Merchant Payment Processing: What You Really Need to Know About PCI DSS

The ability to take payment by credit or debit card is considered a vital tool by most business that have a merchant account, but it does also open them up to the possibility of receiving fraudulent transactions.

Payment Card Industry Data Security Standards (PCI DSS) is a security standard that was put in place to regulate any organisations that store, transmit or process sensitive credit or debit card information.

Swiping a credit card

Keeping payments as secure as possible

Businesses who have PDQ machines to take payments, have a certain amount of security built into the system anyway, but PCI DSS is designed to further reduce the risk of fraud and provide a level of protection to the consumer as well.

This security standard for the card processing industry is all about providing protection on both sides of the fence, with safeguards to protect your business from card fraud and protect customers at the same time.

Addressing a growing problem

Card fraud is a clear and present danger that is growing according to a study carried out by PWC.

If you have a business with less than 50 staff employed, card fraud could cost you on average somewhere between £65,000 and £115,000, so it is definitely a problem that needs tackling, which is why PCI DSS was introduced.

Achieving compliance

One way to achieve compliance with the regulations is to use a payments service or suitable software to process online payments, so that any transmission or storing of sensitive information is done on your behalf.

Merchant card services are also increasingly incorporating PCI DSS compliance as an add-on service for their small-business customers, so you should ask your current provider about this or see if there is an alternative provider that includes this.

Online payments

If you don’t have a store and simply take payments online via your website, you still need to ensure that you are fully compliant with the regulations.

Your merchant account services provider should be able to tell what you need to do with your e-commerce site. This will often involve using a hosted payment page provided by the acquiring bank, meaning that you won’t be holding any sensitive information directly.


If you want to handle and store card details in-house then you will definitely need to ensure that your staff are PCI DSS trained.

You will have to complete an annual compliance questionnaire and amongst other things, complete quarterly external vulnerability scanning using an Approved Scanning Vendor.

It is also vital that you do not store either the full magnetic stripe – track 2 data, and any PIN details or sensitive authentication data, even if it is encrypted.

The fundamental aspect to remember, especially if you have a PIN terminal on your business premises, is to ensure that any computer that is handling card data is always kept completely separate from the rest of your business data.

Suffering a security breach is not just about potential financial losses. It is also about maintaining your businesses reputation. Data breaches attract a lot of negative publicity and are bad for business, which is another strong reason to ensure that you are PCI DSS compliant.

Carl Robinson has been in business for several years now. When he’s not in the office, he’s sharing his insights with his readers online. You can find his informative articles mostly on business and merchant blog sites.

Photo credit: Tom Arthur / Flickr