We’ve received a lot questions from our customers about PCI compliance and what it take to become compliant. Although we’re not experts in compliance laws, we have been working closely with customers and vendors who have gone through the process. PCI compliance can be a complex topic involving many layers of detail. This post provides an overview of what PCI compliance is, how merchants can become compliant, and which e-commerce platforms are compliant.
PCI compliance overview
If you’re selling online and accept debit, credit, prepaid, e-purse, ATM or POS cards as a payment method, you need to understand PCI and comply with PCI DSS. So what exactly is PCI? PCI stands for Payment Cards Industry, and DSS is the Data Security Standard that regulates the way credit card payments are processed to ensure that customers’ card information is secure during the transaction. All merchants that accept credit cards need to be PCI compliant, no matter the size of their business or industry they’re in.
Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for businesses that handle, process and store credit cards. The standards are defined by the Payment Cart Industry Security Standards Council (PCI SSC), which includes Visa International, MasterCard Worldwide, America Express, Discover Financial Services, and JCB. These standards consist of 12 core requirements with the objective to protect cardholder data and maintain a secure network with strong access control measures. Businesses that don’t comply to these standards risk having their data security breached, which could result in fines as high as $500,000 per incident, being cut off from accepting credit cards, potential customer lawsuits, and damage to company’s reputation and brand.
The 12 core requirements for PCI compliance for merchants are as follows:
Becoming PCI compliant
The cost of becoming PCI compliant varies depending on the size of your business, type of business, number of transaction processed, IT infrastructure, etc. There are 4 levels of merchants. For larger companies with over 6M transactions a year, the figure is in the hundreds of thousands of dollars. These companies are also subjected to more rigorous validation requirements and audits by a Qualified Security Assessor (QSA). For smaller businesses with a single POS terminal or payment gateway, merchants need to complete an annual Self-Assessment Questionnaire (SAQ), make sure that they’re not improperly storing prohibited card data, and verify that their vendor is PA-DSS compliant. Software vendors that deal with processing card payments need to meet PA-DSS requirements, and be validated by a third party Payment Application-Qualified Security Assessor (PS-QSA). Payment Application Data Security Standard (PA-DSS) is a global security standard that defines how software vendors develop payment applications to comply with PCI DSS.
Similar to the PCI DSS requirements, software vendors also have a set for PA-DSS Requirements:
- Do no retain full magnetic stripe, card validation, code or value, or PIN block data
- Protect stored cardholder data
- Provide secure authentication features
- Log payment application activity
- Develop secure payment applications
- Protect wireless transmissions
- Test payment applications to address vulnerabilities
- Facilitate secure network implementation
- Cardholder data must never be stored on a server connected to the internet
- Facilitate secure remote access to payment application
- Encrypt sensitive traffic over public networks
- Encrypt all non-console administrative access
- Maintain instructional documentation and training programs for customers, resellers and integrators
Payment gateways for e-commerce
In order for online merchants to process online payment transactions, they need to secure the site that is capturing the customer’s card information (i.e., the checkout area) and the site that is accepting the card payment (i.e., the payment processor). This is done through a payment gateway, which is equivalent to the POS terminal for brick and mortar retailers. A payment gateway is an eCommerce application service provider (ASP) that authorizes online payments. Payment gateways (e.g., Authorize.net and PayPal’s Payflow) protect credit card information by encrypting the data to securely pass the information between the customer, merchant and payment processor via Secure Socket Layer (SSL) encryption. Therefore, payment gateways need to ensure this data transfer mechanism is secure and comply with PCI DSS and PA-DSS for online, offline and phone orders.
PCI compliant online store platforms:
Even though, you have a PA-DSS certified payment gateway for your online business, your shopping cart checkout must also be PCI compliant because this is where customers are entering their credit card information before the data is transferred to a payment gateway.
Online shopping cart and marketplace platforms provide transactional services, and as multichannel eCommerce software providers, they are responsible for any liability due to non-compliance of PCI DSS. Therefore, online store platforms are also required to be PCI compliant and go through PA-DSS validation. This process requires over $50,000 of investment in updated network security software and management across their customer online store site. Carts that are compliant include BigCommerce, Magento Go, Pinnacle Cart, Volusion, 3dCart, and a few others. Online marketplaces, such as Amazon and eBay, provide their own inclusive payment solution that is PCI compliant. For a list of PA-DSS certified shopping carts, visit the PCI Security Standard Council website.
Instead of focusing on having the shopping cart software be PCI compliant, some shopping cart providers have developed a payment “bridge” solution that is PCI compliant to handle the transactional process and acts as a bridge between the shopping cart and the payment gateway. For example, Magento Enterprise and Professional editions utilize the Magento Payment Bridge to handle all credit card processing. This enables all Magento Enterprise and Professional sellers to become PCI compliant via the Payment Bridge instead putting the responsibility on each merchant.
If you are using a non-compliant shopping cart, there is still a way for merchants to become compliant without having to go through the entire compliance process. e-commerce merchants can integrate their carts with a PCI compliant payment processor that provides a hosted payment processing page (Cybersource, CRE Secure, PayPal Website Payment Pro or Google Checkout). With this approach, the end consumer is pushed to an external hosted secure page at the final step of checkout. The downside to this method is that you’re redirected to another site which might not allow for a seamless checkout experience and depending on the vendor you choose, there may be some limitations on how much control you have over the look and feel of the payment page.
Understanding the Payment Card Industry policy and becoming PCI compliant not only protect your business legally, but also provide the ease of mind that your customer and business data are secure. To ensure that you are PCI compliant: (1) read up on the latest Data Security Standard requirements, (2) check to see if your shopping cart provider is PA-DSS certified, and (3) make sure that your payment application provider is PCI compliant and properly integrated with your online store.