Kount LogoBLog Against FraudKount Logo

Why PCI Compliance Matters

posted on: Thu Sep 15 2016

Handling payment card data – and the sensitive information associated with it – is a very fragile responsibility, and it’s vital that vendors in the payments industry take proper precautions for account data protection. That’s why, since its founding, Kount has chosen to be certified under the Payment Card Industry Data Security Standard (PCI DSS.) As many online and payment technologies have chosen not to become PCI complaint, we’ve often been asked what makes being PCI compliant so different? What does it take?

PCI Compliant

Well ask no further – we’ve dedicated an entire post on what being compliant means, what it takes, and the benefits of meeting this specific set of security standards put forth by the credit card industry's PCI Security Standards Council.

What it means to be PCI Complaint

The requirements for PCI compliance outlined by the PCI DSS involve protecting payment card data during processing, storage, and transmission, covering everything from technical and operational procedures. These regulations are necessary in protecting cardholder data, and vendors and merchants in the payment card industry that fail to comply can be hit with fines and penalties.

All merchants that accept online payments must adhere to the regulations of PCI compliance in order to provide a secure environment for the customer’s sensitive credit card information. By practicing proper PCI compliance, merchants will also be aided in easing the transaction process. Failing to comply can amount to, in addition to fines and penalties, higher transaction fees or service charges, which will act as a deterrent to the merchant, their customers, or both.

What it takes

Obtaining PCI compliance approval will be a slightly different process based on the size of the merchant, but the overall method is the same. Larger merchants often have more complex IT environments, and in such cases, bringing on a Qualified Security Assessor (QSA) can aid in the approval process. The QSA will perform on-site security assessments required by PCI DSS and can provide expertise in the process.

Here are some of the key features Kount implemented to receive PCI compliance certification:

  • No storage of cardholder data - Kount does not store cardholder data. Instead, all cardholder data is permanently converted to a format not readable by humans, using a SHA-1 hashing algorithm. The hashed values are then transmitted to a secured server. This helps ensure that account numbers can never be compromised
  • Secure application design - No cardholder data is received nor transmitted unencrypted and no personnel have access to cardholder data.
  • Secure infrastructure design - The combination of fault tolerant systems and continuous operations ensures that the availability and security posture of Kount Inc. is never degraded during routine maintenance.

However, for many small and medium businesses, the hiring of a QSA may be an unaffordable expense, and for these merchants, completing a self-assessment may be more appropriate and feasible. For these merchants, PCI DSS provides a Self-Assessment Questionnaire (SAQ), available on the PCI Security Standards Council website, for them to perform an internal assessment, which they will then submit along with the Attestation of Compliance to their acquirer, payment brand, or other requester.

And…the benefits

So after meeting this rigorous criteria, what are the benefits? Kount can reassure its customers that it meets the highest standards in the payment card industry to not only protect account data but also reduce or minimize the threat of data breaches and payment card fraud.  It’s been a way to give our fraud and risk strategy – and that of our customers – a boost.

In today’s age when data breaches are commonplace, it’s just good business. Maintaining PCI compliance allows merchants and payment processors to prevent enormous personal fallout from customers who can lose trust if their data is breached. Merchants and financial institutions will not only lose their business and credibility, but experience severe financial consequences and liabilities.

The full process may differ from business to business, so review the information available on the PCI SSC website. Though the whole process may seem arduous, it is of course both beneficial and necessary in protecting cardholder data and ultimately upholding the bottom line of merchant success! 

Prosecuting the Perps