Today we continue our theme of looking at the services provided by full-service fulfillment companies. This post covers payment processing and PCI compliance.
Payment processing is an area of order fulfillment with fewer, but considerably more tricky, options than we talked about in the Order Management article last week. Some fulfillment providers simply do not get involved with payment processing because of the risks and regulations.
A website owner needs to decide what forms of payment to accept. The most common options are checks and credit cards, although options have expanded to include digital cash, smart cards, electronic checks, and other technologies. We will talk more about these options in a later post.
Credit card payments are accepted either through merchant accounts or through third-party providers (also known as payment gateways) such as PayPal, Authorize.net, or Intuit. Both options have merit, and the costs vary greatly according to provider and order volume.
Being involved with payment processing means that a fulfillment services provider must be compliant with a standard called the Payment Card Industry Data Security Standard (PCI DSS). The standard was created to reduce the potential for fraud by increasing the controls around cardholder data. Annual validation of compliance is mandated for large processors.
There are six main requirements for PCI compliance. The vendor must:
1. Build and maintain a secure network
- Install and maintain a firewall configuration to protect cardholder data.
- Not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect cardholder data
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
3. Maintain a vulnerability management program
- Use and regularly update anti-virus software.
- Develop and maintain secure systems and applications.
4. Implement strong access control measures
- Restrict access to cardholder data by business need-to-know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
5. Regularly monitor and test networks
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
6. Maintain an information security policy
- Maintain a policy that addresses information security.
PCI compliance is an important conversation to have with a fulfillment services provider. What steps are being taken to protect your clients’ information? Is data sent only over secure FTP sites? Are computers monitored for malware? Is staff trained to handle confidential information?
Data breaches are serious, and the security of customer payment data is directly related to the image of your brand, the retention of your customers, and the sustainable profitability of your business. Don’t leave it to chance.