Posted January 24, 2020 by FreedomPay

Navigating the Payment Gateway Ecosystem

We live in an open world – open for choice, collaboration, and opportunity. Being open involves connecting and networking in new ways and in the context of the retail environment, that means building and growing new ecosystems.

While most are familiar with the ecosystems that already exist between retailers, acquirers, and banks, a new set of digital and cloud-based ecosystems continue to emerge that delivers a plethora of next-generation, value-added services straight to the point of sale (POS) or online checkout. At the heart of this is the commerce and payment gateways that act as central hubs, linking the various data flows and platforms within expanding retail ecosystems.

It’s time to rethink gateways.

The concept of the commerce gateway as a doorway to an exciting ‘plug and play’ service playground is still new to many retailers. To help them navigate their way through the complexity, we’ve put together a quick guide to help them understand the changing role of the payment gateway in facilitating these new ecosystems:


  • Expanding portfolio of APIs and Toolkits

Gateways now offer powerful APIs that allow merchants to connect with thousands of third party scripts and shopping carts while also aiding the development of new applications through toolkits and plug-ins, developer portals and sandpits. With these added APIs, retailers can create their own subscription services, on-demand marketplaces, or even crowdfunding platforms using a range of development languages, including Ruby, Python, PHP, and Java. Some gateways will also support hundreds of currencies and offer features such as mobile payments, subscription billing, and one-click checkout.


  • Fast to market plug-and-play marketplaces

Payment gateways are increasingly offering access to their own pre-built app marketplaces – packed with third party offerings that can be used to enrich retailers’ checkouts – from loyalty gamification and e-charity donations to bill splitting and currency conversion. These can dramatically reduce the time to market of launching new POS services, allowing merchants to browse, choose and deploy apps instantly, or remove them, as consumer and market needs dictate. In this way, they can try out, evaluate and opt for the best service apps for their audiences without committing to long-term lock-in.


  • Secure access and sharing

Modern commerce platforms can separate out payment transactions from service platforms, to ensure that sensitive payment data is never compromised within the ecosystem. Equally important is their ability to deliver multiple user support and logins so that service teams and other business functions (including accounts and compliance) can access reports and specifically authorized features. It goes without saying that these also ensure a visible audit trail that links specific actions to authorized users. In addition, gateways can also provide custom security settings as well as anti-fraud capabilities to ensure that the transaction path is secure at all times, protecting against fines, fees, and chargebacks.


  • Tracking complex customer journeys

To aid targeting, personalization and more effective loyalty incentives, offers and promotions, it makes sense to be able to track customers and their journeys across retail ecosystems – between brands, channels, and locations. The gateway can aid this using tokenization, to ‘follow’ the customer through various journeys by allowing payment methods to be linked to transaction activity. Through data anonymization, information such as what, when, where, and how purchases and interactions were made can be shared across functions and brands within the ecosystem, without compromising sensitive cardholder or payment data.


  • Relationships must be reengineered, too

From Alibaba and Amazon, the development of the retail marketplace as an aggregated website is reshaping the global definition of the retailer and the sales ecosystem. Brands are now squeezing their way in between retailers and their customers, particularly in new e-marketplaces inclusive of review sites and comparison sites, payment providers, loyalty apps, returns companies, influencers, and social media.


Retailers can’t afford to wait for the customer to be ready to purchase their product; they need to get closer to them before they decide to buy. Owning or running a commerce gateway allows retailers to build their own ecosystems that put customers’ desires and needs first by enabling them to find new ways to interact (content marketing, geolocation and push services) and to personalize experiences.

Check out our blogs on DPN, tokenization and business intelligence for more ideas on how to fast-track to success!


Posted January 22, 2020 by FreedomPay

Top 5 Challenges Facing Retail CTOs in 2020

Retailers are embracing a range of disruptive technologies that are set to fundamentally change the way they interact with and service their customers.

But what does this mean for the executives running the operations behind the scenes?  How are they coping with the pace of change and what are the challenges that will impact their IT strategies in the months ahead?

As we continue working closely with CTOs in leading retail and hospitality brands, we’ve put together some of the topline issues they’ll be wrestling with in 2020:

Legacy management and smashing silos

Mobile, cloud services, big data, analytics, and social media rank highest among the technologies that CTOs see as transforming retail from the way we know it. Yet for many, leveraging these trends is a tricky proposition. How best to maintain availability while adding functionality to existing legacy systems (which may already be creaking at the seams) impacts many of their waking decisions. (Read our Welcome to Hospitality 2020+ white paper here).

In 2020, they’ll continue to seek solutions that help them surround and expand their existing assets using Open APIs and toolkits to integrate wherever they can. They’ll also be looking to free up data flows, connecting business functions in order to break down data silos (e.g. CRM, ERP, Web analytics) and deliver a 360 view of the customer to decision-makers and planners.

Optimizing resources and changing cultures

In too many cases, retail and hospitality IT agendas are hampered by a lack of key resources and business alignment – skills, people, budget, infrastructure.

The focus is often on fueling functional cost savings rather than driving business growth and sourcing innovation. Retail CTOs will need to get out of the back office and lead the innovation agenda if they want to secure the resources they need for the dynamic new world of retail.

CTOs must focus their teams on innovating and differentiating the customer experience. Cloud solutions and integrated commerce platforms will be a major enabler of retail transformation, allowing CTOs to more effectively leverage commodity technology and processes while dedicating valuable internal resources to driving deeper business and customer engagement.



Building better customer UX (without blowing the budget)

As everyone involved in innovation knows, it’s often the invisible assets that are hardest to deliver. There’s now more pressure than ever on CTOs to enable marketing and acquisition teams to attract and engage consumers – either through faster, responsive and more personalized online interactions, or by helping to create more exciting and inspiring experiences in store at the point of sale (POS). CTOs are being positioned to deliver bigger, better, faster, cheaper platforms – and with less liability too.

Protecting data and reputation

Fraud is the challenge that never goes away. The more channels, payment types, and services a retailer offers, the harder CTOs must work to ensure that payment and data chains are locked down. Retail fraud is running at 30%, with merchants now paying $3 for every dollar lost. Faced with chargebacks, fines, and loss of reputation, the heat is on for CTOs to keep their business, management teams and customers better protected.

It’s not just about implementing more fraud prevention solutions, CTOs must select the right combination and layering of core, identity and fraud transaction solutions to defend against increasingly sophisticated threats. To ease the burden, ever more CTOs will choose to outsource risk, investing in payments as a service (SaaS) platforms to shift liability onto their provider and remove their own infrastructure from scope.

Dealing with compliance and ‘the domino effect’

Managing data comes with a minefield of rules, including those that are state-based (e.g. California’s AB375 consumer privacy act), international (e.g. GDPR data protection regulations), payment-related (e.g. PCI DSS), or anti-fraud (PSD2’s Strong Customer Authentication (SCA)). Additionally, these regulations don’t even include the POS certifications and card issuer mandates that are required to avoid fees and chargebacks.

So much regulatory change creates a domino effect: the time and effort it triggers – keeping legacy systems and processes up to date, continuous auditing, reporting, and training – has become a major burden for tech-heavy retailers. Finding new ways to reduce risk and ease the burden, through cloud outsourcing, payment gateways, encryption, and tokenization, is becoming a strategic imperative for CTOs. Even the smallest businesses are now investing in security and compliance specialists to help support them.

Of course, these challenges are just the tip of the iceberg for retail CTOs. According to Gartner, in 2019, retailers’ investment in technology is expected to grow 3.6%, hitting $203.6 billion over the course of the year. In 2020, much of the focus for CTOs will be in bedding in new assets and systems and ensuring they deliver a positive return on investment (which will mean even more scrutiny by their boards).

With as much change in front as behind them, there’s a long road ahead, but with the right technology and payments partners, they can spread the effort and lighten the load.



Posted January 20, 2020 by FreedomPay

Top 5 Payment Security Trends in 2020

Fraud is on the rise. With deep pockets and creative minds, fraudsters and cybercriminals are becoming increasingly organized, sophisticated, and focused on the low hanging fruit that exists within the retail space.

The security playbook has widened, and now includes EMV, PCI DSS, and point-to-point encryption (P2PE), with new regulations such as PSD2’S SCA tightening up vulnerabilities. In addition, robust anti-fraud solutions are now part of most card acceptance POS and payment gateways.

As the data protection battle continues, there are some strong security patterns emerging:

• CNP payment fraud will continue to rise and fraudsters will get increasingly sophisticated

Squeezed out of the traditional payment chain, criminals are increasingly targeting remote Card Not Present (CNP) transactions, where shoppers’ data is especially vulnerable.
According to Juniper Research, online payment fraud will top $22 billion this year – and could reach $48 billion by 2023. Fraudulent attacks are becoming more sophisticated, using tactics such as phishing, ID theft, pagejacking, wire scams, and merchant ID fraud. In 2020, watch out for ‘imposter bots’ that exploit the growth of AI-driven chatbots for online customer support to draw out payment details and other sensitive information from established retail websites.

• Tokenization will become more widespread as merchants seek to secure the payment chain while delivering more personalized and connected services (including IoT)

Tokenization replaces sensitive payment data with a randomly generated token that lets the customer’s transactions be tracked and their ‘footprint’ remembered, making it ideal for CRM, loyalty and personalized promotions. The merchant does not touch or store payment data, and fraudsters can’t reverse the token to access account details. By 2020 it’s expected that there will be 20 billion IoT devices; a proportion of these will no doubt facilitate transactions too, creating a whole new window of opportunity for fraudsters. Tokens can be used across all channels and can even facilitate transactions between devices in IoT environments.
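The two properties the tokenization passages above rely on (in the “Tracking complex customer journeys” section and here) are that the same card always maps to the same token, so a journey can be followed across stores and channels, and that nothing computable from the token leads back to the card number. The following added example, written for this page and not FreedomPay’s own code, models that with a hypothetical gateway-side vault and a merchant ledger that only ever holds tokens. The role names, the 16-digit token format and the two card numbers are constructed; the dicts stand in for the encrypted store a real vault uses.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used on real card numbers (PANs)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical gateway-side vault: the only component that ever sees a PAN.
    Plain dicts stand in for the encrypted, access-controlled store a real vault uses."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:
            # same card -> same token, so activity can be linked across channels
            return self._pan_to_token[pan]
        while True:
            # drawn from a CSPRNG: no function maps the token back to the PAN
            token = "".join(secrets.choice(string.digits) for _ in range(16))
            # reject tokens that would pass Luhn, so a token is never mistaken for a PAN
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the authorization path may recover a PAN; CRM and marketing never can."""
        if caller_role != "processor":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant and its CRM keep: the token, last four digits and sale facts."""
    token: str
    last4: str
    amount_cents: int
    store: str


def record_sale(vault: TokenVault, pan: str, amount_cents: int, store: str) -> MerchantRecord:
    """Merchant-side flow: hand the PAN to the vault and keep only the token."""
    token = vault.tokenize(pan)
    return MerchantRecord(token=token, last4=pan[-4:], amount_cents=amount_cents, store=store)


def customer_journey(records: list[MerchantRecord], token: str) -> list[MerchantRecord]:
    """Follow one customer across stores using the token alone."""
    return [r for r in records if r.token == token]


if __name__ == "__main__":
    vault = TokenVault()
    ledger = [
        record_sale(vault, "4111111111111111", 1299, "downtown"),  # constructed test PAN
        record_sale(vault, "5555555555554444", 4500, "airport"),   # constructed test PAN
        record_sale(vault, "4111111111111111", 850, "airport"),
    ]
    for rec in customer_journey(ledger, ledger[0].token):
        print(rec)
```

The ledger and the journey query never contain a PAN, which is what takes the CRM out of the sensitive-data path; the Luhn rejection on generated tokens is a small practical guard so a token leaking from a log cannot be mistaken for, or accidentally submitted as, a real card number.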



• New forms of authentication will emerge fueled by PSD2’s SCA requirement which comes into effect in 2019 (EU) and 2020 (UK)

Strong Customer Authentication (SCA) will soon become essential for retailers in order to ensure compliance with PSD2. Each transaction will require two different types of authentication taken from three criteria (something you own, something you know and something unique to you). With a physical card and a PIN, EMV already meets the criteria. However, for CNP and online transactions, it’s not so easy, with extra passwords and registrations increasing friction and possibly dropped sales at the checkout. To prevent this, merchants may turn to ‘customer-familiar’ smartphones and biometrics to ease the process. They will be supported by the likes of MasterCard, who are already championing biometric authentication.

• Anti-fraud solutions will deliver better security decisions with less friction for legitimate buyers

Advanced, risk-based decision-making for e-commerce will help to reduce CNP fraud using updated standards from EMV 3-D Secure, which examine 10 times more risk factors than before to help decide whether step-up authentication is required. In addition, companies that facilitate digital payments will likely layer 3-D Secure with other advanced analytics technologies, like artificial intelligence, to help analyze for fraud. Across retail, self-learning neural models will be used to automatically spot patterns much more swiftly. They will also enable finer rule setting and customization – essential for peak periods such as Black Friday – to minimize false declines and reduce the incidence of chargebacks.
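The two preceding trends fit together as one decision: score the transaction on risk signals, and only step up to a challenge when the risk warrants it and the customer has not already presented two factors from different SCA categories. The added example below, written for this page rather than taken from FreedomPay or any 3-D Secure implementation, shows a toy version of that flow. The evidence names, the five risk signals and their weights, and the three policy thresholds are all constructed; the one rule taken from the text is that two factors of the same kind (for instance two possession factors) do not satisfy SCA.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you own"
    INHERENCE = "something unique to you"


# Constructed mapping from a piece of authentication evidence to its SCA category.
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "otp_app": Factor.POSSESSION,
    "registered_phone": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}


def satisfies_sca(evidence: list[str]) -> bool:
    """Two factors from two *different* categories; two of the same kind do not count."""
    categories = {EVIDENCE_CATEGORY[e] for e in evidence if e in EVIDENCE_CATEGORY}
    return len(categories) >= 2


@dataclass(frozen=True)
class CnpTransaction:
    amount_eur: float
    device_known: bool              # device fingerprint seen before for this cardholder
    ship_to_matches_billing: bool
    card_country_matches_ip: bool
    attempts_last_hour: int         # velocity on this card


def risk_score(tx: CnpTransaction) -> int:
    """Toy additive score over a handful of constructed signals (weights are illustrative)."""
    score = 0
    if not tx.device_known:
        score += 30
    if not tx.ship_to_matches_billing:
        score += 25
    if not tx.card_country_matches_ip:
        score += 25
    if tx.attempts_last_hour >= 3:
        score += 20
    if tx.amount_eur > 500:
        score += 15
    return score


# Constructed policy thresholds; a real engine tunes these per merchant and peak period.
DECLINE_AT = 80
FRICTIONLESS_BELOW = 40
LOW_VALUE_EUR = 30.0


def decide(tx: CnpTransaction, evidence: list[str]) -> str:
    """Return 'approve', 'challenge' (step-up authentication) or 'decline'."""
    score = risk_score(tx)
    if score >= DECLINE_AT:
        return "decline"                 # too risky to rescue with a challenge
    if satisfies_sca(evidence):
        return "approve"                 # SCA already met, add no further friction
    if score < FRICTIONLESS_BELOW and tx.amount_eur <= LOW_VALUE_EUR:
        return "approve"                 # low-risk, low-value: skip the challenge
    return "challenge"                   # ask for a factor from another category


if __name__ == "__main__":
    tx = CnpTransaction(600.0, device_known=False, ship_to_matches_billing=True,
                        card_country_matches_ip=True, attempts_last_hour=0)
    print(risk_score(tx), decide(tx, []), decide(tx, ["password", "otp_app"]))
```

The ordering of the checks is the point to notice: the decline rule runs before the SCA check, so a transaction that looks fraudulent is not approved merely because a second factor was supplied, while the frictionless branch is the only place the score lowers the bar, and only for small amounts.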

• Merchants will have to tighten up their processes – whether mandated or not

It’s not possible for technology alone to fully eliminate retail fraud, especially for online stores. As in all high-tech environments, people and processes are often the source of inadvertent breaches. Retailers will have to continually update network security systems, including firewalls and antivirus software, train staff and maintain audits to keep their defences high and information safe. Expect to see more security specialists employed full-time, even within smaller merchant organizations.

• Security will become a core differentiator for selecting a payment service provider

Businesses will be more proactive in their cybersecurity strategies when it comes to protecting the consumer. As senior execs and boards are increasingly held accountable, security is moving beyond a simple compliance tick-box towards a real corporate imperative supported by organization-wide procedural frameworks. Reflecting this, security will become a critical differentiator ahead of reliability and cost for merchants seeking payment partners and providers.

While there are a plethora of security add-ons and antifraud software available, merchants shouldn’t forget the basics. This includes maintaining awareness of the latest fraud regulation, ensuring systems (and those of providers) are verified and compliant with all the latest standards, and specifying PCI point-to-point encryption (P2PE) and tokenization for all payment platforms.

With GDPR necessitating clear policies for storing and handling ‘all’ customer data and the reporting of data breaches, retailers must make sure the right processes and training are in place to support these too.

If in doubt, payment partners such as FreedomPay, are often first to spot new security trends and can provide practical support and guidance to help keep businesses and their customers safe.



Posted January 15, 2020 by FreedomPay

Giving Gen Z and Millennials More at the Point of Sale

Consumers in the U.S. are growing increasingly frustrated at the slow progress that has been made in addressing the acceleration of technology at the point of sale. Whether it be unclear or inconsistent messaging (e.g., contactless), disjointed back-end systems, rapidly evolving and expanding payment options, or a continued lack of properly implemented payment security solutions – consumers do not appreciate, and will not remain loyal to, ‘the friction.’ That void is quickly being filled by the Amazons of the world, who can provide a complete end-to-end ecosystem of capabilities with a frictionless consumer experience, and this poses an existential commercial problem for other businesses.

No matter the size of merchant, the challenge to serve the tech-savvy consumer is becoming increasingly complex. Demand for more innovative user experiences, seamlessly integrated back-end systems, and easier and faster ways to pay for goods and services is a daily challenge, continually increasing the level of system disparity and fragmentation. This means that the biggest issue facing merchants is how they upgrade and sync complex legacy payment tech systems to stay relevant and ahead of the competition. In other words, businesses must futureproof their payment technology to enable growth.

FreedomPay is leading the debate on this new world of data driven customer-centric commerce and for the hundreds of companies who work with us, it’s about overcoming the payment data and digital infrastructure challenges. Those who’ve tackled this successfully know they will deliver growth in 2020 and beyond.

That said, thousands of businesses still need help with their payment options, legacy technology and internal data. This new research uncovers and quantifies the significant impact technology is having at the point of sale both for the merchant and the customer and the disparate behaviors when buying goods and services.

Our research has found that security remains a key concern when considering new technology payments and methods. And yet, there is no doubt that the adoption of new technology, if implemented correctly, will reduce risk and compliance issues.

The use of contactless and mobile wallets in North America will accelerate. Just look at what’s happening in other parts of the world such as Europe and so, we believe the time is now right for change. Businesses will thrive when they focus on the customer and deliver a truly holistic approach to payments.

Posted November 20, 2019 by FreedomPay

The Rapid & Changing World of Commerce Platforms as a Service

The world of commerce platforms now expands beyond transactional payments—information is king! Host Tyler Kern and Barry Stearn, director of partner success for Europe’s division of FreedomPay, discussed emerging payment trends, and how this fast-evolving landscape is becoming more complex.

“Payments has become really an information business,” said Stearn. “Yes, there is a transactional exchange, there is a packet of data that passes from the merchant through to the processor for authorization…but built in that consumer journey, look at all the elements that exist around that process.”

Stearn went on to explain how the back-end data engine can help businesses, e.g. the service industry, capitalize on the many customer interactions at those establishments.

“At FreedomPay, we have the ability not only to capture information at the point of sale around what that loyal customer is buying, we can also build out an analytical token of said consumer profile,” Stearn said.

This securely stored environment allows the client to better understand who their loyal customer is, and to properly market offers and promotions that make sense.

Posted October 31, 2019 by FreedomPay

Turn Your POS Into A Revenue Boosting Content Platform

More than two decades ago, Microsoft’s Bill Gates declared of the internet “content is king”. That statement still resonates today, even more so, with the prevalence of smart devices, social media and ‘anywhere’ connectivity.

For those who own, or can provide access to, a consumer-facing ‘content channel’, there’s now a massive opportunity to generate revenue from organizations looking to push content that persuades consumers to buy.

Whether you operate a retail outlet, stadium, hotel, theme park or even a university campus, chances are you already have a physical POS estate, with terminals that are packed with sales processing power, full color displays and even multi-media capability. You may not realize it but these integrated online and mobile checkouts, represent a rich new channel of opportunity and revenue.

Having spent your hard-earned profit building a great customer UX at the sales point, it makes sense to try to generate as much return on your investment as you can. That means finding new ways to drive extra revenue and, with FreedomPay’s DecisionPoint Network™ (DPN), it may be easier than you think.

Get your POS working harder

DPN lets you reimagine the role of the POS, thinking beyond simple acceptance and transforming the checkout into an end-to-end marketing platform – one that can enhance the customer experience with targeted advertising and special event notifications. DPN enables the POS to deliver persuasive branding and advertising in real time at the exact moment customers are ready to buy.

With little effort, you can turn your sales point into a highly targeted digital advertising channel that generates revenue for you and your partners. It won’t impact your compliance or security as DPN is offered as a component of FreedomPay’s fully PCI Validated Point-to-Point Encryption (P2PE) solution, which facilitates secure and fast onsite payments.

You can leverage DPN to improve your own experience – with sample ad messaging, to launch emerging technology-accepted methods of payment, new products/merchandise offerings, live discounts/offers, and redeem reward points at payment check out. DPN also allows third-party advertisers to purchase space on your POS too.

Real-time ads and content at the POS

The POS provides a dedicated content network that spans many retailers, reaching hundreds of millions of consumers every day. Not when they are watching TV, browsing the internet or on the street (when they are distracted, and their concentration is low) but when they are 100% focused and in buying mode, right at the decision point.

Unlike other digital channels, advertising on the POS gives brands 100% share of voice and 100% viewability with ad-exposure times of 10-15 seconds, all in a brand safe environment with no risk of ad fraud and ad blocking.

DPN makes it easy for advertisers to target ads, exploiting your POS estate to effectively influence conversion/upsell opportunity. At the same time, it enhances your customer experience and provides you with a lucrative revenue stream. What’s not to love?

By delivering content at the checkout, it’s clear that you can deepen your customer relationships, drive loyalty and increase average order value (AOV) by communicating targeted discounts, and offers in real-time. It really is true, content is king, and thanks to DPN you can now use it to reap royal rewards!

Cedric Lourie, Director of Digital Development for FreedomPay, follows how digital media continues to develop creative methods of advertising and unpacks what is worrying marketers in today’s content-driven climate in this podcast.

Posted October 10, 2019 by FreedomPay

It’s Time To Tap Into EMV’s Benefits

As a consumer, it’s still surprising to go into a store, and be asked to ‘swipe’ rather than ‘dip or tap’. While in Europe EMV has been the norm for almost a decade, here in the US the reality is there is still a long way to go, even though the market has been transitioning from traditional mag-stripe cards to EMV since 2015.

Today, more than half of credit and debit cards worldwide are now EMV and nearly two-thirds of all card-present transactions involve EMV. Despite this, many mom-and-pop stores and home-grown retailers have yet to make the switch.

It appears that, even as adoption rates increase, there’s still resistance from some merchants to enable EMV acceptance. In many cases, they’re simply reluctant to replace their outdated mag-stripe infrastructure with point of sale devices that can read chip card data.

So why should retailers switch to EMV? 

While there are many reasons, the most obvious is that it is much more secure than traditional mag-stripe cards, which have several vulnerabilities – cards can be stolen before they are signed, signatures can be erased and forged, and magnetic stripes can be cloned without the owner’s knowledge.

On the other hand, with its integrated chip (IC), EMV is very hard to copy or counterfeit. EMV cards offer two types of authorization – signature or PIN containing up to six digits. When the card is PIN enabled, it’s even more secure, and if the card is stolen, the thief needs the PIN to use it. In markets where EMV is established, payment card fraud rates have fallen significantly, by up to 76% according to Visa.

But if you are still unconvinced, there are other reasons, beyond security, why EMV is a great investment:

  • Reduced liability and fewer chargebacks
    EMV stands for Europay, MasterCard and Visa, the major card issuers who developed it to solve their collective card security issues. In many countries, including here in the US, these card issuers and their processors are now implementing liability shifts for non-EMV transactions – transferring the onus from the issuer to the merchant if a fraudulent transaction takes place. This means that if you don’t support EMV you are more likely than your EMV-accepting competitor to see your hard-earned profit get eaten up by fines, fees and chargebacks.
  • Convenient for consumers and staff
    EMV offers faster, more convenient payments, including enabling contactless ‘tap and go’ payments. If you can accept contactless, you can transact faster than with cash, meaning shorter lines, less hassle than reconciling/banking dollars and less temptation of theft at the point of sale too.
  • EMV paves the way for e-loyalty and more
    Its ‘smart chip’ can hold more than payment data, creating opportunity for added value services and features such as supporting complex loyalty schemes. It can also be used to implement everything from mobile wallet applications to charity donations. Increasingly, EMV is also being used to support transportation, ticketing and secure site access.
  • Use EMV POS devices for more than cards
    With contactless enabled EMV readers, retailers can also accept NFC and mobile payments. With more people carrying smartphones than cash or cards – especially millennials and Gen Z – it means you’re much less likely to miss a sale, and more likely to see AOV increase.


Combined with smart acceptance devices, commerce-enriched payment gateways and POS service apps, there’s no question that EMV gives sales businesses lots to get excited about.


High-value retailers more susceptible to fraud can minimize their risk, while low-value, high-volume outlets can speed throughput and convenience, and those where service drives repeat business can deliver a raft of new customer-facing loyalty services connected to the consumer’s EMV card.


So, if you are looking to gain greater security, reduce lines, and drive revenue, why wait?


Learn more about EMV benefits here.


Posted October 03, 2019 by FreedomPay

How A Seamless Customer Payment Experience Is The Key To Sales Success

Customers are becoming more demanding, and the retailers who keep up with the latest payments solutions, payments platform and point of sale (POS) systems will be the ones who are the most successful.

Think back just 10 years and no-one was using a smartphone to pay for goods and services. There were no wearable devices like Apple watches or mobile wallets that you could use for payment processing, and when you went to a concert or a coffee shop, you could not order and pay for refreshments in advance and avoid the crowds.

Jump forward a decade, and this is now the norm. Consumer-centric payment technology has advanced to a point where you can even use your face to authorize a payment. As technology continues to progress, the number of ways people want to pay increases, and retailers must keep up to compete.

Seamless customer payment experiences are the key

The importance of a seamless customer payment experience cannot be overstated, and enticing your existing customers back is the key to sales success and customer retention. Assessing data which helps you understand customer behaviour can be strenuous, but there are systems which allow you to undertake a deep, granular analysis of the way different customers interact with retailers: what they buy, how often and, importantly, how they pay for their purchases.

Using this data, you can create a unique loyalty offering, giving your best customers access to discounts, or exclusive events that will give them a great customer experience. Loyalty schemes come in all shapes and sizes, and using the latest technology provides not just a safe, secure and simple payment environment, but one that makes the customer/retailer interaction as beneficial as possible for both parties.

Future payment services could become even more integrated with the advent of open banking across Europe. The possibilities going forward could include the complete removal of transaction fees, direct settlement and even low-cost credit for customers at the checkout.

As a retailer, you want a system that is future-proof, so choose a payment provider that applies new technology to meet the latest data protection regulations, payment systems and the widest possible range of loyalty options.

Posted October 03, 2019 by FreedomPay

Don’t Take Risks! 5 Steps to Understanding PCI Compliance

No matter how big or small your organization, and whether you sell products or services or both, if you process, store or transmit credit card or payment data then it’s important to be PCI DSS (Payment Card Industry Data Security Standard) compliant. If you don’t, your business could be at risk from fraud, fines, and a wrecked reputation.

  • Risk from fraud
    Retail Fraud surged 30% last year with merchants now paying nearly $3 for every dollar lost. As more retailers invest in anti-fraud solutions, criminals are targeting retailers with vulnerabilities they can exploit with minimal effort. If you’re not PCI compliant you become easy pickings for them.
  • Risk from fines
    PCI compliance is not legally mandated, so there are no criminal charges if you aren’t compliant. However, if you suffer a data breach while not in full compliance, you could be liable to a steep fine from the PCI Security Standards Council (PCI SSC), and possibly under GDPR (in Europe), which holds you accountable for how you safeguard your customers’ data.
  • Risk from lost reputation
    While your business may find it easy to bounce back financially from any criminal losses or fines, the same is not true for your reputation. Once word gets out that your systems aren’t secure, it can impact even the most loyal customers.

PCI safeguards the payment chain

Being PCI compliant means that your business is either meeting the standards and best practices as outlined within PCI DSS or outsourcing to others who are. In particular, the PCI DSS is designed to protect your key transaction systems and processes including:

  • Card readers and point of sale (POS) systems (hardware and software)
  • Store-based networks and wireless access routers
  • Payment card data storage and transmission (e.g. payment gateways)
  • Payment card data stored in paper-based records
  • Online payment applications and shopping carts

The Standard specifies 12 requirements, which are organized into six control objectives relating to the storage, transmission and processing of cardholder data.

In effect this means that merchants are responsible for compliance wherever they come into contact with customers’ ‘sensitive’ data. That means keeping well-documented records and ensuring staff are trained and systems and processes are maintained to PCI standards.

Five Steps to PCI Compliance

No surprise that many sales organizations, already struggling to get to grips with data security, are failing to meet their initial PCI compliance assessments.

So, what’s the best way to make PCI compliance plain sailing? Here are five key steps you can take to keep you on track:

  1. Understand your scope and PCI requirements
    Before you start, it’s important to establish where you currently stand in terms of the PCI criteria. The applicable requirements are different for different businesses (currently 9 categories). These are determined by transaction pathway and exposure to cardholder data. Identifying all the systems and components that are located within, or connected to, your cardholder data environment will give you a good indication of your ‘scope’.
  2. Consider how to aid compliance and reduce scope
    Payment strategy and solutions can have a huge impact on your PCI scope. For example, many online merchants outsource all their data to third-party service providers. As they never touch or view customer credit cards or raw payment data, their scope is significantly reduced, leaving minimal criteria for them to follow. The risk is carried by their partner, who will be responsible for all applicable PCI requirements. Where you are responsible for customer payment data in card-present scenarios, you can minimize scope using PCI point-to-point encryption (P2PE) in conjunction with tokenization to reduce handling of sensitive data.
  3. Follow the PCI assessment process and use the guides to stay on track
    Completing a PCI self-assessment questionnaire (SAQ) will help you assess your current compliance level. There are different versions of this depending on your type of business (see point 1). The relevant guidebook will take you through the process of identifying your current practice and what you have to do to bring your payment security into line with PCI. There are lots of merchant resources to help on the PCI Security Standards Council website.
  4. Ensure your systems make the grade – and change them if they don’t
    Any gaps flagged in step 3 should be rectified. Fixes may be easy (e.g. tweaking an audit process) or more complex (e.g. changing outdated devices, non-compliant payment platforms and even your payment service provider). You can use the SAQ to re-assess your improvements and make sure you’re ready to proceed to the next stage.
  5. Complete your AOC and inform relevant parties
    Once you’re happy with your SAQ, you can complete a formal attestation of compliance (AOC). This claims your business is fully compliant with all relevant PCI standards (according to your business category). If required, now is the time to have a QSA (qualified security assessor) audit and report on your compliance to validate your own findings. Once approved, you must notify relevant credit card companies and/or banks, who may request an additional external vulnerability scan to finalize the process.

The key message is “Don’t leave PCI to chance”. If you’re not certain, it makes sense to get help finding out rather than ignoring the issues and letting your security lag. Most solution providers will be happy to talk through any sticking points. Or you can contact the PCI SSC for a list of approved experts to guide you along the way.

And remember, the PCI DSS is not a tick-in-the-box standard. It is an ongoing process, and checks need to be carried out regularly, which may include an annual audit, to ensure you remain compliant and your customers protected.