How merchants can comply with data security standards for online payments

By Shemer Katz | 3 November 2014

All online merchants who process, transmit or store customer credit cards must comply with the Payment Card Industry Data Security Standard (PCI DSS or more commonly known as PCI compliance), a complex and demanding set of requirements for the protection of payment data.

For online merchants to manage their own PCI compliance is a very time consuming, costly and risky business. If a merchant is holding customers’ credit card details on file it makes that merchant far more vulnerable to malicious hackers, whereas if the merchant has outsourced PCI compliance and there are no credit card details on the merchant’s system for a hacker to attempt to steal then risks are greatly reduced.

Outsourcing PCI compliance to third-party payment providers has become an increasingly attractive option for merchants seeking to minimise the scope of their compliance efforts.  A key factor in merchants’ decision making has been the overwhelming complexity of PCI compliance. Working on compliance also means time spent away from profitable activities. It is well known that the cost of an assessment and implementation of in-house Level 1 PCI-related work can cost between $500,000 and $1m per year. Return on investment is why many merchants have begun to look for alternatives.

Having to fend off potential outside attempts at obtaining sensitive payment data, including well organised fraud attacks, has proved to cost even more time and effort than compliance itself, not to mention the legal repercussions in case of failure. When merchants outsource their PCI compliance, they cease to have value in the eyes of hackers and fraudsters. As all the card data is processed and stored by a third-party provider, hackers then start going after the providers, who are likely to have more robust security in place, and therefore are less likely to target the merchants.

For an online merchant it is important to reduce the red tape involved with PCI, to minimise risk and to reduce PCI scope (the regulatory protocols regarding the handling of customer card data). If properly done, outsourcing reduces or eliminates PCI scope, and minimising scope is the simplest way to achieve PCI compliance.

Merchants need to choose an outsourcing PCI partner carefully, otherwise they may not achieve the PCI benefits they were aiming for. If a merchant’s partner fails to meet PCI standards, that merchant is still responsible for PCI. Merchants need to make sure they are working with a reputable PCI outsourcing provider which is properly certified and uses the latest technology. Some companies claiming to offer PCI de-scoping (outsourcing) fail to indemnify the merchant against all PCI risk, and often leave customer credit cards records touching some of the merchant’s servers, so in effect the merchant is only partially covered. Ideally a merchant needs to take all their servers out of PCI scope, as basically any part of the merchant’s system which processes, stores or transmits cardholder data comes under PCI regulations. Another important consideration is the high availability of the service (repeat users will not be able to get service while the outsourcer service is not available).

This is the responsibility shift. A well-equipped outsourcing partner will handle transmission of data from end users to servers, and process all payments which includes encryption, decryption, BIN analysis, validation etc, all on a merchant’s behalf.  To protect the data, a competent outsourcer will use various mechanisms. One such mechanism is a robust risk management platform that uses fraud algorithms and a huge negative database built over many years.

Another way in which an outsource provider can remove a merchant from PCI scope is by the use of tokenisation whereby a customer’s card details (the primary account number – PAN) are replaced by a token that has no exploitable meaning or value, and takes the place of the card details. With tokenisation if a hacker were to gain entry to the merchant’s system all he/she would get would be the token which is going to be of no use as the hacker has no means of de-tokenization.

With an expert partner, outsourcing can easily lead to increased payment conversion and repeat user retention.


By Shemer Katz, General Manager, SafeCharge Israel

Become a bobsguide member to access the following

1. Unrestricted access to bobsguide
2. Send a proposal request
3. Insights delivered daily to your inbox
4. Career development