Are you a merchant planning to sell your goods and services online? Or are you already active in the e-commerce arena?
In either case, PCI DSS will become one of your daily concerns, since you will need to operate in compliance with PCI DSS requirements. The Payment Card Industry Data Security Standard (PCI DSS) was defined to guarantee the security of the online payment environment, so all e-merchants need to understand and apply it. There have always been questions about how the standard's requirements apply and under what conditions. To help answer these questions, the PCI Security Council has now released the E-commerce Guidelines. This document will help online merchants identify their responsibilities and is a ‘must read’ for any e-commerce merchant or Payment Service Provider seeking to achieve PCI DSS compliance.
The new E-commerce Guidelines aim to help online merchants understand the PCI DSS requirements in order to be compliant. The requirements are mandatory regardless of the type of goods and services the e-merchant chooses to sell; only the scope of application changes depending on the actor. Consequently, these PCI DSS E-commerce Guidelines are extremely useful in clearing up the confusion about the scope of application of PCI DSS (who, how, and to what extent).
This document can help online merchants understand:
- How to adapt their business in order to comply with PCI DSS standards, depending on their particular situation/business;
- How to choose their third-party service providers;
- How to secure customer payment data;
- Their responsibilities and the kinds of questions they need to ask of their service providers;
- The risks they need to evaluate when considering e-commerce solutions.
One of the key insights provided by the guidelines is that outsourcing the business to a PCI DSS compliant supplier does not make the business itself PCI DSS compliant. Merchants still have responsibilities with regard to PCI DSS implementation and compliance, and they have to be aware of this. Last but not least, from the third-party perspective, we strongly believe that it ‘takes two to tango’. All PSPs and gateways partnering with online merchants bear some responsibility for training and informing their merchants; sharing the PCI DSS E-commerce Guidelines would obviously be a first step towards trustworthy partnerships and a secure online shopping environment.