We’re sure you’ve at least had some experience with the term PCI compliance. It’s usually something your merchant processor refers to.
PCI DSS stands for Payment Card Industry Data Security Standard. There are different levels and stages of PCI compliance for merchants and for providers involved in the payment processing chain of events.
As a software provider, our processing volume for client transactions has multiplied. In January, we began moving towards our next level of PCI security standards. This means card data will no longer simply be encrypted. It will now become tokenized. This is an even higher level of protection for your end customer.
Some clients have asked what changes they need to make. The great news is that none of your processes change. Everything will appear the same, and the token will surface the last 4 digits of the card number for verification purposes just as it was when data was encrypted.
It is a considerable cost in resources to make this transition, and it makes sense to put this in place for you and your customers.
While we are not yet required to move towards this level, it’s the best way to be ready for the future. Additional levels that will be enhanced are already in the works for our next steps of security standards.
UPDATE December 29, 2018:
What about payment data?
In January 2019, we begin transitioning to a higher level of PCI compliance standards. PCI DSS (Payment Card Industry Data Security Standard) regulates the protection policies and standards of any business processing card payments. While we have always had PCI compliance, we are increasing our level of stringency ahead of possible requirements so we are fully prepared when the next stage is reached. PCI levels depend on transaction volume and revenues.
This next step includes a variety of policy updates, in addition to moving from high-level encryption to tokenization (effective February 1st, 2019). As of February 1st, 2019, the token is reversible, and a $450 fee is assessed for processing the request on behalf of the client. In future PCI compliance stages, tokens will be unrecoverable to ensure card holder data cannot be breached, reverse engineered, or misused in any way.
Beginning in May 2019, the tokenization will move to the highest level of protection ensuring even more stringent protection, making a card number unrecoverable by any technology or person.
Until May 2019, we will be able to pass along the fee to those who find themselves requiring the token reversal process, so it’s not applicable to all business use cases. We understand the impression that customer data feels like it’s owned by the business. However, PCI standards are clear that the information is the card holder’s and theirs alone, and that we are bound to enforce PCI standards as part of the payment processing chain of events.
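To make the difference between the two token designs described above concrete (a token that keeps the last 4 digits for verification, reversible through a vault until May 2019 and unrecoverable after that), here is an added illustrative example. It is not code from this announcement or from the provider's own platform; the class and function names, the in-memory vault, and the test card number 4111111111111111 (a well-known Luhn-valid test PAN, not a real account) are all constructed for the example. It shows why a tokenized card number is safer than an encrypted one: the token is random, it deliberately fails the Luhn check so it can never be mistaken for a card number, and in irreversible mode the real PAN is simply never retained.

```python
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service (constructed for this example).

    reversible=True  : token -> PAN mapping is kept, so the card number can be recovered.
    reversible=False : nothing but the token is retained; recovery is impossible by design.
    """

    def __init__(self, reversible: bool):
        self.reversible = reversible
        self._vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        last4 = pan[-4:]
        while True:
            # Random body of the same length, last 4 digits preserved for verification.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + last4
            # Reject any candidate that passes Luhn: a token must never look like a real PAN.
            # Also avoid reusing a token already issued by this vault.
            if not luhn_valid(token) and token not in self._vault:
                break
        if self.reversible:
            self._vault[token] = pan   # the only place the PAN survives
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only possible while the vault is in reversible mode."""
        if not self.reversible:
            raise PermissionError("irreversible token: the card number was never retained")
        return self._vault[token]


def mask(token: str) -> str:
    """Display form: everything but the last 4 digits hidden, as on a receipt."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    test_pan = "4111111111111111"          # constructed test number, not a real card
    reversible = TokenVault(reversible=True)
    t = reversible.tokenize(test_pan)
    print("token:", t, "display:", mask(t), "recovered:", reversible.detokenize(t))

    final = TokenVault(reversible=False)
    u = final.tokenize(test_pan)
    try:
        final.detokenize(u)
    except PermissionError as e:
        print("irreversible:", e)
```

The reversible vault is the weak point: whoever can read `_vault` can read every card number, which is why the final stage removes it entirely and why any request to reverse a token is treated as an exceptional, fee-bearing event rather than a routine lookup.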