PCI compliance is compulsory for every e-Commerce merchant that accepts credit or debit card payments on its website, because all the information customers enter is private and sensitive data and must be well protected.
If you accept, store, process, or use credit card data in your business, you are subject to PCI DSS compliance requirements. In early September, there was a massive cyber security incident at Equifax, which may have exposed private information belonging to 143 million people. Equifax is a consumer credit reporting agency and one of the big three credit bureaus in America.
The Equifax breach is among the worst because hackers were able to steal social security numbers, birth dates, addresses, driving licence numbers and credit card numbers. Equifax has confirmed that 209,000 US consumers’ credit card numbers were taken. Hackers are becoming more experienced and advanced in their tactics, and some of the most defenceless organizations are call centres. Why might call centres be the most defenceless? When you phone a call centre, the agent usually uses private information to verify whom they are speaking with, and they can process payments over the phone. The consequences of a data breach can hurt even big businesses and cost them customer trust. This is why organizations must invest in security measures to protect their customers’ data.
In Malaysia, the Personal Data Protection Act 2010 (Act 709) is an Act to regulate the processing of personal data in commercial transactions and to provide for matters connected therewith and incidental thereto. The Personal Data Protection Act 2010 (‘PDPA’) was passed by the Malaysian Parliament on 2 June 2010 and came into force on 15 November 2013. The PDPA comprises seven key principles that must be adhered to in order to protect the integrity of personal data. With these principles in place, users and e-Commerce players need to be more cautious, and confident that their personal information is well protected, or else they will face penalties. The infographic below shows a few of the penalties.
Other than penalties, companies also face other consequences when they fail to protect their customers’ payment information, such as:
1. PR crisis
Other than the financial penalties shown above, stores will also face a PR crisis. For example, if your store or business name is in the news for losing sensitive customer information such as credit card numbers to hackers, the number of customers who shop at your store will drop, as they will no longer feel secure and will trust you less.
2. Loss of merchant account
Banks and payment processors (Visa and MasterCard) will take your merchant account away due to the breach of security. Without a merchant account, your business will no longer be able to accept payments online. Your business information will also be registered on a blacklist.
3. Legal dispute
If you lose your customers’ credit card information to hackers, the customers have the right to sue your company for breaching the PDPA. In Malaysia, customers will use the Personal Data Protection Act 2010 (Act 709) to sue you for negligence.
One way that merchants, organizations and banks can protect their business is by implementing a reputable payment solution provider that is compliant with PCI DSS Level 1.
Why do you need a PCI-DSS compliant payment solution provider?
Many new e-Commerce business owners put off choosing a payment gateway or terminal system for a long time. That is understandable, as business owners do not want to bring a third party into their business, but how do you know whether a terminal or payment gateway is the right one for you, and which one to choose? The good news is that the right solution can actually simplify your business and reduce hassle. For example, a payment gateway can take on a portion of your company’s Payment Card Industry compliance burden. This eases the merchant’s burden of applying for a PCI DSS certificate and helps avoid the hassle related to auditing.
The right, reputable payment gateway can help e-Commerce owners meet PCI compliance. How? First of all, payment gateways themselves must be certified for PCI compliance. Most payment gateways, like iPay88, have been certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS) at Level 1.
So, one piece of advice for merchants and e-Commerce business owners out there: choose a payment gateway that meets the PCI DSS compliance standard, and look at the pros and cons of each payment gateway before choosing one. You can search the publicly available lists of PCI-compliant service providers on either the Visa or MasterCard website. The list shows providers around the globe and the expiration date of their current certification.
iPay88, a leading and award-winning regional payment company in South East Asia, is fully compliant with the PCI DSS Level 1 standard. In addition to the PCI DSS certificate, iPay88 has an anti-fraud system, “ZepSecure”, to protect customer information and guard against internet fraud. Contact us for a free consultation to learn more about how to minimise your online fraud risk and protect your customer data now.