What is PCI DSS?
The PCI DSS is a binding standard of all credit card organisations and serves to protect card-accepting companies and buyers from data theft. A prerequisite for effective PCI compliance is that PCI DSS compliance is stipulated as mandatory in the company's general terms and conditions (GTC). In addition, proof must be provided regularly that the company continues to be PCI compliant.
The PCI security standards are based on the respective security rules of the credit card organisations VISA, Mastercard, American Express, Discover and JCB. All businesses that accept credit cards as a payment method are affected by these regulations. A distinction is made between:
- Large merchants and service providers with more than 6 million credit card transactions per year
- Merchants with between 20,000 and 6 million transactions per year
- E-commerce merchants with fewer than 1 million transactions per year
An e-commerce merchant must engage a PCI DSS-certified service provider to process its transactions in order to be able to offer PCI-compliant payment. Banks and savings banks also advise and support merchants here and often offer their own or partner merchant services to carry out vulnerability analyses or on-site security audits.
However, PCI DSS compliance may only be stated in the GTC once all twelve requirements for the company's computer network have been met.
What are the requirements for PCI DSS compliance?
The PCI Rulebook, which every merchant or service provider must comply with, consists of twelve mandatory requirements:
- Installing and regularly updating the firewall to protect data
- Regularly changing system passwords and other security settings, and never using default passwords supplied by vendors or manufacturers
- Protecting stored cardholder data is a top priority. This includes not storing it unnecessarily (e.g. retaining only part of the card number and never PINs or verification codes)
- Encrypted transmission of cardholder data and sensitive information in open networks
- Using and regularly updating recognised anti-virus software
- Development and use of secure systems and applications
- Ensuring that data access is limited to business purposes only
- Assigning each person with computer access their own unique user ID
- Restricting physical access to credit cardholder data
- Recording and monitoring of all access to network resources and credit card holder data
- Regular testing of all security systems and processes
- Establishing and adhering to a company policy that regulates the topic of information security
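Requirement three (do not store cardholder data unnecessarily, and never PINs or verification codes) and requirement ten (record and monitor access) both come down to what a payment application is allowed to keep. The following Python example, added here and not taken from billwerk or the PCI SSC, shows one way to enforce that: a record is stripped of CVV/PIN fields before it is persisted, the card number (PAN) is truncated to a fixed leading and trailing portion, and the same truncation is applied to free-text log lines so that full card numbers never reach the audit trail. The field names, the six-leading/four-trailing truncation policy, the sample record and the sample log line are all constructed assumptions for illustration.

```python
import re

# Assumed retention policy (not from the page): keep at most the first six and
# last four digits of a PAN in any stored or logged value.
KEEP_LEADING = 6
KEEP_TRAILING = 4

# Sensitive authentication data that must never be persisted after authorisation.
SENSITIVE_AUTH_FIELDS = ("cvv", "cvc", "pin", "track_data")

# Matches a run of 13 to 19 digits, optionally separated by spaces or hyphens,
# that starts and ends with a digit (so no trailing separator is consumed).
PAN_PATTERN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def truncate_pan(pan: str) -> str:
    """Return the PAN with only the leading and trailing digits visible."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    hidden = len(digits) - KEEP_LEADING - KEEP_TRAILING
    return digits[:KEEP_LEADING] + "*" * hidden + digits[-KEEP_TRAILING:]


def sanitise_for_storage(record: dict) -> dict:
    """Drop sensitive authentication data and truncate the PAN before persisting."""
    cleaned = {}
    for key, value in record.items():
        lower = key.lower()
        if lower in SENSITIVE_AUTH_FIELDS:
            continue  # never written anywhere
        if lower == "pan":
            cleaned["pan_truncated"] = truncate_pan(value)
            continue  # the full PAN is not retained
        cleaned[key] = value
    return cleaned


def redact_pans_in_text(text: str) -> str:
    """Replace any card-number-like digit run in a log line with its truncated form."""
    return PAN_PATTERN.sub(lambda m: truncate_pan(m.group(0)), text)


# Constructed sample data; the card number is a well-known test value, not a real account.
SAMPLE_RECORD = {
    "customer_id": "c-1001",
    "cardholder": "A. Example",
    "pan": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
    "pin": "0000",
}
SAMPLE_LOG_LINE = "payment attempt with card 4111 1111 1111 1111 declined"


if __name__ == "__main__":
    print(sanitise_for_storage(SAMPLE_RECORD))
    print(redact_pans_in_text(SAMPLE_LOG_LINE))
```

The point of routing both the stored record and the log line through the same `truncate_pan` helper is that there is a single place to audit when the retention policy changes; a tokenisation service provided by a PCI DSS-certified service provider would replace the truncated value entirely, which is the route the page recommends for e-commerce merchants.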
The PCI Security Standards Council offers more detailed resources on the topic.
What does this mean in the subscription economy?
In addition to digital payment methods such as SEPA direct debit, PayPal or in-app purchase, credit-card payment is still used by subscription customers in Germany, with a share of approx. 8%, even though its share of the payment methods used is declining in relative terms (see also the billwerk whitepaper "Subscription Based Services"). The PCI Data Security Standard must therefore be the basis of every subscription business model in order to maintain a trusting relationship with customers. The special feature of subscription-based business models is the recurring, automated charging process for which the customer has concluded a contract with the company.
So, on the one hand, a subscription provider must ensure convenient payment processing suited to a subscription; on the other hand, the security of the customer's data, and thus keeping the storage of that data to a minimum, has the highest priority.
What are the benefits of PCI DSS?
A company that offers PCI DSS compliant credit card payment not only gains an enormous amount of trust from potential customers, but at the same time opens up the market of customers who prefer to pay by credit card. Start-ups and companies in formation, for example, must be aware that credit card payment can only be offered as an option if they comply with the PCI regulations. What sounds like a lot of bureaucracy also has its good side operationally: many service providers offer an all-round carefree package through which the credit card payment method can be implemented with little technical know-how.
Conclusion: Future-proof security standard
The PCI Data Security Standard is a globally accepted protection for buyers and sellers. Given its integrity and prevalence, there is currently no reason to believe that this will change in the foreseeable future. What will change, however, are the security standards themselves. Ongoing updates to take account of constant external threats are therefore imperative. The rules and checks described must not only be introduced and continuously adhered to, but also updated in a timely manner. Only in this way can customers, and one's own company, be protected from unwanted access and criminal acts.
Therefore, when selecting a subscription management platform, and in the case of any in-house development, pay attention to the PCI DSS compliance of the provider or developer. Ideally, they should be PCI DSS certified.