PCI Compliance for E-commerce
All online retailers that accept credit card payments need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
The Payment Card Industry Data Security Standard (PCI DSS) is a joint initiative developed by the major credit card brands including Visa, MasterCard, American Express, Discover, and JCB. The standard is a response to the increase in online card theft and fraud. The ability of criminals and fraudsters to monetize stolen cards is well established and can seriously impact your business. The standard outlines security requirements for companies that accept, transmit, and store cardholder data.
The standard mandates 12 core requirements covering a minimum level of security management, policies, procedures, network architecture, software design, and other critical protective measures, so that businesses can proactively protect customer account data.
Online retailers are responsible for ensuring that payment card data is protected, even if payment processing is outsourced. All online retailers that accept cards for payment need to achieve, maintain, and prove compliance on an ongoing basis.
The complexity, time, and cost associated with achieving compliance vary according to the merchant level. Each merchant level sets out how compliance with the standard is assessed and reported on.
Currently, 4 merchant levels may apply:
(Note: Levels are set by the card brands and may vary)
A Self Assessment Questionnaire (SAQ) is a validation tool to assist merchants and service providers in demonstrating their compliance.
There are 3 SAQs that may apply to online retailers:
SAQ A
This SAQ applies to online retailers who have their website entirely hosted and managed by a PCI-compliant payment processor, or who provide an iframe or URL that redirects a consumer to a PCI-compliant payment processor.
SAQ A-EP
This SAQ is required if the merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor while the merchant still controls website elements that affect the payment page (such as CSS or JavaScript).
SAQ D
This SAQ applies when an online merchant stores credit card data, or originates payment pages from within a website.
If a breach occurs whilst a merchant is non-compliant, the credit card providers can issue fines. The merchant may be forced to cover chargebacks and may lose the privilege of processing credit cards. The merchant also risks being escalated into a higher merchant level, with all the compliance costs associated with that level, which can run into the tens of thousands.
The PCI standard has positive implications that go well beyond the avoidance of fines. Benefits include:
Getting started with PCI DSS compliance can be overwhelming. The documentation is extensive, and navigating all the requirements can be daunting for a novice or for a business without the necessary expertise on hand.
Shearwater can help you map your infrastructure and processes against the PCI requirements and fill the gaps. We start with a pre-assessment that outlines the simplest and most cost-effective route to compliance.