THE CLARUS Blog

PCI-DSS Compliance and Loyalty – What’s Involved and Why It’s Critical for Retailers 

PCI-DSS compliance and loyalty programs aren’t usually mentioned in the same breath. 

But with 90% of retailers thinking about launching premium loyalty programs, where your customers pay for membership, understanding how PCI-DSS compliance impacts your loyalty program has become critical.  

After reading this article, you’ll have a solid understanding of what PCI-DSS compliance is, why it’s critical if you’re thinking about launching a premium loyalty program, and what’s involved in obtaining compliance for your brand. 


What is PCI-DSS Compliance? 

PCI-DSS, which stands for Payment Card Industry Data Security Standard, is a set of requirements intended to ensure that every company that processes, stores, or transmits payment card data (credit and debit) maintains a secure environment. Its purpose is to keep your customers' card data protected. 

It provides the framework for developing a complete payment card data security process that covers prevention, detection, and appropriate reaction to security incidents. Merchants and service providers complying with this standard attest to meeting the requirements of this framework.  

Higher-volume merchants and service providers, along with some, like Clarus, that want to clearly demonstrate their commitment to security, go one step further and have their compliance evaluated by an independent third party before making that attestation. This is the equivalent of taking an annual 251-question exam on the subject, as opposed to a "yeah, I know it" statement. Clarus has consistently demonstrated its ability to pass this exam.  

The PCI Security Standards Council (PCI SSC), founded by the major card brands, created a global Data Security Standard (PCI-DSS) to ensure that as payment cards are used, cardholder information and the data needed to make a payment are protected.    

There are six goals of PCI-DSS:  

(1) Build and Maintain a Secure Network 

(2) Protect Cardholder Data 

(3) Maintain a Vulnerability Management Program 

(4) Implement Strong Access Control Measures 

(5) Regularly Monitor and Test Networks 

(6) Maintain an Information Security Policy  

It covers policy, technical controls, and processes so that vendors and merchants can create an environment where card transactions can be completed securely.  

PCI-DSS reviews how merchants and vendors actually operate, not only which security tools they may have in their toolbox. 


Why PCI-DSS Compliance is Critical When Launching Your Premium Loyalty Program 

Consider that only 30% of businesses achieved PCI compliance in 2020.  

Retailers with premium loyalty programs accept card payments from members and are responsible for protecting that cardholder data. For programs billed on a recurring basis, they (or their service providers) may also store card numbers, or, more securely, tokens issued by a payment processor that stand in for the card number. Keeping the actual card number (the PAN) out of your own systems is the single most effective way to reduce the scope, and therefore the cost and effort, of your PCI-DSS assessment. 

There are several potential outcomes for vendors and retailers that fail to comply with PCI-DSS:  

  • A missed opportunity as a purchase fails, and the potential member leaves your site— perhaps never to return  
  • Loss of the privilege to accept credit card payments  
  • Fines  
  • Monthly fees  
  • Additional fee(s) tacked on to each payment transaction 
  • Reputation damage (loss of consumer confidence)  

Most businesses are aware of the reputation damage that may come with a breach of card data. Beyond that come tangible financial impacts such as penalties, per-transaction fees, and fines.   

Therefore, ensuring PCI compliance is critical for retailers with premium loyalty programs, or ones that plan to launch them. 

One of the keys to earning customer loyalty is trust. Compliance with PCI-DSS means your payment systems meet a recognized security baseline, and it gives your customers a concrete reason to trust you with their sensitive payment card information. 

When your customers want to join your premium loyalty program, you want them to have the assurance that their payment information will be handled safely. PCI compliance helps provide that assurance.  


What’s Involved in Obtaining PCI-DSS Compliance for Your Loyalty Program? 

Most low-to-moderate-volume merchants and vendors complete a PCI-DSS Self-Assessment Questionnaire (SAQ) to document an internal assessment of their own compliance with PCI-DSS. Which SAQ applies depends on how cardholder data is handled: a merchant that fully outsources its payment pages to a compliant provider and never touches card numbers answers a much shorter questionnaire than one that stores card numbers in its own systems. Either way, this approach relies primarily on trust.  

By contrast, high-volume merchants and vendors are generally required to have a certified, independent assessor, called a Qualified Security Assessor (QSA), evaluate their level of compliance with PCI-DSS and document it in a Report on Compliance (ROC). This approach relies on both trust and verification.  

PCI-DSS is not a panacea or a magic pill. It is a risk-management baseline, not proof that a system cannot be breached. 

Clarus understands this and has taken the time to understand and apply the standard as part of its broader information security strategy.  

PCI-DSS is one part of a more comprehensive security puzzle.   

At Clarus, other pieces of that puzzle include training, additional network security, our software development process, and a proactive approach to identifying technology risk.    

A few years back Clarus stepped forward, opting to undergo a full PCI-DSS audit before it was required. Why?    

Clarus wants its retail partners to know they are partnering with a vendor that understands the importance of credit card security and genuine accountability for that security.   

And for the second year in a row, the QSA has confirmed Clarus’ commitment to data security in its Report on Compliance (ROC).   

Clarus has also gone through the process of registering as a Third-Party Agent (TPA) with Visa to make it easier for our customers to work with us.    

In some situations Visa requires its members and merchants to work only with registered TPAs; because Clarus is already registered, it is positioned to work with retailers on Day 1.   


Remove Any PCI-Compliance Concerns for Your Premium Loyalty Members (and Your Brand) 

Have you demonstrated your commitment to data security?   

Are your service providers a secure part of your process for accepting credit card payments?   

Have your service providers demonstrated a commitment to data security?  

Premium loyalty is growing, and with the right partner, your brand can leverage this growth while minimizing the risk associated with PCI-DSS compliance.   

Loyalty vendors need to protect consumer data and their clients’ data.   

Clarus does not want your customers to have an interrupted experience, especially when they are close to signing up. With experienced engineers and an eye on security, we provide our retail partners with a worry-free PCI-DSS compliance experience.  

Are your partners ready for card network requirements? You will find Clarus is ready, and listed.   

 If you’d like to chat more about PCI-DSS Compliance, or customer loyalty strategy in general, contact us here 

Are You Ready to Go Premium?

If you want to become a 24/7 presence in your best customers' lives, it's time to get started.