The card brands require all merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS), which is designed to prevent the theft of sensitive cardholder data.
A cardholder data security breach not only costs the impacted business thousands of dollars in fines, but it can also damage its reputation. According to the Verizon® 2015 PCI Compliance Report, 69% of consumers would be less likely to do business with a breached organization, meaning that on top of hefty fines, you also have to consider the loss of future sales.
Validating compliance is hard for some, easy for others
The process of validating compliance with the PCI DSS for most small and medium-sized businesses involves annual completion of a Self-Assessment Questionnaire (SAQ) and, depending on your environment, quarterly external vulnerability scanning performed by a qualified security assessor. The SAQ a merchant is required to complete depends on their payment processing environment. Merchants who use point of sale (POS) systems with integrated payments, where the cardholder data passes through the POS system and is sent to the upstream provider over the internet, qualify to complete SAQ version C or D.
These versions of the SAQ are lengthy, and when going through them, most merchants come to the realization that many aspects of their operation are not in compliance with the standard. By contrast, merchants who use traditional payment terminals to process their transactions can qualify to complete SAQ version B or B-IP. These versions of the SAQ are much less involved, and when going through them, most merchants find very few aspects of their operation that require remediation in order to achieve and maintain compliance.
The reason merchants using POS systems with integrated payments have a harder time validating and maintaining PCI DSS compliance is that their entire internal network housing the POS system becomes subject to the PCI DSS requirements. In other words, every component and endpoint on the merchant’s POS network, including those that do not handle cardholder data, must be fully secured, because the compromise of one can lead to the compromise of the others. On the other hand, merchants who use traditional payment terminals are able to limit exposure of sensitive cardholder data to purpose-built devices that have very small attack surfaces and that encrypt data in transit (in the case of IP terminals). When hackers break into the network of a merchant who uses payment terminals, the odds of them getting their hands on sensitive cardholder data are significantly diminished.
Security advancements in payment technology for POS systems
Thanks to the progressive thinking of payment technology companies, POS system developers are starting to take advantage of newer payment integration solutions that help minimize data security exposure and ease PCI compliance burdens for merchants. Payment Logistics is helping to drive this transformative change in the industry with our flagship Paygistix™ Client payment integration technology. When a POS system developer integrates with Paygistix™ Client, merchants using their system can keep the benefits of integrated payments in their POS system while reducing their PCI DSS compliance scope to that of a traditional payment terminal.