PCI Compliance for E-commerce
All online retailers that accept credit card payments need to be compliant with the Payment Card Industry Data Security Standard (PCI DSS).
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a joint initiative developed by the major credit card brands including Visa, MasterCard, American Express, Discover, and JCB. The standard is a response to the increase in online card theft and fraud. The ability of criminals and fraudsters to monetize stolen cards is well established and can seriously impact your business. The standard outlines security requirements for companies that accept, transmit, and store cardholder data.
The standard mandates 12 core requirements including demonstrating a minimum of security management, policies, procedures, network architecture, software design, and other critical protective measures so business can proactively protect customer account data.
Online retailers are responsible to ensure that payment card data is protected, even if payment processing is outsourced. All online retailers that accept cards for payment purposes, need to achieve, maintain, and prove compliance on an ongoing basis.
Determining your merchant level
The complexity, time, and cost associated with achieving compliance vary according to the merchant level. Each merchant level sets out how compliance with the standard is assessed and reported on.
Currently 4 merchant levels may apply:
- Level 1: More than 6 Million Transactions per annum
- Level 2: Between 1 and 6 Million transactions per annum
- Level 3: Between 20,000 and 1 Million transactions per annum
- Level 4: All other merchants.
(Note: Levels are set by the card brands and may vary)
Determining the right SAQ
A Self Assessment Questionnaire (SAQ) is a validation tool to assist merchants and service providers in demonstrating their compliance.
There are 3 SAQs that may apply to online retailers:
SAQ A
This SAQ applies to online retailers who have their website entirely hosted and managed by a PCI-compliant payment processor, or who provide an iframe or URL that redirects a consumer to a PCI-compliant payment processor.
SAQ-EP
This SAQ is required if the merchant website provides an iframe or URL that redirects a consumer to a PCI-compliant, third-party payment processor while maintaining website elements (such as CSS or JavaScript).
SAQ D
This SAQ applies when an online merchant stores credit card data, or originates payment pages from within a website.
Need help determining your merchant level or SAQ?
If a breach occurs whilst a merchant is non-compliant, the credit card providers can issue fines. The merchant may be forced to cover chargebacks and may lose the privilege of processing credit cards. The merchant also risks escalation into a higher tier with all the costs associated with those levels and which run into the tens of thousands.
Benefits of being PCI Compliant
The PCI standard has positive implications that go well beyond the avoidance of fines. Benefits Include:
- Providing a security framework that helps secure your website and lessen the likelihood of being hacked.
- Helping to avoid costly down time and damage to reputation that may be caused by a breach.
- Maintaining an online retailer’s privilege of accepting credit card payments and preserving the core of the online shopping experience
- Avoiding hefty fines and rigorous compliance requirements.
- Maintaining consumer trust and reputation
Getting started with PCI Compliance
Getting started with PCI DSS compliance can be overwhelming. The documentation is extensive and navigating through all the requirements can be daunting for the novice or without having the necessary expertise on hand.
Shearwater can help you map your infrastructure and processes against PCI requirements and fill the gaps. We start with a pre-assessment that outlines the simplest and most cost effective route to compliance.