One of the things I am asked about most often is PCI compliance, and for most small business owners it is a confusing area!
Here are a few things that I hope will clear it up!
What is PCI DSS or PCI compliance exactly?
PCI DSS is officially the Payment Card Industry’s Data Security Standard.
It is a set of requirements for enhancing payment account data security by creating a strong, systematic way for merchants to secure cardholder data. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. This multifaceted security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to help organizations proactively protect customer account data.
Why does an ecommerce business need PCI compliance?
Since ecommerce companies perform electronic transactions only, credit card numbers are especially vulnerable to theft by cyber criminals.
If the credit card numbers are not encrypted or tokenized (a data security model whereby surrogate values or “tokens” are substituted for the actual credit card numbers), they can be remotely “sniffed out”, as it is called in the industry.
In short, “sniffing” programs let a hacker read data that is not encrypted as it travels over the network, and then pull the card numbers out of it.
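To make the tokenization idea above concrete, here is an added example (not code from the original post or from any vendor) of a hypothetical in-memory token vault: the storefront hands the real card number to the vault once, keeps only the surrogate token, and displays a masked value. The sample card number is the well-known Visa test number, not a real account.

```python
import secrets

# Constructed sample input: a standard test PAN, not a real cardholder number
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Hypothetical stand-in for a tokenization service that lives inside the
    PCI scope. The merchant's own database stores only the tokens it returns."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:        # same card always maps to the same token
            return self._token_by_pan[pan]
        while True:
            # Keep the last four digits for receipts; randomise everything else.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token must be unique and must FAIL the Luhn check, so it can never
            # be mistaken for (or accidentally used as) a real card number.
            if token != pan and token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment processor side should ever call this."""
        return self._pan_by_token[token]


def mask(value: str) -> str:
    """Display form: everything but the last four digits hidden."""
    return "*" * (len(value) - 4) + value[-4:]
```

Anything outside the vault (order records, logs, support screens) should only ever see the token or its masked form, which is what keeps those systems out of PCI scope.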
Does every ecommerce website have to be PCI compliant?
The short answer is YES! If you process credit cards online you must comply with PCI DSS.
The compliance requirements may differ for various companies based on the amount of transactions they process.
So how do I know what my compliance standards are for my store?
There are four classifications, or Levels, for businesses – and for Visa here are the requirements:
Level 1 merchants process over 6 million Visa transactions annually (all channels).
Level 2 merchants process 1 million to 6 million Visa transactions annually (all channels).
Level 3 merchants process 20,000 to 1 million Visa ecommerce transactions annually.
Level 4 merchants process less than 20,000 Visa ecommerce transactions annually. In addition, all other merchants processing up to 1 million Visa transactions annually are classified as Level 4 merchants.
So what do I need to do to be in compliance?
Well, this is where it gets tricky because each card brand has its own compliance requirements. You can see what Visa requires below, but MasterCard, AMEX and Discover may have different requirements.
1) Level 1 merchants must complete an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); complete a quarterly network scan by an Approved Scan Vendor (ASV); and file an Attestation of Compliance Form.
2) Level 2 and Level 3 merchants must complete an Annual Self-Assessment Questionnaire (SAQ), complete a quarterly network scan by an ASV and file an Attestation of Compliance Form.
3) Level 4 merchants are encouraged to complete an annual SAQ and have an ASV perform a quarterly network scan, if applicable. Compliance validation requirements are set by the acquirer.
Visa will also escalate a merchant to a higher validation level if they have shown to have a breach that resulted in any kind of account data compromise.
The PCI Security Standards Council maintains links to each of the six credit card companies’ — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc. and Visa Europe — requirements on its website.
What if I decide not to be compliant?
Well, we would hope if you are running an ecommerce website you would care about the safety and security of your customer data and want to make sure your site is compliant.
But if you decide not to comply with PCI DSS you can face stiff penalties set by the credit card companies, ranging from fines to termination of your ability to accept credit cards for your business. And if you do have a breach and credit card information is stolen from your site while you are not compliant, you have no protection.
I have SSL installed, isn’t that the same thing?
No. SSL certificates do not offer protection against malicious attacks. An SSL certificate is a first-tier level of security, so to speak: it verifies that the website operator is legitimate and that there is a secure connection between the browser and the web server.
So what can I do to make my site PCI Compliant?
If you host with 2 Dogs Design, we use Liquid Web for our server and we offer PCI Compliant Hosting with Liquid Web. A scan is run as required by your merchant to keep your website PCI compliant. When we initially move a site to PCI compliant hosting they will run several tests and scans to determine if there are any PCI leaks – and then we work with the host to fix them.
If you do not host with us, then we highly recommend finding a hosting company that IS PCI compliant to ensure the safety of your site.
For more information, visit the PCI Security Standards Council.