What we will cover
Yes, PCI compliance does apply to you…
…That is unless your business completely avoids debit or credit card data (i.e. you only take cash, cheques, bank transfers or direct PayPal payments).
Otherwise, even if you use PayPal, Stripe, SagePay or another payment processor to handle card payments, you are subject to PCI compliance.
From PCI DSS to SAQs: decoding the jargon
Unfortunately, there is no getting away from payment industry jargon if you are going to get your head around PCI compliance.
First, it might be helpful to understand what PCI DSS is, how it came about and what happens when things go wrong, such as a data breach.
The PCI DSS stands for the Payment Card Industry Data Security Standard. It is overseen by the PCI Security Standards Council (PCI SSC), an independent body set up in 2006 by the five major credit card companies: Visa, MasterCard, AMEX, JCB and Discovery. Its purpose was to improve security around payment card data.
While the PCI DSS is not a law, any organisation that accepts, stores, processes or transmits data from credit, debit or pre-paid cards from these five brands must agree to be compliant. Security covers everything from the account holder’s name to the magnetic data held on the strip.
If a data breach should occur, the card brand will approach the payment accepting bank and determine whether a fine is applicable for non-compliance with PCI DSS. Fines can range from a few thousand pounds to over a hundred thousand pounds. Since the payment accepting bank is responsible for ensuring PCI DSS compliance down the chain, they will then pass on the fines to the payment gateway providers or merchant stores as appropriate.
Now, here is where your business comes in because your choice of set-up will determine how exposed you are to these risks. In short, the more of the payment process you outsource to a third party, the easier it is to avoid non-compliance and fines.
Regardless of your payment set up, if your SME takes payment from customers via their debit, credit or pre-paid card, you will have to fill out a self-assessment questionnaire (SAQ).
The easiest way to get hold of a form is to download it from the PCI SSC Documents Library. But which form do you need? That depends on your set-up.
So, which form do you need?
Most small and medium-sized businesses will fit into one of three boxes. They will either:
- take card payments online and wholly outsource processing to a payment processor (PayPal, Stripe, SagePay, etc.). This would correspond to form SAQ A
- take card payments online and partially outsource processing. This would correspond to form SAQ A-EP
- take card payments via a point of sale terminal. This would correspond to form SAQ C
There can be some confusion between wholly and partially outsourced payment processing because most online payment processors offer various set-ups and these can look and feel very similar from the customer’s perspective. The difference lies mainly in where the payment data is being stored.
For example, your customers might enter their card details on a page hosted on your website or be sent to a page hosted by the third party payment provider. They might even enter their details on a third party page that has been designed (e.g. using i-frames) to look as if they are still on your website.
When choosing a payment processor – a subject we will cover in a separate article – the specific way in which data is stored and processed should be a key factor in deciding which you use.
There is more specific detail about which types of set up relate to which forms at https://www.pcicomplianceguide.org/faq/
Unless you are filling in SAQ A, you will also have to perform a quarterly vulnerability check using an approved scanning vendor (ASV). They will use an automated tool to perform a non-intrusive scan of your payment systems to check for vulnerabilities.
The SAQ (which includes your Attestation of Compliance) must be sent, along with your scan results, to your payment processor or merchant bank.
If you are new to the world of e-commerce website, Vu Online can make sure you do things properly from the get go.
Do you know anyone who may be interested in this project?
Click to share: