaction, the means of compliance are also slightly different.
Shopping cart software must be protected, and the online payment portal must meet PCI requirements as well, demonstrating it has the necessary infrastructure to protect against a breach.
There are a handful of other things to keep in mind as well:
- A managed firewall
- Managed antivirus software
- SSL certificates
- Two-factor authentication
- Threat management
Both ecommerce companies and brick-and-mortar businesses must partner with a third party that is PCI compliant if they don't want to face possible financial penalties and the constant threat of a breach.
1. PCI Security Standards Council, "Hardware and Software," https://www.pcisecuritystandards.org/hardware_software/ (2015).
2. Trustwave, "2014 Trustwave Global Security Report," https://www2.trustwave.com/rs/trustwave/images/2014_Trustwave_Global_Security_Report.pdf (2014).