These security standards were created to help prevent credit card fraud and hacking and to help protect against other security threats that a merchant or payment processor might face.

Does PCI apply to my business?

If your business accepts credit cards, then yes, you must comply with the PCI standards. Anytime anyone stores, processes or transmits credit card data, the standards apply.

What if I don’t comply with PCI standards?

According to the PCI Compliance Guide:

“The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.  Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business. ”

What’s involved in PCI compliance?

There are four different levels of PCI compliance:

• Level 1 PCI compliance is the most intense and expensive level to maintain. Level 1 PCI compliant companies are very large companies who process more than 6 million major credit card transactions per year. Payment gateways (e.g., Intellivative, PayPal, Verisign, Cybersource, etc.) and other payment solution providers typically are subject to this level of scrutiny.
  • Level 1 PCI certification requires an annual on-site security audit and quarterly system perimeter scans.
  • If you are a large merchant who outsources their payment processing to a Level 1 PCI compliant company (like Intellivative), the effort required to validate compliance may be significantly reduced.
  • ApprovedPayments is a sales outlet for Intellivative Payment Solutions. Intellivative consistently maintains Level 1 Compliance and offers cardholder data management features to minimize clients’ exposure to risk and greatly reduce the expense associated with validating compliance.
• Level 2 PCI compliance applies to merchants who process 150,000 to 6,000,000 major credit card company transactions per year. Level 2 compliance typically requires quarterly system perimeter scans and an annual compliance questionnaire (unless you employ a payment processor who is Level 1 Compliant).
• Level 3 PCI compliance is for merchants who process 20,000 to 1 million eCommerce transactions per year.
• Level 4 is for merchants who process less than 20,000 eCommerce transactions each year or who process up to 1 million transactions per year.

Regardless of size, any company that has had a security incidence may be subject to a higher level of compliance.

If I outsource my payment processing, I’m covered, right?

Not entirely. Outsourcing simplifies the process, but it doesn’t mean you’re automatically PCI compliant. You will still need to have sound policies and procedures for cardholder transactions and data processing and storage. Your business policies should cover how to protect cardholder data, and how to process charge backs and refunds. Also, make sure ALL the vendors that have access to sensitive cardholder data are PCI compliant, including your gateway, your shopping cart, your credit card terminal, etc.

Where can I learn more about PCI?

• Visit the PCI Security Standards Council
• See the PCI FAQs and Myths on PCI Compliance Guide
• Register for the PCI Knowledge Base
• Review the Visa® or Mastercard® payment data security information

Is ApprovedPayments PCI Compliant?

ApprovedPayments is a sales outlet for Intellivative Payment Solutions, which are fully PCI Level 1 compliant.

Apply today for a no-obligation quote for our PCI Level 1 compliant solutions.

Fraudulent orders can cost your business:

• the cost of the goods
• any shipping costs incurred
• cost of the employee’s time to process the chargeback
• the chargeback fee

Before you decide fighting fraud is important, however, consider what a fraudulent order costs your business vs. how much you make on each sale. If you are shipping physical merchandise where the cost of goods sold is significant, fraudulent orders are going to be more painful for you and fraud management is more important. On the other hand, if you are a business that offers an intangible product or service like music downloads, a fraudulent order may not cost you much. If the cost of a fraudulent order is negligible compared to what it would cost you to lose a legitimate sale, you may not want to worry so much about chargebacks and fraud. Security magazine offers an excellent article detailing this principle.

But if fraud is hurting your business, you can take measures to fight fraud using these five tips:

1. Process securely–and show it! If you’re processing payments over the internet, make sure your web site uses secure sockets layer (SSL) protection. SSL helps protect credit card numbers from being stolen en route.
   1. On every web page where you request sensitive information like credit card numbers, make sure your web address (URL) begins with https. Check for the lock symbol on the browser, too. These are the key things that eCommerce shoppers should be on the lookout for as they shop on your site.
   2. Show your visitors in a clear and noticeable manner how secure your web site is, particularly on checkout pages. This doesn’t help prevent fraud, per se, but can make a big difference in your online sales.
      • Consider using a security certificate on your web site that has enhanced security features, like the extended validation (EV) certificate from Verisign. With this type of certificate, if the online shopper on your eCommerce site is using a newer browser, the address bar will turn green indicating your site is secure and safe to be trusted. It helps boost trust and increase sales.
      • Believe it or not, the usability of your web site and a professional design affect how shoppers perceive the security of your site. If your site is usable, and the design is clean, users are more likely to trust it over a shoddy designed site with usability issues.
2. Use address verification & CVV Code, but consider other factors as well before rejecting orders
   1. Watch for suspicious purchasing patterns. Small initial purchases, followed by very large purchases, for example, can be a sign of fraud. In the initial purchase, they are “testing” the card to see if it works.
3. Be careful when handling customer data
   1. The cost of stolen customer data can be great, especially when you consider the damage to your business reputation. Handle sensitive cardholder data with special care–and don’t store anything more than you have to.
   2. PCI compliance–yes, you really do need to be payment card industry compliant. PCI guidelines were made to help merchants combat fraud.
   3. The cost of PCI violations can be big, so make sure you are PCI compliant.
4. Use a payment gateway
   1. A gateway provides quick, easy access to transaction detail
   2. A payment gateway automatically handles the payment processing in a secured manner
5. When you get a chargeback:
   1. Dispute whatever you can reasonably prove. If you have evidence that a chargeback is not justified, go ahead and send it in.
   2. If you have a recurring business, immediately shut down recurring payments associated with chargebacks. It’s hard to prove you were justified to continue charging a customer after they’ve submitted a chargeback. Save yourself the hassle and cancel the recurring payment right away.
   3. Don’t rely on reason codes alone. Make sure you investigate your chargebacks and know what happened.

Most importantly, make sure your payments provider is PCI compliant.

ApprovedPayments offers payment solutions via Intellivative, a PCI Level 1 Compliant provider. Apply today for a no-obligation quote, and see how our PCI compliant solutions can help your business combat fraud.