PCI DSS Compliance for Ecommerce: Myths and Reality
By Vu Online On June 12, 2012 - Web Design
Merchants of all sizes that handle credit or debit card data, even just briefly, are required by the banks and card companies (aka the Payment Card Industry) to comply with a set of Data Security Standards. This seems like a good thing for consumers, but what does it mean for your business and what happens if you don’t comply? This white paper addresses these issues and outlines an action plan for your business to get compliant.
PCI DSS: What’s all the fuss about
Myth: The government isn’t involved with PCI DSS so it’s not important.
Simply put, there is just no way for national governments to oversee a global industry. Payment card companies are multinational and have banded together to protect their customers – and their own interests – by forming their own security standards.
Thus, PCI DSS stands for Payment Card Industry Data Security Standard.
The trouble is that many merchants are unaware of the data security standards and their need for compliance with them. The first that many hear of PCI DSS is when their merchant bank asks for an Attestation of Compliance.
Even worse for the small business-owner is that each card company has different requirements for compliance (though they are similar) and you will need to check with each one individually to determine what you need to do be reach compliance.
Sadly, most merchant banks are unlikely to be helpful here if you run into trouble or are confused about what you need to do.
What if I use a third-party processor such as SagePay?
This is where the fuss really begins.
Technically, even if you use a third-party processor, you must be PCI DSS compliant. Using a third-party may cut down on your own the efforts you need to make to ensure your compliance.
Using a third-party processor makes things slightly easier in terms of your requirements for security in data storage, but you simply can’t ignore the data security standards just because you use SagePay.
How the compliance system works
Myth: PCI DSS isn’t enforced.
Each payment card brand enforces their own compliance programmes. Under the requirements of the DSS, all companies that process, store or transmit card (credit or debit) information are required to maintain a secure environment.
Basically, if you have a merchant ID, you need to be compliant. However, the level of compliance can be different depending on the number of card transactions you process in a year, regardless of how the card data is taken (e.g. over the phone, online, mail order).
Visa merchants are categorised into 4 levels:
- Level 1: Merchants processing over 6M Visa transactions per year or any merchant that Visa deems a Level 1 merchant in order to minimise risk.
- Level 2: Merchants processing between 1–6 million Visa transactions per year.
- Level 3: Ecommerce merchants processing between 20,000 and 1 million Visa online transactions per year.
- Level 4: Ecommerce merchants processing fewer than 20,000 Visa online transactions per year and other merchants processing (across all payment channels) up to 1 million Visa transactions per year.
Unless you’re an ecommerce business processing over 20,000 Visa card transactions per year, you’ll be a level 4 merchant and you will handle your own assessment and compliance (called independent assessment). If you also handle MasterCard, you’ll need to contact them as well to find out about their compliance requirements.
Self-assessment questionnaires (SAQs)
If you qualify as a self-assessment merchant, you will need to fill out the appropriate self-assessment questionnaire (SAQ). Which questionnaire you need is based on how you handle card payments. The full self-assessment process and an excellent guide can be found on the PCI Standards Council website. There are exclusions allowed and guidance within the documentation to help you decide what sections you need to answer.
Scans, Compliance and Who Needs What
Your systems and website will need to be scanned quarterly for vulnerabilities and risks. Each card company has different requirements and you’ll need to check whether you can do the security scans yourself or through an approved vendor.
You will need to send the SAQ, evidence of a scan ‘pass’ (if required) and your Attestation of Compliance (part of the SAQ), and any other documentation the card company requires to your acquiring bank (merchant bank).
Which businesses are affected?
Myth: I’m too small. Only the big retailers need PCI DSS.
Basically, anyone with a merchant number or who builds ecommerce software needs to comply with PCI DSS.
The payment card companies have collectively adopted these standards as a requirement for any organisation that processes, stores or transmits payment cardholder data, regardless of size of the organisation.
Fines Versus Annual Compliance Charges
Myth: These things are just for show, I’m better off avoiding the cost of compliance and paying a fine.
Card fraud is a serious issue for everyone, and it costs the payment card companies millions of dollars per year. Therefore, the industry is very serious about tackling it.
The fines levied are really at the discretion of the payment card brands and they are directed at the acquiring bank (i.e. your merchant bank). If you would like to know specifically what fines you could incur, you will need to find out directly from the card brands you accept.
Generally, fines range from USD $5,000 to $100,000 per month. Most likely the bank will pass these fines on to you as the merchant. Not only does this affect your profits, this could also result in increased charges from your bank and even in suspension of your merchant account.
Not to mention that incidents of card fraud are an insurance nightmare, rife for law suits and a hot topic in the media. Reports of your business losing sensitive customer data could spell the end of your business.
Check the terms of your merchant agreement to see what your responsibilities and resulting penalties are.
The cost for PCI DSS compliance will vary as it depends on the level of card transactions you process each year. Annual compliance costs for a typical Level 4 merchant would include quarterly scanning of your network by an approved company (if required). Then there is the time it takes to complete the self-assessment questionnaire and documentation to the bank.
Though many suggest that PCI DSS is yet another way for the payment card industry to squeeze honest merchants, these standards and the resulting fines for non-compliance are really the best (and safest) way forward in an unregulated industry.
Simply put, it is not worth the risk to ignore the DSS.
Is there any alternative?
Using PayPal as your payment processor appears to be one alternative. By using PayPal, you will not need a merchant ID and therefore, you won’t need to be PCI DSS compliant.
PayPal has its own set of pros and cons and any ecommerce merchant considering it as payment processor needs to assess whether this is the right route to go down.
What to do: Your PCI DSS certification action plan
Let’s just assume you have a merchant ID and you need to be PCI DSS compliant. What should you do?
Here is our 5-point plan for certification. This is an ongoing process, and annual assessment is necessary to continue to ensure you are in compliance.
- Audit – you should begin by identifying any cardholder data your company possesses (or plans to possess). Make a complete inventory of your business IT infrastructure and your business processes for payment card processing (don’t forget all the ways you take card payments: online, over the phone or through the post).
- Analyse – after auditing what data you possess, you need to decide whether you truly need it. The rule here should be if you don’t need it, don’t store it. You’ll want to analyse your IT, business policies and security for any vulnerabilities that could put cardholder data at risk of exposure.
- Amend – fix any issues you identify in step 2; the best time to do this is before your self-assessment, so plan ahead.
- Assess – when you have fixed any vulnerabilities, it’s time to do your self-assessment and have your systems scanned (or do it yourself if you qualify). Send in the documentation as required by the card payment brands you accept.
- Annual-ify – put dates into your diary for quarterly scans and annual self-assessment questionnaire times. This way you’ll stay in compliance and be working to prevent unwanted or accidental loss of your customers’ sensitive card information.
For more information on PCI DSS, we have pulled together some handy websites below:
- PCI Security Standards Council – www.pcisecuritystandards.org
- PCI for Small Merchants – www.pcisecuritystandards.org/smb/
- American Express: www.americanexpress.com/datasecurity
- MasterCard Worldwide: www.mastercard.com/sdp
- Visa Europe: www.visaeurope.com/ais
- Merchant Levels by Card Company www.pciassessment.org/merchants.php
- Excellent FAQ on PCI DSS Compliance www.pcicomplianceguide.org/pcifaqs.php
As specialists in online business, we are always happy to discuss your business plans and ecommerce situation to help you become compliant with PCI DSS.
- SEOmoz, Social Annotations in Search: Now Your Social Network = Rankings, http://www.seomoz.org/blog/social-annotations-in-search-now-your-social-network-rankings, Accessed 07.04.2012
- Searchengineland, Bing Ups Ante in Social Search, http://searchengineland.com/bing-ups-ante-in-social-search-re-ranking-serps-with-likes-77269, Accessed 07.04.2012