Many businesses, particularly in the eCommerce sector, are facing with the harsh reality that cybersecurity can no longer be deprioritized.
Cybercrime is more lucrative than ever. Conservative estimates project that cybercrime created in $1.5 trillion in profits over the course of 2018 and will cost businesses a $6 trillion annually by 2021.
Between 2013 and 2014, 3 billion Yahoo users had their personal information compromised by cybercriminals. In 2018, UnderArmor, Quora and Marriot suffered data breaches that compromised data of approximately 780 million individuals. But these types of statistics do not account for the 43 percent of cyberattacks targeting small businesses.
Having a robust cybersecurity infrastructure is more important than ever before. One easy way eCommerce businesses can strengthen their cybersecurity infrastructure is by ensuring that they remain PCI-compliant.
Understanding PCI compliance
There are two acronyms that sit at the heart of PCI-compliance: PCI DSS and CHD. PCI DSS stands for the Payment Card Industry Data Security Standards. The PCI DSS council is formed by the credit card brands Visa, MasterCard, American Express, Discover, and JCB and exists to dictate standards and regulations for how enterprises handle cardholder data, or CHD.
The PCI DSS is applicable to any organization that accepts, transmits, or stores CHD. Organizations of different sizes must meet different requirements in order to be classified as PCI-compliant.
For example, any organization that processes more than six million transactions per year should go to greater lengths to secure consumer data than a business that processes fewer than 20,000 transactions per year to remain PCI compliant.
PCI compliance benefits and imperatives
According to Verizon’s 2017 PCI DSS Compliance Report, PCI DSS compliance increased by 167 percent since 2012, although 80 percent of organizations were still PCI non-compliant. The organizations that suffered data-breaches were PCI non-compliant.
“There is a clear link between PCI DSS compliance and an organization’s ability to defend itself against cyberattacks,” said Rodolphe Simonett, Verizon’s global managing director for security consulting.
PCI compliant enterprises can reap a number of benefits, including increased brand reputation and consumer trust, as well as a greatly improved cybersecurity infrastructure nearly impenetrable to data breaches.
For eCommerce enterprises, PCI compliance should be a bare minimum standard for cybersecurity best practices.
PCI-compliance checklists generally require that merchants follow 11 cybersecurity protocols:
- An updated firewall placed between payment card data and the public network
- Vendor-supplied default passwords not used for network or payment-processing equipment
- CHD stored with a third party with sufficiently strong encryption
- Anti-virus software deployed and updated regularly
- Securing systems and applications
- Access to business data restricted on a need-to-know basis
- Giving each person with access to a business computer possessing a unique ID
- CHD not physically accessible
- All access to network and CHD resources constantly monitored
- Security systems and processes regularly tested
- A policy addressing information security
The ramifications for eCommerce enterprises not PCI compliant can be intense. Fines ranging from $5,000 to $10,000 per month may be issued to PCI-noncompliant merchants. Banks will likely terminate relationships or increase transaction fees for PCI-noncompliant organizations, in addition to other penalties.
For large organizations, PCI non-compliance can be devastating. For small organizations, PCI non-compliance can be a death sentence.