At first glance, it all sounds so simple and straightforward. Back in 2006, the Payment Card Industry (PCI) – the good folks from Visa, MasterCard, American Express and others – came up with a set of rules to ensure that all merchants maintain a secure environment for processing, storing or transmitting credit card information. A merchant is any company that allows customers to pay for products and services via credit card. Just about every news media company is a merchant.
Over the years, as new payment methods like debit cards and ATM cards became more popular, the PCI Data Security Standard (PCI DSS) continued to expand. Plus, as merchants became more vulnerable to data breaches, hacking, skimming and other types of payment card fraud, the PCI DSS rules grew even more stringent. The latest version, PCI DSS 3.0, went into effect at the beginning of this year. In April 2015, a v3.1 update was issued, partially because breaches resulting from the Heartbleed virus exposed certain weaknesses in previously secure data transfer protocols.
In a recent Newscycle Solutions survey of news media executives, only 26% expressed confidence that their companies were fully compliant with the latest PCI DSS requirements. Another 13% said they were not certain of their company’s compliance status. No one denies the absolutely critical importance of protecting customer credit card data. But, the PCI rules are really complicated and they seem to be changing constantly. Busy publishers – like busy executives everywhere – are simply having trouble keeping up.
PCI compliance is a land of shifting sands. As the industry strives to protect consumers by staying one step ahead of the hackers and cyber-attackers, the requirements must invariably evolve. In fact, the newest PCI DSS 3.1 specification includes over 200 compliance rules … 27% more than the 2.0 version.
Shifting sands indeed. And, a healthy bowl of alphabet soup for anyone diving into the PCI standard documentation. AAA, AES, ANSI, AOC, AOV, ASV, and that’s just the first page of the PCI DSS glossary.
The PCI terminology is also confusing and seemingly contradictory. When a business is in-scope, anything that processes, stores or transmits cardholder data is subject to PCI compliance, which makes it potentially easier to fall out of compliance. Out-of-scope, on the other hand, is generally a good thing for a business because there are fewer PCI processes that need to be monitored to ensure they are in compliance.
It’s kind of like explaining the rules of cricket to a baseball fan.
And, it’s enough to make many companies grow complacent in thinking that PCI compliance is as straightforward as conducting a vulnerability scan. Or answering the card providers’ SAQ (self-assessment questionnaire.) Or encrypting credit card information. Or batch-processing credit card payments using secure socket-layer data transfer mechanisms. Or even implementing a tokenization process without a corresponding order page hosted by a payment gateway provider.
The risks and costs associated with PCI complacence are huge. If a merchant suffers a breach or is determined to not be PCI compliant, the associated bank and credit card fines can range from $5,000 to $500,000. VISA, for example, imposes a $50-$90 fine for each cardholder whose data is compromised, regardless of the type of breach. The merchant’s VISA credit card acceptance privileges can also be suspended. On top of this, there’s possible civil litigation from the breached customers.
We live in a litigious world. When data breaches occur, the responsible merchants become prime targets for legal action, especially those who have not followed the PCI standards. Over ten years ago, TJX paid over $40 million for a data breach that affected more than 100 million credit cards. More recently, the breach that exposed Target’s 110 million credit and debit card customers cost the company well over $100 million in legal expenses.
Then there’s the indirect costs. Target, TJX and other retailers suffered a serious loss in reputation, trust and customer loyalty resulting from their data breaches. For media companies – which rely as heavily as any business on credibility, trust, local reputation, and the loyalty of readers and advertisers – the brand damage costs could prove fatal.
An in-depth March 2015 PCI Compliance study by Verizon found that 80% of businesses fail their first PCI compliance assessment. Furthermore, only 29% of companies remain fully compliant less than a year after being awarded their PCI compliance certificate. Even scarier, almost 70% of consumers say they are less inclined to do business with an organisation that has been breached.
So, what is the best advice for publishers and media executives looking to ensure the complete integrity of their customer’s payment data through PCI compliance?
We asked Bob Larson, Newscycle Product Marketing Manager and longtime newspaper industry circulation and digital payment expert. “Publishers must take steps to make their processes free of credit cards altogether,” says Larson. “There is no need for complex encrypting of credit card data because a media company can operate without ever touching, storing or transmitting a credit card within its payment process.”
This advice touches on the whole in-scope, out-of-scope issue. According to Larson, “Being out-of-scope for PCI involves using a ‘hosted order page’ or HOP with your credit card processor. A HOP is a data entry screen provided by the credit card processor that is invoked whenever there is a request to process a credit card payment.”
By implementing a payment gateway solution that uses a HOP, a media company never enters any credit or debit card information in any of its circulation, advertising or other commerce systems. As Larson explains it, “The credit card processor takes the credit card data and stores it in their secure vault, verifies its validity, and returns a token. The token is a meaningless string of numbers that a publisher stores in its systems for future payment transactions. The token is sent back to the processor who matches it with the actual credit card information in the vault, and processes the payment. As a result, the publisher is as safe as possible when it comes to credit card malfeasance, and the media company is not subject to PCI auditing.”
PCI complacent? PCI compliant? A better option is to become PCI exempt. By never actually processing or storing sensitive customer payment information, a publisher’s PCI DSS obligations are significantly reduced. And, that’s the big benefit of a HOP solution in this confusing out-of-scope, in-scope world of PCI compliance.
To learn more about the various payment gateway and HOP options available for Newscycle Solutions’ circulation and advertising system customers, please visit www.newscycle.com/pci or write to firstname.lastname@example.org.
When it comes to digital transformation in the news media industry, there’s no need to belabor the backstory. It started back in the day when our publishers told us, “We need to get on the web, pronto.” This was circa 1995, when people still said “pronto” and some of us actually used the phrase “information highway” to describe this new internet thing. read more
For companies considering a new content management system, the choice often comes down to a decision between proprietary and open source. For those companies that prefer open source content management solutions, the choice then becomes whether to go with Drupal or WordPress or something else. read more
For more than 20 years, Secure Sockets Layer (SSL) has been one of the most widely-used encryption protocols. It remains in widespread use today despite existence of a number of security vulnerabilities and being deprecated by NIST (National Institute of Standards and Technology) in 2014. According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. read more