PCI DSS - How and Why to Obtain a Certificate of Compliance

CUK77
Hello!
We have prepared this post for those who work in e-commerce and plan to accept (or already accept) card payments on their own website. It describes the international PCI DSS data security standard, its basic requirements for the information infrastructure that processes and protects bank card data, the main reasons for passing certification, and what a certified company gains.
PCI DSS (Payment Card Industry Data Security Standard) is the data security standard of the payment card industry. It is maintained by the PCI Security Standards Council, founded by the international payment systems Visa, MasterCard, American Express, Discover and JCB. Any organization that stores, processes or transmits bank card data, including one that accepts card details on its own website, must comply with the PCI DSS requirements; how that compliance has to be validated depends on the organization's level.

There are 4 merchant levels under PCI DSS, which differ primarily in the number of transactions processed per year and in how compliance must be validated:
  • Level 4: fewer than 20 thousand e-commerce transactions per year. Validation requires a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) and an annual Self-Assessment Questionnaire (SAQ).
  • Level 3: from 20 thousand to 1 million transactions per year. Validation again requires the quarterly ASV scan and the annual SAQ.
  • Level 2: from 1 million to 6 million transactions per year. Validation requires the quarterly ASV scan and the annual SAQ. However, after June 30, 2012, to complete the SAQ at this level a company must either send its own employees to the specialized PCI SSC Internal Security Assessor (ISA) training or engage a Qualified Security Assessor (QSA) company.
  • Level 1: more than 6 million transactions per year. Validation is carried out only with the involvement of an independent assessor (QSA), who performs an annual on-site assessment and produces a Report on Compliance, in addition to the quarterly ASV scans. In practice the engagement includes a survey of the company's information infrastructure, the development of the recommendations and regulatory documents needed to comply with the standard, and consulting support during implementation.

We are certified for compliance with PCI DSS requirements every year. For us, as a processing center, compliance with PCI DSS Level 1 is mandatory: the international payment systems impose this requirement on companies providing Internet acquiring services.
Enterprises selling goods or services over the Internet obtain PCI DSS certification for a number of reasons:
  • Conversion. Companies fear losing part of their payments when the buyer is redirected from the cart to a separate payment page.
  • Image. Large companies sometimes do not want the client to leave the company's website for the website of a third party (a bank or processing center) to enter bank card details.
  • Technical requirements. The company needs to build its own payment processing scheme, tailored to the specifics of its business.

PCI DSS certification allows a company to work with banks directly, through the payment interfaces of the bank and of the Internet enterprise itself, so the buyer never leaves the merchant's site. In addition, building your own payment system lets you work with several banks at once, "balancing" traffic between them, and build a system of "cascading" payments. In a "cascade" payment, authorization is attempted sequentially at several banks and processing centers, which can significantly reduce the share of rejected transactions.
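The cascade described above, written out as an added example (this is illustrative code, not PayOnline's or any bank's routing logic). The acquirers are constructed stand-ins, and the split of decline reasons into "retriable" and "final" is an assumption for the example: each acquirer publishes its own response codes and the mapping has to be built from those. The practical point the code encodes is that a cascade should stop on a final decline (a card reported lost or stolen will not be approved by the next bank either) rather than blindly re-presenting the card everywhere.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed decline classes. Only technical/soft declines are worth retrying at
# the next acquirer; anything else (including unknown reasons) ends the cascade.
RETRIABLE = {"issuer_unavailable", "timeout", "acquirer_error"}
FINAL = {"lost_or_stolen", "fraud_suspected", "invalid_card", "insufficient_funds"}


@dataclass
class AuthResult:
    acquirer: str
    approved: bool
    reason: str                       # "approved" or one of the decline classes
    auth_code: Optional[str] = None   # issuer authorization code on approval


Authorizer = Callable[[dict], AuthResult]


def cascade_authorize(payment: dict, route: List[Tuple[str, Authorizer]],
                      max_attempts: int = 3) -> Tuple[Optional[AuthResult], List[AuthResult]]:
    """Authorize `payment` at each acquirer in `route` in turn.

    Returns (approval or None, full attempt history). Stops at the first
    approval, or at the first decline that is not in RETRIABLE: re-presenting
    a card the issuer has already refused outright only adds declined attempts
    to the merchant's statistics. Unknown reasons are treated as final.
    """
    history: List[AuthResult] = []
    for _name, authorize in route[:max_attempts]:
        result = authorize(payment)
        history.append(result)
        if result.approved:
            return result, history
        if result.reason not in RETRIABLE:
            break
    return None, history


def scripted_acquirer(name: str, reason: str) -> Authorizer:
    """Constructed stand-in for a bank's authorization API; always answers `reason`."""
    def authorize(payment: dict) -> AuthResult:
        ok = reason == "approved"
        code = f"{name}-{payment['order_id']}" if ok else None
        return AuthResult(name, ok, reason, auth_code=code)
    return authorize


def demo(first_reason: str) -> Tuple[Optional[str], List[str]]:
    """Route a constructed payment through bank_a (answering `first_reason`) then bank_b (approving)."""
    payment = {"order_id": "A1001", "amount": 2500, "currency": "RUB"}  # constructed
    route = [("bank_a", scripted_acquirer("bank_a", first_reason)),
             ("bank_b", scripted_acquirer("bank_b", "approved"))]
    result, history = cascade_authorize(payment, route)
    return (result.acquirer if result else None), [h.reason for h in history]


if __name__ == "__main__":
    for reason in ("approved", "issuer_unavailable", "lost_or_stolen"):
        print(reason, "->", demo(reason))
```

A soft decline at bank_a ("issuer_unavailable") falls through to bank_b and is approved there; a hard decline ("lost_or_stolen") ends the cascade after one attempt. The attempt history is what feeds the anti-fraud statistics discussed later in the post.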

But working with banks independently gives the company more than the freedom to adapt the payment system "for itself". It also obliges the company to take on the fight against fraud when processing bank card data on its website. In other words, the company has to build its own system for monitoring and blocking fraudulent transactions (anti-fraud). The task of the anti-fraud system is to filter out transactions identified as fraudulent by a number of indicators (for example, the country of the issuing bank does not match the country the payment is made from or the payer's country of residence).

While the anti-fraud system is being built and tuned, a great deal of time goes into collecting and analyzing data on bank card transactions. The purpose of this collection is to identify the hallmarks of fraudulent transactions, and while the statistics are being gathered the company will have to deal with a large volume of chargebacks.
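An added example of the kind of rule-based filter the two paragraphs above describe (illustrative code, not PayOnline's anti-fraud system). It implements the issuer-country indicator from the text plus two indicators a practitioner would add first: velocity (the same card or IP hammered within a short window, the pattern of card testing) and a high-amount rule. The BIN-to-country table, the rule weights, the thresholds, the amount limit and the sample transactions are all constructed assumptions; in a real deployment the weights are tuned on the merchant's own chargeback history, exactly the data collection the text describes. The velocity store is keyed on a hash of the PAN rather than the PAN itself, because PCI DSS requires stored PANs to be rendered unreadable.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed BIN -> issuing-country table (assumption; real BIN data comes
# from the card schemes or the acquirer and must be kept current).
BIN_COUNTRY = {"411111": "US", "510510": "DE", "400000": "RU"}

# Illustrative weights and thresholds; tune on real chargeback data.
WEIGHTS = {
    "unknown_bin": 20,
    "issuer_vs_ip_country": 30,
    "issuer_vs_billing_country": 25,
    "card_velocity": 40,
    "ip_velocity": 25,
    "high_amount": 15,
}
REVIEW_AT, DECLINE_AT = 30, 60
VELOCITY_WINDOW = timedelta(hours=1)
MAX_ATTEMPTS_PER_CARD = 3
MAX_ATTEMPTS_PER_IP = 5
HIGH_AMOUNT = 50000   # in minor currency units (kopecks), assumption


def card_key(pan: str) -> str:
    # Never keep the full PAN in the anti-fraud store: key on a one-way hash.
    # Production systems use a keyed/salted hash; plain SHA-256 here for brevity.
    return hashlib.sha256(pan.encode()).hexdigest()


class FraudFilter:
    def __init__(self) -> None:
        self._by_card: Dict[str, List[datetime]] = defaultdict(list)
        self._by_ip: Dict[str, List[datetime]] = defaultdict(list)

    def _recent(self, bucket: Dict[str, List[datetime]], key: str, now: datetime) -> int:
        """Count attempts for `key` inside the window, dropping expired ones."""
        cutoff = now - VELOCITY_WINDOW
        bucket[key] = [t for t in bucket[key] if t > cutoff]
        return len(bucket[key])

    def check(self, tx: dict) -> Tuple[str, int, List[str]]:
        """Score one authorization attempt; returns (decision, score, triggered rules)."""
        now = tx["ts"]
        hits: List[str] = []
        issuer = BIN_COUNTRY.get(tx["pan"][:6])
        if issuer is None:
            hits.append("unknown_bin")
        else:
            if issuer != tx["ip_country"]:
                hits.append("issuer_vs_ip_country")
            if issuer != tx["billing_country"]:
                hits.append("issuer_vs_billing_country")
        ck = card_key(tx["pan"])
        if self._recent(self._by_card, ck, now) >= MAX_ATTEMPTS_PER_CARD:
            hits.append("card_velocity")
        if self._recent(self._by_ip, tx["ip"], now) >= MAX_ATTEMPTS_PER_IP:
            hits.append("ip_velocity")
        if tx["amount"] > HIGH_AMOUNT:
            hits.append("high_amount")
        # Record the attempt only after scoring, so the first attempt is not self-counted.
        self._by_card[ck].append(now)
        self._by_ip[tx["ip"]].append(now)
        score = sum(WEIGHTS[h] for h in hits)
        decision = "decline" if score >= DECLINE_AT else "review" if score >= REVIEW_AT else "accept"
        return decision, score, hits


def sample_run() -> List[Tuple[str, int, List[str]]]:
    """Run constructed transactions through the filter: one clean payment,
    one with issuer/geo mismatch and a large amount, then the clean card retried
    four times within minutes (card-testing pattern)."""
    f = FraudFilter()
    t0 = datetime(2012, 6, 1, 12, 0, 0)
    clean = {"pan": "4111111111111111", "ip": "203.0.113.5", "ip_country": "US",
             "billing_country": "US", "amount": 4990, "ts": t0}
    mismatch = {"pan": "5105105105105100", "ip": "198.51.100.7", "ip_country": "RU",
                "billing_country": "US", "amount": 120000, "ts": t0}
    results = [f.check(clean), f.check(mismatch)]
    for i in range(4):
        results.append(f.check({**clean, "ts": t0 + timedelta(minutes=i)}))
    return results


if __name__ == "__main__":
    for decision, score, hits in sample_run():
        print(decision, score, hits)
```

The clean payment is accepted; the German-issued card paying from Russia with a US billing address and a large amount is declined on three rules; the clean card is accepted twice more and then sent to review once its third attempt inside the hour trips the card-velocity rule. Transactions landing in "review" are the ones the text suggests handing to a processing center's risk specialists.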

Building your own anti-fraud system is logical and financially justified for companies with a large turnover of card payments. For them, flexibility and complete control over the payment filtering system are critical, and such a company can afford to dedicate resources to the ongoing development of the technologies and tools of its own "mini processing center".

It should be noted that for risk monitoring it is hard to find a better service provider than a processing center. Because it serves many clients across many business sectors, a processing center (PC) has an extensive history of monitoring and filtering transactions. Even a company that is building its own anti-fraud system can hand questionable transactions to the processing center's internal risk specialists for review.

To make an informed decision about how to process bank card data, you need to evaluate every component of the process, from submitting documents to supporting cardholders. To make that decision easier, we compared the two main approaches to receiving and processing card data: the data is entered on a third-party site (for example, the PC's secure payment page), or the data is entered on the company's own website and the payment is then authorized at the bank.

Comparison of the two approaches. "Own website" means bank card data is entered on the company's website and the payment is then authorized (for example, at a bank); "PC page" means bank card data is entered on a third-party website (for example, the secure payment page of the processing center).

PCI DSS
  • Own website: certification for compliance with PCI DSS requirements is mandatory.
  • PC page: certification is optional.

Connection
  • Own website: to accept payments directly, you need to connect to the bank yourself. The bank's decision depends, among other things, on the company's turnover.
  • PC page: to connect, you hand a package of documents to a personal manager, who interacts with the bank and prepares the agreement.

Commission
  • Own website: the commission the bank charges for processing payments starts from 2% of the transaction amount and depends on the company's turnover and line of business. The rate a client gets from the bank directly is often the same as the rate offered through the PC, because the processing center works on "wholesale" terms and provides a high level of transaction monitoring, which the bank values.
  • PC page: the commission the PC charges for processing payments and a range of additional services starts from 2.5% of the transaction amount and depends on the company's turnover and line of business.

Accounting
  • Own website: the company interacts with the bank on accounting and settlements itself. Preparing reports requires active work with the bank and building your own billing system.
  • PC page: the PC's billing system lets clients keep online accounts of their transactions and download accounting documents (act, detailed statement of the PayOnline system, invoice) from the personal account interface.

Payer support
  • Own website: to give payers qualified support you need your own call center or a third-party service (from 25,000 rubles per month for one specialist). If you already have a call center, its staff need additional training for working with cardholders, and the call center infrastructure (software, telephony) has to be built.
  • PC page: cardholders paying in your online store are supported by the PC's call center specialists.

Transaction monitoring
  • Own website: transactions must be monitored by qualified staff of the e-commerce company that processes the card data. A risk specialist's salary starts from 35,000 rubles per month.
  • PC page: transaction monitoring, including the software for it, is done by the PC's Risk Department.

Hardware
  • Own website: investment in servers is required to be certified and secure. The amount depends on the certification level and the proposed infrastructure.
  • PC page: no additional spending on the server side, since transactions are processed on the PC's secure servers.

Development
  • Own website: to accept payments yourself you need to develop or buy a billing system, including services for secure data transfer to the bank, secure payment forms and additional interfaces. A highly qualified specialist is needed permanently, at a cost of at least $1000 per month.
  • PC page: connecting to the processing center requires a one-time engagement of a developer to implement the payment form on the company's website. If needed, a branded payment form is developed by PC specialists.

Accepting payments on the site (without redirecting to a third-party resource)
  • Own website: you process bank card data on your website without any redirect.
  • PC page: payments can be accepted without a visible redirect to the PC site by embedding the PC's payment page in an IFrame.

Thus, if a company intends to pass PCI DSS certification and process bank card data on its site itself, all PCI DSS requirements apply to it. They cover security at the level of networks, hardware, applications, databases, physical storage, documentation and process control. And, as noted above, building the anti-fraud and billing systems is a difficult and time-consuming task that the company also performs on its own.

Companies that work only through a payment gateway and do not accept customers' card data on their own site are subject only to the requirements of the processing center's (payment gateway's) Risk Department. These concern the e-commerce site itself, the accuracy of its content and price offers, and the company's legal form.

If you have questions after reading this post, write them in the comments. Evgeny Bezgodov (aka Bezgodov), executive director of Deiteriy, CISA, PCI QSA, will answer from the side of the auditor and PCI DSS requirements specialist. From the side of the payment gateway, as always, the specialists of the PayOnline processing center are on hand.