Three Tips to Help You Become PCI DSS Compliant
Handing off some basic elements of payment processing to vendors—and structuring your website thoughtfully—could help minimize the legwork needed for PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a fundamental tool that many businesses rely on to ensure they’re accepting digital payments securely.
Associations have had to keep PCI DSS in mind when managing digital payments for years—it was, after all, around for at least a decade before the European Union’s General Data Protection Regulation (GDPR).
But as with many tech concepts, it can still be a bit confusing for association pros. Janelle Benefield, vice president for associations at AffiniPay, sees these issues frequently in her role, as broader trends in e-commerce and payments have changed over time.
“I think that there’s an appetite for associations to want to move forward but make meaningful decisions,” she said. “But they’re afraid of making the wrong decisions.”
PCI compliance, she noted, is often tied to something that can make or break the user experience: the process of paying.
“Where can my decision have the most amount of impact? And the pivotal member engagement point is payment,” she said. “How easy was it for a member to pay? There is no more important metric.”
With that in mind, here are a few tips from Benefield to help ease PCI DSS compliance within your organization:
Upgrade Your Payment Processing System
PCI DSS is a living standard: it is refreshed roughly every two to three years, and the latest version, a major update, is expected by the end of March. Keeping up with it means keeping the underlying technology current, because each revision raises the bar for what counts as adequate security.
Part of the reason, noted Benefield, is that the digital payments landscape has shifted and, naturally, keeps shifting.
“The pandemic really threw a light on the fact that those systems need to be updated, and that there’s new technology in that space,” Benefield said.
Two areas where Benefield recommends investing are two-factor authentication for anyone who can access financial data (PCI DSS already requires multi-factor authentication for administrative and remote access to systems that handle card data) and Google's reCAPTCHA on payment forms, which blunts the automated card-testing bots that probe checkout pages with stolen card numbers.
Consider Using Hosted Forms
One important concept in security circles is the attack surface: the set of points through which an attacker can reach a system. The more entry points there are, the more there is to defend, and the greater the exposure.
The same logic applies to compliance: the more of the payment flow your own systems touch, the more of the standard you have to demonstrate. If card data passes through or is stored in your AMS, you fall under Self-Assessment Questionnaire D (SAQ D), a form with hundreds of questions that must be completed every year.
“That requires quarterly passing scans—not just to be scanned, you need passing scans,” Benefield said.
Hosted forms change that picture. The card-entry fields are served by the payment provider, generally as a software-as-a-service offering and typically inside an iframe or on a redirect page, so the card number travels from the member's browser straight to the provider and never reaches your servers. Fewer hands touch the financial data, and fully outsourcing card handling this way makes the organization eligible for the much shorter Self-Assessment Questionnaire A (SAQ A). One caveat: eligibility depends on your page never receiving card data. If your own page collects the number and forwards it, even through JavaScript, a different questionnaire (SAQ A-EP) applies, and the provider itself must be PCI DSS validated.
“If they spend the time investing in something like hosted fields, not only will that save them time and make their site more secure with less liability, but it also future-proofs their organization,” Benefield said.
Build With Members’ Needs in Mind
A key way to keep the process compliant is to build with an understanding of how the end user will actually pay. For example, keeping a returning member's payment method on file so they do not have to enter it again cuts friction and cost, and it also minimizes the number of times card details are typed into a form, which lowers exposure. The security-relevant detail is what gets stored: it must be a token issued by the payment provider, not the card number itself. Storing card numbers in the AMS would put the organization squarely back in scope.
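The hosted-form pattern from the previous section and the card-on-file point above share one server-side rule: the association's own endpoint should only ever see a provider token, never a card number. The following Node.js handler, added here as an example and not code from the article or from AffiniPay, enforces that rule by scanning every request for PAN-shaped values (13 to 19 digits passing the Luhn check) and rejecting the request if one turns up, then storing only the token for next time. The field names, the `tok_` token format and the `/api/pay` endpoint are illustrative assumptions, not any real provider's API.

```javascript
// Added example, not code from the article or from AffiniPay: the server-side
// half of a hosted-form integration. With hosted fields the member's browser
// sends the card number straight to the payment provider, and your AMS should
// only ever receive an opaque token. This handler enforces that: any request
// carrying a PAN-shaped value anywhere in its body is rejected, so an
// integration mistake fails loudly instead of quietly pulling your servers
// into PCI scope. Field names ("paymentToken", "memberId") and the "tok_"
// token format are illustrative assumptions, not a real provider's API.

// Luhn check: every genuine card number passes it, most random digit runs
// do not, which keeps false positives on member ids and phone numbers low.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if the value contains a run of 13-19 digits (spaces or dashes between
// groups allowed) that passes Luhn. Field names are deliberately ignored:
// card numbers leak in free-text "notes" fields as often as in "card_number".
function containsPan(value) {
  if (typeof value === 'number') value = String(value);
  if (typeof value !== 'string') return false;
  const runs = value.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, '')));
}

// Walk a parsed JSON body and return the dotted paths of PAN-shaped values.
function findPanFields(body, path = '') {
  if (body !== null && typeof body === 'object') {
    return Object.entries(body).flatMap(([key, val]) =>
      findPanFields(val, path ? `${path}.${key}` : key));
  }
  return containsPan(body) ? [path] : [];
}

// Assumed token shape for the example; real providers use their own formats.
const TOKEN_RE = /^tok_[A-Za-z0-9]{8,}$/;

// Card-on-file store: member id -> provider token. Only the token is kept, so
// a breach of this table yields nothing a thief can charge elsewhere and the
// AMS never holds cardholder data.
const cardsOnFile = new Map();

// Handler for POST /api/pay. Returns an HTTP-style result instead of writing
// to a socket so it can be exercised without running a web server.
function handlePayment(body) {
  const leaks = findPanFields(body);
  if (leaks.length > 0) {
    // Report the field path only; never echo or log the offending value.
    return { status: 400, error: `cardholder data rejected in: ${leaks.join(', ')}` };
  }
  if (!TOKEN_RE.test(body.paymentToken || '')) {
    return { status: 400, error: 'paymentToken missing or malformed' };
  }
  if (body.saveForNextTime) cardsOnFile.set(body.memberId, body.paymentToken);
  // Here the token would be sent to the provider to charge; simulated as success.
  return { status: 200, chargedCents: body.amountCents, tokenUsed: body.paymentToken };
}

// Constructed sample requests, not real traffic. 4111111111111111 is the
// standard Visa test number and is Luhn-valid.
const goodRequest = {
  memberId: 'm-1001', amountCents: 12500,
  paymentToken: 'tok_7f3a9c2e1b', saveForNextTime: true,
};
const leakyRequest = {
  memberId: 'm-1002', amountCents: 12500, paymentToken: 'tok_7f3a9c2e1b',
  notes: 'member read card over the phone: 4111 1111 1111 1111',
};

console.log(handlePayment(goodRequest));   // status 200, token stored
console.log(handlePayment(leakyRequest));  // status 400, leak in "notes"
```

The guard is intentionally name-agnostic: the request that gets rejected above carries the card number in a free-text `notes` field, which is exactly how card data tends to creep into systems that were designed to be out of scope. Wiring a check like this into the payment endpoint, and alerting on every rejection, gives you evidence for the SAQ A eligibility claim rather than an assumption.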
“We just need to be smarter with the tools that we have today, with an eye to how we minimize PCI compliance [problems] and liability for the association,” Benefield said. “How can we make it easier for the members to engage and make payments and stay involved? And then how do we make it easier for finance to report to the board and to the ED?”
This kind of approach requires integration, but it might also require a look at what is driving the process. Is the current approach to managing payments determined by an AMS vendor's requirements or by the member's experience? The chief technology officer should be asking that question, Benefield said.
“Are they building a good integration, and are they protecting the association? And are they offering modern features?” she asked. “I think the CTOs and the directors of IT really need to evaluate that.”