What we will cover
If you run an e-commerce site, you will probably have come across PCI DSS. If not, you will need to get acquainted with how it applies to your business.
Basically, if you take card payments from your customers, regardless of whether you actually store their card details (or ever set eyes on a payment card), you are required to be PCI DSS compliant. So what does PCI compliance mean for a business here in the UK?
PCI DSS stands for Payment Card Industry Data Security Standard. It came about when the big card brands (AMEX, MasterCard, Visa, etc.) brought their individual security programmes together into a single standard over a decade ago.
At the time of writing, the current version of PCI DSS is 3.2.
What type of payment method does your site use?
Your auditing and reporting responsibilities depend upon the type of payment service you provide. You won’t be able to escape the headache of getting PCI DSS compliant but choosing an option near the top of the list will at least save you from the migraine of maximum compliance.
- Offsite payment. This is where your payment gateway provider (Authorize.net, PayPal, SagePay, etc.) provides the payment form on their server. You simply pass the customer through to their site and receive them back after the payment has been checked and processed.
- Offsite payment via iFrame. This is essentially the same as offsite payment but the offsite payment form is viewed through a frame. Customers feel as if everything has happened on your site but your compliance requirements are still relatively light.
- Onsite payment. In this set-up, you host the payment form on your web-host’s servers. After your customer has entered their details, they are forwarded to the payment gateway provider for checking and processing. The customer gets a professional onsite experience but you are entering serious headache territory when it comes to compliance. For a start, your hosting provider will also need to be PCI DSS compliant to the appropriate level.
- Onsite payment with card storage. You masochist, you. Not only are you willing to be responsible for securing your customers’ payment data en route, you want to store their details for future use too.
Payment gateways have their own terminology for offsite and onsite payment solutions. For example:
- Authorize.net use SIM (Server Integration Method) for offsite payments and AIM (Advanced Integration Method) for onsite payments.
- PayPal use Web Payments Standard (offsite) and Web Payments Pro (onsite).
- SagePay use Hosted (offsite), Hosted InFrame (offsite via iFrame) and Self-Hosted (onsite).
The offsite iframe approach is good news for your compliance responsibilities, but the user experience can be poor enough to hurt conversion.
Our years of building e-commerce websites tell us that our partner Stripe does the best job of balancing user experience with keeping compliance obligations to a minimum.
Yes, PCI compliance does apply to you…
…That is unless your business completely avoids debit or credit card data, i.e. you only take cash, cheques, bank transfers or PayPal account-to-account payments in which no card is involved.
Otherwise, even if you use PayPal, Stripe, SagePay or another payment processor to handle card payments on your behalf, you are still subject to PCI compliance. Outsourcing reduces the scope of what you have to assess; it does not remove the obligation.
Understanding levels of PCI DSS compliance
In addition to the type of payment processing you do, your compliance requirements will be related to the number of transactions you carry out per year. Most e-commerce store owners will need Level 4 compliance only, but here is the full list:
- Level 1. 6 million or more transactions per year
- Level 2. 1 to 6 million transactions per year
- Level 3. 20,000 to 1 million transactions per year
- Level 4. Fewer than 20,000 transactions per year
Of course, it would be nice and easy if all the card companies agreed on and used these levels but they each run their own parallel system too. Fortunately it makes little practical difference to what you have to do.
PCI Compliance UK: The nuts and bolts
PCI DSS sets out 12 requirements split into six ‘control objectives.’ The control objectives are, as follows:
Build and maintain a secure network and systems. Your requirements are to install and maintain a firewall to protect cardholder data (CHD) and to not use vendor-supplied defaults for system passwords and other security parameters.
Protect cardholder data. Here you need to protect stored cardholder data and encrypt cardholder data you transmit across open, public networks.
Maintain a vulnerability management program. You should protect your systems with appropriate anti-malware software and apply regular updates. You need to develop and maintain secure systems and applications.
Implement strong access control measures. This covers identification and authentication when accessing all components of your system and restricting both physical and virtual access to CHD.
Regularly monitor and test networks. You will need to monitor all access to resources and CHD. You will also need to test systems and processes on a regular basis.
Maintain an information security policy. This should cover all personnel who come into contact with CHD.
From PCI DSS to SAQs: decoding the jargon
Unfortunately, there is no getting away from payment industry jargon if you are going to get your head around PCI compliance.
First, it might be helpful to understand what PCI DSS is, how it came about and what happens when things go wrong, such as a data breach.
The PCI DSS stands for the Payment Card Industry Data Security Standard. It is overseen by the PCI Security Standards Council (PCI SSC), an independent body set up in 2006 by the five major card brands: Visa, MasterCard, AMEX, JCB and Discover. Its purpose was to improve security around payment card data.
While the PCI DSS is not a law, any organisation that accepts, stores, processes or transmits data from credit, debit or pre-paid cards of these five brands is contractually required, through its merchant agreement, to be compliant. The data in scope covers everything from the account holder’s name and card number to the data held on the magnetic stripe.
If a data breach should occur, the card brand will approach the acquiring bank (the bank that accepts card payments on the merchant’s behalf) and determine whether a fine is applicable for non-compliance with PCI DSS. Fines can range from a few thousand pounds to over a hundred thousand pounds. Since the acquiring bank is responsible for ensuring PCI DSS compliance down the chain, it will then pass on the fines to the payment gateway providers or merchant stores as appropriate.
Now, here is where your business comes in because your choice of set-up will determine how exposed you are to these risks. In short, the more of the payment process you outsource to a third party, the easier it is to avoid non-compliance and fines.
Regardless of your payment set up, if your SME takes payment from customers via their debit, credit or pre-paid card, you will have to fill out a self-assessment questionnaire (SAQ).
The easiest way to get hold of a form is to download it from the PCI SSC Documents Library. But which form do you need? That depends on your set-up.
So, which form do you need?
Most small and medium-sized businesses will fit into one of three boxes. They will either:
- take card payments online and wholly outsource processing to a payment processor (PayPal, Stripe, SagePay, etc.). This would correspond to form SAQ A
- take card payments online and partially outsource processing. This would correspond to form SAQ A-EP
- take card payments via a point of sale terminal. This would typically correspond to form SAQ C, although a standalone terminal that dials out or connects directly to the processor, or a validated P2PE terminal, may qualify for the shorter SAQ B, B-IP or P2PE instead
There can be some confusion between wholly and partially outsourced payment processing because most online payment processors offer various set-ups and these can look and feel very similar from the customer’s perspective. The difference lies mainly in where the card details are captured and where the page that captures them is served from: if every element of the payment page comes from the processor, it is wholly outsourced; if your own web server delivers any part of it, it is only partially outsourced.
For example, your customers might enter their card details on a page hosted on your website or be sent to a page hosted by the third party payment provider. They might even enter their details on a third party page that has been designed (e.g. using iframes) to look as if they are still on your website.
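One practical check that follows from this: if your integration is meant to be wholly outsourced (hosted page, iframe or a tokenised form posted straight from the browser to the gateway), then raw card numbers should never arrive at your own order endpoint, and you can enforce that rather than assume it. The example below is added here to illustrate the point and is not code from the original article or from any payment provider. The field names (`payment_token`, `card.number`), the sample requests and the endpoint handler are constructed for this illustration; the PAN detector uses a 13 to 19 digit Luhn check, and the masking follows the PCI DSS 3.3 rule of showing at most the first six and last four digits.

```javascript
// Added example (not from the original article): a guard in front of a merchant
// order endpoint that refuses requests carrying anything that looks like a PAN,
// so the server only ever handles gateway tokens. Field names and sample
// requests below are constructed for this example.

// Luhn (mod 10) check over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, after removing spaces and dashes, it is
// 13 to 19 digits long and passes the Luhn check.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Walk a parsed request body (JSON or form-decoded object) and return the
// dotted paths of every field whose value looks like a PAN.
function findPanFields(body, prefix = '') {
  const hits = [];
  for (const [key, value] of Object.entries(body || {})) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (value !== null && typeof value === 'object') {
      hits.push(...findPanFields(value, path));
    } else if (looksLikePan(String(value))) {
      hits.push(path);
    }
  }
  return hits;
}

// Mask a PAN for display: first six and last four at most (PCI DSS req. 3.3).
function maskPan(pan) {
  const digits = pan.replace(/[\s-]/g, '');
  return digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4);
}

// Minimal order handler: accept a gateway token, reject any raw card data.
// Returns a plain object standing in for an HTTP response.
function handleOrder(body) {
  const leaked = findPanFields(body);
  if (leaked.length > 0) {
    // Do not echo the value back; log only the field path.
    return { status: 400, error: 'card data must not be sent to this server', fields: leaked };
  }
  if (typeof body.payment_token !== 'string' || body.payment_token.length === 0) {
    return { status: 400, error: 'missing payment_token' };
  }
  return { status: 200, order: { amount: body.amount, token: body.payment_token } };
}

// Constructed sample requests: a tokenised checkout (what a wholly outsourced
// integration sends) and a leaky one where the browser posted the card to us.
const tokenisedCheckout = { amount: 1999, payment_token: 'tok_example_123' };
const leakyCheckout = { amount: 1999, card: { number: '4111 1111 1111 1111', expiry: '12/29' } };

console.log(handleOrder(tokenisedCheckout));
console.log(handleOrder(leakyCheckout));
console.log(maskPan('4111 1111 1111 1111'));
```

The Luhn check is there to cut down false positives from ordinary long numbers, but it is not a guarantee either way (some non-card identifiers also pass Luhn), so treat a hit as a reason to look at the integration, not as proof of a breach. If this guard ever fires in production, your site is not the wholly outsourced set-up that SAQ A assumes, whatever the processor's marketing name for the integration.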
When choosing a payment processor – a subject we will cover in a separate article – the specific way in which data is stored and processed should be a key factor in deciding which you use.
There is more specific detail about which types of set up relate to which forms at https://www.pcicomplianceguide.org/faq/
Unless you are filling in SAQ A, you will also have to have a quarterly external vulnerability scan carried out by an approved scanning vendor (ASV). They use an automated tool to perform a non-intrusive scan of your Internet-facing payment systems for known vulnerabilities, and you need a passing scan each quarter.
The SAQ (which includes your Attestation of Compliance) must be sent, along with your scan results, to your payment processor or merchant bank.
PCI DSS compliance in practice
In practice, PCI DSS compliance is a continuous process following a repeating cycle of assessment, remediation and reporting.
All e-commerce merchants will start by filling in an annual self-assessment questionnaire (SAQ), which helps them to assess compliance and uncover gaps requiring remediation.
How do you know which one to fill in?
You can find this information out from your payment gateway provider or, if you only use one card service, their documentation. Each card brand and payment gateway approaches compliance in a different way. For example, a payment gateway may specify which ASV to use for system scanning purposes. Merchant fees will also vary depending on the type and level of e-commerce involved.
As a rule, where no card is present and you use offsite (wholly outsourced) processing only, SAQ A is normally sufficient. For onsite processing without card storage, where your own page captures the card details but sends them straight from the customer’s browser to the gateway, SAQ A-EP applies; if card data passes through your own server at any point, expect to be assessed against the full SAQ D.
In addition, some merchants may need to submit to a periodic on-site audit, carried out by a qualified security assessor (QSA), and/or a website and server scan, carried out by an approved scanning vendor (ASV).
To help you to apply fixes, the PCI Security Standards Council (PCI SSC) provides a six milestone ‘Prioritized Approach.’
The final stage is to report your progress to your payment gateway or card services provider following the method they outline.
Hopefully that gives you a handle on what PCI compliance means for a UK business. PCI compliance is not the most fun part of running an e-commerce store. Then again, neither is waking up one morning to find out that your customers’ details have been stolen and you are facing a non-compliance fine with several zeros on the end.
If you need any help from a local digital agency for this or anything else related to Website Design or Development, then please get in touch.