What Retailers Need to Know About PCI Compliance - Part 2 of 2


In part one of our article on how retailers and merchants can achieve PCI Compliance, we reviewed what it means to be compliant and the questions to ask when evaluating payment processing solutions for compliance.


When merchants begin evaluating their options for credit card payment processing, the next questions they typically ask are “how do I know if my payment software is compliant?” and “how can I ensure that I stay compliant?”

To learn more, view our OnDemand webinar, “Avoid a Credit Card Data Breach with PCI Compliance”.


The best way to confirm that your payment processing software is, in fact, compliant is to choose an application that is PCI validated. Validation is a higher standard than your software vendor simply asserting that they are compliant. It means that a specific version of the application has been independently assessed against the Council's payment application standard by a third-party assessor qualified by the PCI Security Standards Council (a PA-QSA, or Payment Application Qualified Security Assessor) and accepted onto the Council's published list. The Council itself does not perform the assessment; it qualifies the assessors and maintains the list.


The Council publishes and regularly updates the full list of validated payment applications on its website, including the exact version numbers covered by each listing. The Council's guidance to merchants on that site is unambiguous: “The Council urges merchants to use approved payment applications in their payment environments.”


In addition to the Council's list, the major card brands, such as Visa and Mastercard, publish their own registries of validated service providers on their websites. Ask your software vendor for the specific listing, on the Council's site or a card brand registry, that covers the product and version you are buying; a link to a marketing page or a statement that the product is "PCI compliant" is not evidence of validation.


If your payment application is not on that list, the burden shifts to you as the merchant: the application falls squarely within the scope of your own PCI DSS assessment, and you should have it reviewed by a qualified third party (a QSA) rather than rely on the vendor's word that it meets the standard.


Once your payment application is in place, the next step is to confirm that your software provider maintains its validation on an ongoing basis, for both the version you run today and the versions you upgrade to. Validation is tied to specific version numbers, and listings carry status dates and eventually expire, so upgrading to an unlisted version can quietly take you out of a validated configuration. Ask the vendor how it communicates listing status for each new release. If your software vendor is committed to compliance, that is one less thing you need to worry about as a business owner.


After you have selected your payment application, review the IT infrastructure it runs on. As a merchant who accepts credit cards, you are also responsible for the security of that environment: the firewalls, anti-malware, patching, access controls and password policies that PCI DSS requires. Keeping the systems that store, process or transmit card data on their own segmented network, separated from general-purpose office systems, both reduces the risk and shrinks the scope of what has to be assessed.


If you decide to host your payment application with a third party, that provider's environment should itself be PCI DSS compliant. For example, Microsoft has announced that the data centers running Microsoft Azure are validated as a PCI DSS Level 1 service provider. Two details that marketing summaries often blur are worth getting right. First, the PCI Security Standards Council does not certify providers; a QSA assesses the provider annually and issues an Attestation of Compliance (AOC), and that AOC is the document you should ask for. Second, Level 1 is the highest service-provider tier, reserved for processors and providers handling the largest transaction volumes (the figure of more than 6 million transactions per year is the card brands' Level 1 threshold for merchants, not for service providers), and it requires a full on-site assessment rather than a self-assessment questionnaire. Hosting with a Level 1 provider covers the infrastructure the provider operates; the configuration of your application, your user accounts and your handling of cardholder data remain your responsibility, and PCI DSS requires you to keep a record of which requirements each service provider covers on your behalf. You can review Microsoft's compliance statement on its website.


Using validated software and compliant third-party infrastructure reduces the cost of getting and staying compliant. More importantly, it also reduces your liability if a data breach does occur. If card data is compromised and you are not PCI compliant, the card brands can levy fines on your acquiring bank, which passes them on to you under your merchant agreement, and you can also be billed for the mandatory forensic investigation and for reissuing the affected cards. You may also lose your merchant account, and with it the ability to accept credit card payments at all.


As more and more significant data breaches at some of the world's largest companies make front-page news, C-level executives and boards are increasingly on the hook to ensure that they are adequately protecting their customers' credit cards and personal data from malicious attack and fraud. The resulting legal issues are a challenge for these companies, but the damage to their reputation can be even greater if consumers learn that the company did not take appropriate measures to protect their personal information.


The risks are high whether you are a global business or a small retailer. You can protect your business by taking compliance seriously and making the best possible effort to get and stay compliant. Using PCI validated solutions is the best and the least expensive path to achieving this goal.


Western Computer and ChargeLogic have helped many retailers and other merchants get a head start on PCI compliance.

To learn more, contact Western Computer today or view an OnDemand webinar about PCI compliance.
