Compliance with the Payment Card Industry Data Security Standard (PCI DSS) has often suffered in the past from a lack of understanding about its aims and benefits. That said, awareness and compliance levels among large tier one and two merchants is pretty good these days. Unfortunately, the same is not true of their smaller counterparts.
Many level four retailers just can't see what PCI compliance adds to their business. They view it as a pointless exercise that drains time and resources, often in extremely short supply among small businesses. Taken at face value it might appear onerous in the extreme – a wasteful bit of red tape that is better off left to the big high street brands to worry about. But let's think this through. PCI wasn't actually set up by the card schemes to benefit the retailers at all, it's there to protect card carrying customers.
PCI DSS is actually pretty similar to the way a Basic Food Hygiene certificate works – not to benefit the individual food outlet but to protect the health of its customers. Basic Food Hygiene and PCI are built on similar foundations; they aim to make the business more aware that actions they take or don't take could endanger their customers in some way. By raising this kind of awareness they seek to make the outlets operate more safely. So instead of guidelines on food preparation and storage, think procedures around the handling and storage of card data.
This isn't to say a compliant business will never suffer a data breach – just as it isn't to say a customer will never catch food poisoning from a restaurant with a Basic Food Hygiene certificate. But being aware of sound business practices and adhering to these every day will in the long term protect the health of the business – and that has to be a good thing.
Most reputable food outlets have gone further to champion their Basic Food Hygiene status. Some prominently display framed certificates of all the staff that have attained the required level, in an attempt to differentiate themselves from their nearest competitors. Why not do the same with a PCI compliance certificate showing your latest Primary Account Number (PAN) scan results? In this way customers can learn to differentiate and select businesses where they feel safest spending.
In fact, consumers are already getting increasingly savvy when it comes to online shopping. Payments revolve around trust – especially card transactions – and shoppers can be suspicious if a site doesn't look authentic or reputable. It's why many like to see hosted payment pages powered by larger providers – they feel reassured that their card data is being handled by a “reputable” service provider. Gaining PCI compliance and notifying customers with a prominent display on your site is a great way to gain their trust, whilst driving potential extra revenue.
What's more, PCI compliant merchants are less susceptible to fraud – WorldPay has noticed fewer chargebacks on these businesses – because their security is tighter and they are more familiar with how the payment system works. Without dwelling on the negatives – that acquirers may pass on fines received from the Card Schemes as a result of any account data compromise in your business – think of all the positives that can come from PCI DSS implementation. Less fraud means less time and money spent on cleaning up after a card data breach – letting you focus on what you do best, running your business and maximising profitability.
Every payment service provider and acquiring bank will have a dedicated team and web resources devoted to walking you through each step of the compliance journey. So do right by your customers and your business and take a look today.
Contributed by Tim Lansdale, Head of Payment Security at WorldPay