Most credit card processing companies detail how they're a Payment Card Industry Level 1 service provider, meaning they adhere to the highest requirements of the PCI Data Security Standards.
This sounds great for online retailers, but they should do a little more digging to see how these companies handle data before seeking a partnership. Not all payment processing companies keep customer data completely off your servers. The ones that don't
may increase your burden in becoming PCI compliant.
The importance of PCI compliance
In an effort to stem payment fraud, American Express, Discover, JCB International, MasterCard and Visa formed the PCI Security Standards Council in 2006. Together, they established certain guidelines – the PCI Data Security Standards – designed to maximize
protection and prevent theft. Though becoming compliant isn't required by law, any business that handles card payments and isn't compliant is potentially liable in the event of payment fraud or a data breach.
The PCI Security Standards Council lists 12 requirements designed to meet six specific goals: build and maintain a secure network, protect cardholder information, establish a system that maintains security, limit access to sensitive data, monitor and test
networks and establish an overall security policy. Businesses with limited resources often have trouble with the second goal, which requires them to encrypt any cardholder data that passes through or is stored on their servers.
How the right credit card processing partner reduces your compliance burden
Any merchant that accepts card payments is required to validate their compliance to the PCI DSS on an annual basis. For larger companies processing over 6 million transactions per year, this validation is performed by a Qualified Security Assessor. Small-
and mid-sized businesses handling fewer annual transactions must complete a self-assessment questionnaire (SAQ).
There are various SAQs, and which one you complete depends on your business and how you handle payment transactions. Companies that outsource all operations that deal with cardholder data to a supplier that is PCI compliant – including storing information,
contacting a customer's issuing bank and transmitting data back and forth – complete Questionnaire A. This is the easiest, least-cumbersome SAQ, where businesses are simply asked a series of questions that indicate that they do not ever come into contact with
sensitive card information. The more payment data a business touches directly, the more involved the corresponding questionnaire.
What to look for when considering a processing partner
When searching for the right credit card processing partner, be sure to ask how their payment setup influences the SAQ you need to complete. As the PCI Compliance Guide noted, the best option for businesses is to outsource payment setup to a company that
keeps all cardholder information off your servers.
There are a few ways payment processors achieve this. One is to redirect customers off your website and to the processor's site when they hit the checkout button. This is beneficial for security, but not so good for maintaining your company's brand. You
lose control of the website's design, sacrificing your own logos, fonts and color schemes to your processing partner's. The change in visuals sometimes leaves customers disoriented, leading to greater cart abandonment rates.
Instead, you should find a credit card processor that uses hosted payment pages or iFrames to collect cardholder data. These are individual webpages that look similar to your website but are actually located on the processing company's servers. Hosted payment
pages let you incorporate the same colors that your company uses on the rest of its website. iFrames provide a little more flexibility in terms of fonts, images and word choice. Regardless, either one can save you thousands of dollars on security and compliance.
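As an added illustration (not code from the original article, and not any real processor's integration), the following JavaScript shows why the iFrame approach keeps cardholder data off your servers and what the merchant side should still verify. The processor origin, the shape of the token message, the token format and the `handleCheckoutRequest` handler are all assumptions made for the example.

```javascript
// Added example: iFrame-based checkout from the merchant's side.
// Assumptions (hypothetical, not a real processor's API):
//   - the processor serves the card form from PROCESSOR_ORIGIN
//   - after the customer submits, the iframe posts
//     { type: "payment-token", token: "tok_..." } to the parent page
//   - the merchant backend only ever charges with that token.

const PROCESSOR_ORIGIN = "https://pay.example-processor.com";

// 1. The card fields live inside the processor-hosted iframe, so the browser
//    submits the card number to the processor's origin, never to yours.
function buildCheckoutIframeHtml(sessionId) {
  const src = `${PROCESSOR_ORIGIN}/checkout?session=${encodeURIComponent(sessionId)}`;
  return `<iframe id="card-form" src="${src}" title="Secure card form"></iframe>`;
}

// 2. The parent page receives only a token via postMessage. Checking
//    event.origin matters: without it, any frame on the page could inject a
//    fake "payment-token" message.
function extractPaymentToken(event) {
  if (event.origin !== PROCESSOR_ORIGIN) return null;
  const data = event.data;
  if (!data || data.type !== "payment-token" || typeof data.token !== "string") return null;
  // Token format is an assumption about the hypothetical processor.
  return /^tok_[A-Za-z0-9]{8,}$/.test(data.token) ? data.token : null;
}

// 3. Luhn check, used only to detect a raw card number that should never
//    reach the merchant backend.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Scans a request body (string or object) for 13-19 digit runs that pass Luhn.
function containsCardNumber(value) {
  const text = typeof value === "string" ? value : JSON.stringify(value);
  const candidates = text.match(/(?:\d[ -]?){13,19}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

// 4. Merchant-side handler: accept a token, refuse anything that looks like a
//    PAN. If the guard ever fires, cardholder data has reached your server and
//    the SAQ A assumption behind the integration no longer holds.
function handleCheckoutRequest(body) {
  if (containsCardNumber(body)) {
    return { ok: false, reason: "cardholder data reached merchant server" };
  }
  if (typeof body.paymentToken !== "string") {
    return { ok: false, reason: "missing payment token" };
  }
  return { ok: true, token: body.paymentToken };
}

// Constructed sample: a token-only checkout body is accepted, a body carrying
// the well-known test PAN 4111 1111 1111 1111 is rejected.
console.log(handleCheckoutRequest({ paymentToken: "tok_abc12345", orderId: "1234567890123" }));
console.log(handleCheckoutRequest({ cardNumber: "4111 1111 1111 1111" }));
```

The origin check in `extractPaymentToken` and the PAN guard in `handleCheckoutRequest` are the two checks worth keeping around any hosted-page or iFrame integration: the first stops a spoofed token message, the second alerts you if a front-end change (for example a developer adding a plain card field to your own form) quietly pulls your servers back into PCI scope.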