New online shop? You need to comply with the PCI DSS, but what is it?

If you’re starting a new business that sells products or services – whether gardening equipment, yoga classes or novelty cravats – then it’s almost guaranteed that you’re going to have an online shop.

It’s sensible, it’s logical and, after all, online retail is big business.

Data from the Centre for Retail Research (Online Retailing: Britain, Europe, US and Canada 2015) states that in 2014, online retail sales in the UK grew 15.8% to a whopping £44 billion. In 2015, growth is expected to hit around 16.2%, bringing the total to around £52 billion. This is even more impressive when you consider that tickets, holidays, insurance and gambling are not included in these figures.

Every week, countless new online shops – for all manner of products and services – pop up.
If you are a new business with an online shop, there are many things you need to consider: jazzy buttons, catchy text, navigation, ‘do I need more pictures of kittens playing with my products?’

One thing that you may have heard of but are not quite sure about is the PCI DSS. You may have never heard of it and just think I’ve written a bunch of random letters. So, let’s discover what it is, why you need it and where on earth you start.

What is the PCI DSS?

The Payment Card Industry Data Security Standard (or PCI DSS) is a worldwide security standard, applicable to any organisation which stores, transmits or processes cardholder data.

In simple terms, it’s a security standard designed to help protect cardholders’ data and reduce card fraud. If you accept credit and debit cards (which, as an online shop, you presumably do) then you need to comply with it. To a business, it’s similar to other requirements such as data protection and employment law, but you are not legally required to comply.

Why should we comply with the PCI DSS?

Imagine walking into Woolworths … I think it’s safe to use them as an example as they’re no longer with us (in the UK at least) – where do you get pick ‘n’ mix from these days? (The cinema is the answer.) Imagine walking into Woolworths and buying a bunch of CD singles. You go to the checkout and give the cashier your card and, as the card machine wasn’t working, they write all the details down on a notepad and give you a receipt. What happens to those card details?

For those of you asking Wool… who? Imagine you just bought a new pair of trainers from a new online sports shop, Sportyrunners.com. What happens when you enter your card details? How do they store them? In the order confirmation they include your card details, and in the packing slip when the trainers arrive. Is this good security practice?

This is why the PCI DSS was introduced – to create a best-practice approach to handling card data.

But it’s not a legal requirement, Kev

Well, that’s true. But your merchant service provider – that’s whoever processes your card transactions – will insist on PCI compliance. If you’re not compliant then they can withdraw your merchant account, meaning you can’t take card payments.

I’m using a third-party payment gateway; surely PCI doesn’t apply to me?

Good question. In the case of third-party payment gateways, customers do not actually enter their card details into your website. Instead, they are taken to a gateway such as PayPal.

You still need to be PCI-compliant, however. There are various levels of PCI compliance depending on a multitude of factors including the volume of transactions you process and how you process payments.

Additionally, the PCI DSS applies to all people, processes and technologies that are involved in the “processing, transmission or storage of cardholder data”. It’s not just your systems, but also paper records (think receipts and mail order forms), orders taken over the phone and even cardholder data read out to call centre operators.

This all sounds very complicated. I need a lie down

If you have a nap now, will you sleep tonight?

Don’t worry, we can help. IT Governance has helped hundreds of businesses to achieve PCI DSS compliance – businesses of all sizes and sectors, and with differing requirements. We offer cost-effective solutions that help businesses find the fastest way to achieve compliance.

What’s more, we speak business, not technology.

A great starting point would be our PCI DSS – A Pocket Guide. It’s a snip at less than a tenner, explains the fundamental concepts of the PCI DSS and will help you start to plan how you can achieve compliance.

If you’d like to speak to one of our experts, then we’d love to hear from you. Call us today on 0845 070 170 50 to discuss how we can help.