CBD, Payment Processing, and PCI Compliance
Online vendors of CBD oil are accustomed to being classified as high-risk businesses. So, you’ll be happy to know that, when it comes to PCI DSS compliance, your small to medium-size ecommerce site is almost certainly considered “low risk.”
PCI DSS defines risk based on how many transactions a company processes. Which means that that all of the service providers that you work with – your payment processor, payment gateway, bank, ecommerce platform – are likely considered to be high risk. High-risk – which is “tier 1” on the PCI DSS compliance scale – translates to handling 1 million or more payment card transactions a year.
That said, anyone whose business involves payment cards (credit, debit and/or prepaid cards) is responsible for complying in some fashion – even if it’s only doing your due diligence when selecting service providers – with PCI DSS. Read on to find out what you need to do.
What Is PCI DSS?
PCI DSS stands for “Payment Card Industry Data Security Standard.” Typically, people just refer to the standard as PCI.
The standard itself is a set of 12 minimum best technical and operational practices for securing payment card data when it is captured, in transit, and at rest. This covers the entire sale cycle – you capture the data when a consumer provides his or her payment card information, that info then travels through various links in the payment services chain, and ultimately is stored “at rest” in a database or databases.
PCI DSS compliance is intended to help businesses prevent, identify and defend against security threats involving the use of data associated with payment cards. The PCI DSS was established and is updated as needed by the PCI Security Standards Council, which was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc. The current version of the PCI DSS is v 3.2.
Do I need to comply with PCI?
Yes, any merchant that accepts payment cards needs to be in compliance with PCI DSS. If you don’t comply, you may be subject to fines and penalties – worst case scenario you can lose your ability to accept payment cards.
However, the compliance requirements vary according to the type and size of your business. A company that handles a lot of transactions, such as a Payment Processor, is required to comply with a much stricter standard. A merchant with a small, online store that processes less than a few thousand transactions a month has more basic responsibilities.
PCI DSS has four tiers of compliance. The amount of transactions a business processes typically determines the standards they need to comply with – the more transactions, the more you need to do to secure data. Here’s how Visa breaks it down:
- Tier 1 processes over 6 million Visa transactions per year. But payment card providers may decide that any specific business, due to its perceived risks or after experiencing a data breach, falls under Level 1.
- Tier 2 processes 1 million to 6 million Visa transactions per year.
- Tier 3 processes 20,000 to 1 million Visa e-commerce transactions per year.
- Tier 4 processes less than 20,000 Visa e-commerce transactions per year.
PCI DSS and CBD Merchants
In general, a small business selling CBD products will work with third-parties such as payment processors like T1 Payments, ecommerce web platforms and other service/solution providers to accept payment cards. While you cannot absolve yourself of all responsibility for PCI Compliance when working with third parties, your primary duty is due diligence. In other words, you need to find out what level of PCI DSS your partners must comply with and determine, to the best of your ability, whether your partners are actually in compliance with PCI DSS.
Service providers can opt to have an annual onsite assessment conducted by qualified auditor, or may conduct an annual Self-Assessment. Choosing one method over another is not particularly indicative of the provider’s compliance. So how do you validate whether your partner really is compliant with PCI DSS?
Google to see if they have experienced any security breaches. If so, find out when it happened, why, and how the problem was remediated. If a provider has experienced multiple breaches, you might want to consider other options.
Talk to the sales rep or customer care person about PCI DSS compliance. Some providers may tell you that they go beyond compliance with PCI DSS and that’s a good thing to hear as PCI DSS is meant only to address a standard set of security protections.
Your best judgement is a good indicator of a provider’s compliance. Ask yourself these questions: Is the company well-established? Does it have solid relationships in the financial industry? Does its customer support and/or sales department respond easily and knowledgably to questions about PCI DSS or is there a very long pause? Do they seem to be irritated that you asked about compliance? Is PCI DSS compliance mentioned on the company’s website?
Bottom line: PCI DSS is part of your job description when you’re running an ecommerce business site. As a small business owner with partners handling payment card processing your business’ risk exposure is probably minimal, but you need to choose the right partners. Keep records of the questions you ask potential partners, and their answers to prove you did your due diligence. Chose established providers, and remember that the least expensive option may end up costing you the most in the long run.
T1 Payments specializes in meeting the needs of high-risk merchants, providing a full suite of Payment Processing, including advanced fraud scrubbing and other risk management tools, and Payment Gateway services that integrate with over 175 different shopping carts. T1 also provides flat fee merchant accounts, complies fully with PCI DSS (Level 1), and offers comprehensive account monitoring, reporting and support to help high-risk merchants avoid chargebacks, fraud and other business risks. To find out more about our customizable global payment solutions for high-risk merchants please visit t1payments.com or call 866-518-2216.