Thanks to the PCI Data Security Standard, it is relatively safe for people to use their credit cards when they shop online.
This wasn’t always the case.
In the early days of e-commerce, online shops were forging new territory. Payment options were not always accessible or easy to implement.
Before PCI Compliance: The Story of CyberCash
One of the first companies to provide an online payment solution was CyberCash, Inc. The company was among the first to come up with the concept of an “online wallet” and helped pioneer secure online transactions. It is in no small part due to CyberCash that secure online shopping and secure payment transactions exist today.
Despite their efforts, CyberCash had problems. They were allegedly hacked in 2000, though the company denied it. In that same year a Y2K bug in their software hit merchants, despite the company’s preparations for it: users simply had not installed the updated software.
CyberCash went bankrupt in 2001, and its assets were acquired by VeriSign, whose payment gateway business was in turn bought by PayPal in 2005.
Part of the issue with CyberCash may have been that implementing the solution was not easy. It was certainly not a “plug and play” solution; setting up the CyberCash payment system required real technical knowledge.
Back in those days, small business owners usually had to hire a website designer to create a website. Hosted website solutions with easy-to-use templates were simply not an option.
WordPress, a very popular free and open-source content management solution, was not even launched until 2003.
Before then, using something like CyberCash, even though it was designed for online business, was still difficult.
What Insecure Credit Card Transactions Can Look Like
Because of these difficulties, many small businesses simply did not handle credit card data securely. Many people today would be shocked to learn that some small online shops collected credit card numbers with no protection at all.
One method was to have the shopping cart software on the website simply send the full card number, unencrypted and in plain text, in an ordinary email. Staff would then pull the numbers out of the mailbox and process them manually.
This was only slightly more secure than writing a credit card number on the back of a postcard: the number was readable in transit and in every mailbox and mail server it passed through or sat in.
While not necessarily common, this practice was unfortunately still in use in the mid-2000s.
The Creation of PCI Compliance Guidelines
As online fraud and stolen credit card data became more and more of a problem, the credit card industry took action.
On December 15, 2004, the first version of the PCI Data Security Standard (PCI DSS 1.0) was released. It was created jointly by the major card brands, which until then had each run their own merchant security programs; the Payment Card Industry Security Standards Council (PCI SSC), the body that maintains the standard today, was formed by those brands in 2006.
The PCI standard has guided the development of e-commerce for more than a decade and continues to evolve. In April 2016, version 3.2 was released.
PCI compliance is not mandated by federal law; it is a contractual obligation that the card brands and acquiring banks impose through their merchant agreements, so no matter how big or small your business is, you are expected to abide by the guidelines.
Fortunately, this is much easier today than it was in the days of CyberCash. Many e-commerce tools incorporate security and compliance, so much of the technical burden is handled for you. Other companies provide compliance support for developers building custom applications.
Amazon’s AWS, for example, is itself assessed against PCI DSS as a Level 1 service provider and makes its attestation of compliance available to customers through AWS Artifact. The caveat that applies to any cloud provider still holds: the provider’s compliance covers the underlying infrastructure, and the customer remains responsible for the applications and cardholder data it runs on top of it.
12 Official Requirements for PCI Compliance
The official requirements for PCI compliance apply to both small and large companies. They include:
- Installation and maintenance of a firewall configuration that protects cardholder data
- No vendor-supplied default passwords or other default security parameters
- Protection of stored cardholder data (store only what you need, and render the card number unreadable wherever it is stored)
- Encryption of cardholder data in transit across open, public networks
- Protection of all systems against malware, with regularly updated anti-virus software
- Development and maintenance of secure systems and applications
- Access to cardholder data restricted to those with a business “need to know”
- Identification and authentication of every user who accesses system components (unique IDs, not shared accounts)
- Restriction of physical access to cardholder data
- Tracking and monitoring of all access to network resources and cardholder data
- Regular testing of security systems and processes
- Development and maintenance of an information security policy that covers all personnel
While that list may seem overwhelming, these days it is much easier to satisfy than CyberCash used to be to set up.
Most small businesses can simply use a PCI-compliant hosted shopping cart or payment page, so that card numbers never touch their own servers; this covers most of the technical requirements. The merchant still has to attest to compliance each year (for a fully outsourced setup this is the short Self-Assessment Questionnaire A) and must keep the pages that redirect to or embed the payment form from being tampered with. The information security policy can be developed from a boilerplate.
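As an added example (not code from the original article or from any shopping-cart vendor), here is a small Python scanner that demonstrates the check a practitioner would run against the plaintext-email practice described above and against the requirement to protect stored cardholder data: it finds card numbers (PANs) in free text such as mailboxes, application logs or database dumps, uses the Luhn checksum to weed out order numbers and other long digit strings, and masks each hit to the first six and last four digits, the most PCI DSS permits to be displayed (requirement 3.3). The sample email body is constructed for this example, and the card numbers in it are the publicly documented test numbers (4111 1111 1111 1111 and so on), not real accounts.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812). Every real PAN passes it; most other
    digit strings (order numbers, phone numbers, timestamps) do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits
    may be shown (PCI DSS requirement 3.3)."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict[str, object]]:
    """Return every Luhn-valid PAN in text, with its offset and masked form.
    The full PAN is deliberately not part of the result, so the scanner's
    own report cannot become yet another plaintext copy of the number."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"offset": m.start(), "masked": mask_pan(digits)})
    return findings


def redact_pans(text: str) -> str:
    """Return a copy of text with every Luhn-valid PAN replaced by its masked
    form; digit strings that fail the checksum are left untouched."""
    def _mask(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample: the kind of order notification the article describes.
# The card numbers are publicly documented test numbers, not real accounts.
SAMPLE_EMAIL = """\
Subject: New order #1234567890123
Customer: J. Doe
Card: 4111 1111 1111 1111 exp 12/25
Backup card: 5555-5555-5555-4444
Amex: 378282246310005
Mistyped card: 4111 1111 1111 1112
Order ref: 1234567890123
"""

if __name__ == "__main__":
    for hit in find_pans(SAMPLE_EMAIL):
        print(f"PAN at offset {hit['offset']}: {hit['masked']}")
    print(redact_pans(SAMPLE_EMAIL))
```

Masking is only the display rule; the stronger fix for stored data (requirement 3.4) is not to hold the PAN at all and let the payment gateway hand back a token, which is what a hosted cart does for you. Running a scanner like this over mailboxes, log directories and database exports is how you confirm that nothing like the old email-the-card-number practice is still quietly in place.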
PCI Compliance Can Actually Help Your Business
While compliance involves meeting high standards, it can actually benefit your business.
It doesn’t help your company if credit card fraud becomes the norm. Fraudsters who submit stolen card numbers to your shopping cart can walk away with goods and services, leaving you with chargebacks and lost revenue, and a breach of card data held by your shop adds fines, forensic investigations and reputational damage on top of that.
By following the rules set by the Payment Card Industry Security Standards Council, your business has much greater protection from hackers and other fraudsters online. For that reason, selecting a shopping cart with built-in PCI compliance is to your advantage.