Simplifying PCI: What are the risks and how can merchants remove the burden of compliance?

18 / 01 / 2024

Payment Card Industry PCI requirements are a minefield of acronyms and, for many merchants, it can be difficult to understand exactly what they need to do to ensure they are compliant In brief, the PCI standards are a security compliance frameworks that merchants must maintain in order to take physical and or digital card payments either in store, online or on their mobile. Without PCI compliance, merchants will not be able to work with an acquirer and may also be fined by the card schemes including Visa and Mastercard.

4 min.

cheerful shop owner scanning a credit card

Please note that the  type of reporting required depends on the total volume of card transactions processed by the merchant annually online and in store.

There are a number of different standards that merchants should be aware of: 

  • PIN Transaction Security (PCI PTS) covers physical payment terminals.
  • Data Security Standard (PCI DSS) for ”environments” – entities that process card data including both Merchants and Service Providers.
  • Point to Point Encryption (P2PE) for services that are used by merchants to reduce their PCI scope.
  • MpoC/CPoC/SPoc (“COTS” solutions) for services that allow merchants to use Consumer Off The Shelf devices such as phones and tablets to take payments in a secure manner.

Merchants must manage their payment assets securely, ensuring cardholder data is secured. To do this, they may use a PCI Point to Point Encryption (P2PE) solution. This refers to the process of card data being encrypted at source on a PTS certified payment terminal and staying encrypted until reaching the P2PE service provider systems. By utilising a PCI P2PE solution, the merchant’s PCI compliance burden is much reduced. This reduction only applies to merchants using certified P2PE solutions listed on the PCI Council website: Official PCI Security Standards Council Site – PCI P2PE Solutions.

young asian woman shopping online for flight tickets on airline website with laptop entering credit card details

Worldline has a dedicated support team to assist our merchant partners with any questions or concerns, but there are some of the frequently asked questions and queries we hear from merchants.

What are the potential risks of PCI compliance for merchants?

Not complying with PCI regulations can result in fines and extra costs when processing card payments. However, even more importantly, if a merchant is a victim of a data breach which exposes card holder data and is not PCI compliant, then they may receive even larger fines and be subject to even more stringent compliance obligations.

What are the complexities involved with ensuring PCI compliance?

Compliance must be maintained at all times and reported every year. The PCI standards themselves also evolve every three years. As a result, merchants must remain continually vigilant to remain compliant in a system that is necessarily fraught with complexities. Large merchants may need to engage a Qualified Security Assessor (QSA) or employ an Internal Security Assessor (ISA) who is trained to assess and validate those merchants to comply with all the requirements in the prevailing version of the standard. To maintain these requirements, the merchant may have to put in place measures including network scans, penetration tests and staff training, while ensuring their payment devices are also managed properly. The cost and effort of maintaining a PCI-compliant environment can be significant.

How can Worldline Retail Suite help simplify the PCI minefield?

Our payment gateways, for both in-store and online transactions, have met the highest level of PCI DSS scrutiny and compliance for many years. In addition, our store payment gateway was one of the first to be listed as PCI P2PE compliant. Therefore when a merchant uses our P2PE solution, the burden reduces from meeting all of the requirements to filling in a short self-assessment questionnaire as card data has been removed from the merchant environment.

On top of easing their security fears, merchants can benefit from CRM tokens, which act as a substitute for the actual card number so that merchants can track and understand their customers' behaviours, both online and in-store without needing to protect the valuable data related to the actual card used. When a customer shops online a merchant would have access to a lot of customer information such as name and email address to track spend and behaviour. With our solution, when a customer shops in-store using the same card, merchants can similarly track their behaviour giving valuable insight into how customer spending evolves and responds to changes over time. Of course, any customer data will need to be managed according to GDPR.

How else can merchants make sure their customers have a secure, yet swift payment experience?

Merchants can only use a provider that is PCI compliant but just as important the provider needs to have the ability to offer a reliable, fast and scalable platform. Reliability is imperative so that transaction behaviour can be monitored to detect anomalies. For example, the ability to compare the current number of transactions declined on the same day in a previous week enables merchants to detect problems with either a specific store or elsewhere in the transaction processing before the merchant’s head office even notices the issue. 

Speed is increasingly important in a digital climate where consumers expect to make purchases almost instantly. It is critical therefore to have scalability that enables merchants to expand problem-free when they gain new customers, open new stores or move into the online or mobile domains.