If you’re an ecommerce merchant processing card-not-present transactions, you need to be PCI compliant. PCI stands for “Payment Card Industry,” and being compliant means staying up to date on all the necessary data security practices.
Since a breach of customer credit card data could sink your business, the major card brands founded a body called the PCI Security Standards Council (PCI SSC) that writes and maintains what are known as the PCI standards. Collectively, the standards that apply to merchants are called the PCI DSS, or “PCI Data Security Standard”: a set of technical and operational requirements meant to protect cardholder data and reduce fraud. Note that the PCI SSC publishes the standard but does not enforce it; enforcement (fines, higher processing fees, or loss of the ability to accept cards) comes from the card brands through your acquiring bank.
To validate compliance with the PCI DSS, most merchants fill out something called a PCI SAQ, or “Self-Assessment Questionnaire.” The SAQ walks you through the requirements as a series of yes/no questions so that you can confirm, requirement by requirement, that the controls are in place. There are several SAQ versions keyed to how you accept cards: an ecommerce merchant that fully outsources its payment page to a validated third party may qualify for the short SAQ A, while one whose own website handles or influences the card-entry form falls under the longer SAQ A-EP or SAQ D. In this post, you’ll learn more about the standard and the questionnaire.
By being ready for the PCI security questionnaire, you’ll be in the best possible position to stay compliant. That means avoiding costly penalties for non-compliance, staying one step ahead of hackers, and protecting your company from customer lawsuits resulting from credit card fraud.
After all, nothing damages customer trust like a breach of cardholder data.
Different merchants have different compliance requirements depending on their category. These categories give each type of merchant a defined way to report on compliance and stay in good standing with the card brands and its acquiring bank.
The first step to PCI-DSS compliance is figuring out where your business stands. There are different “levels” with various criteria from each of the major credit card companies. These levels determine your individual reporting requirements.
Each card brand defines its own criteria for each level, so you have to check with every brand you accept: Visa’s thresholds differ slightly from Mastercard’s, for example, and an ecommerce merchant can sit at one level for one brand and a different level for another.
For all of the brands, levels are based on your overall risk profile as a business, and the main input is the number of card transactions your company processes per year. The figures below give you a good idea of what to expect. Your acquiring bank assigns your level; the Self-Assessment Questionnaire does not determine it, but your level and the way you accept cards together determine which validation documents you owe.
Level 1 requirements come into play for merchants that process six million or more transactions per year.
Level 2 merchants are those processing between one million and six million transactions per year. Process more than six million, and you’ll be bumped up to Level 1.
Level 3 is applicable for merchants processing between 20,000 and one million transactions per year.
Level 4 requirements commonly apply to small companies, although a company that processes very few transactions can still take in substantial revenue; it just means each transaction is worth more. Either way, Level 4 merchants are those that process fewer transactions than any other level: under 20,000 per year.
In order to be PCI DSS compliant, there are validation processes that must take place. These involve self-assessment questionnaires and, at the top level, on-site assessments by Qualified Security Assessors (QSAs): independent assessment firms and individuals qualified by the PCI SSC, not employees of the card brands. The details and frequency of validation vary according to which level your business qualifies for.
As outlined in the last section, your company’s level is based on the total number of annual transactions. But in addition to annual transactions, your level might be different depending on which card brand is assessing you. Consult each of them individually to determine your PCI DSS requirements for each.
Typically, merchants at Levels 2, 3, and 4 are only required to complete a self-assessment questionnaire (plus quarterly external vulnerability scans where they apply). Level 1 merchants must instead have an annual on-site assessment performed by a QSA, or by a trained Internal Security Assessor where the brand allows it, documented in a Report on Compliance (ROC).
If you’ve ever asked yourself, “How do I become PCI compliant,” the first step is in adopting the proper security management procedures. Proper security ensures that customer credit card information like account numbers and expiration dates are protected at every phase of checkout, both on your end and on the part of your acquiring bank.
Since ecommerce involves the transmission of information through various servers and networks, there are lots of opportunities for fraudsters to try to swoop in and hack the data. Protecting it requires security measures at every layer: the ecommerce store, the network architecture, and the actual payment processing software. We’ll discuss each of these in more detail.
Your ecommerce store is where customers add items to their shopping cart and begin the checkout process. All ecommerce websites should use HTTPS (Hypertext Transfer Protocol Secure, which is HTTP carried over TLS). HTTPS sites display “https://” at the beginning of the website address, before the “www,” and the browser shows a padlock. On an HTTPS site, traffic between the customer’s browser and your server is encrypted and the server’s identity is verified by a certificate; on a plain HTTP site, anyone on the network path can read or alter the card details as they are submitted.
Your checkout system, in particular, must use TLS. You will still see this called “SSL” (Secure Sockets Layer), the older name for the same family of cryptographic protocols, but every SSL version and TLS 1.0 are obsolete: the PCI SSC required merchants to migrate off SSL and early TLS by June 30, 2018. Configure your servers for TLS 1.2 or later and disable the older protocol versions outright.
If you use checkout software from a third party, confirm that its endpoints use current TLS and that it does not load anything over plain HTTP onto your checkout page. You can usually expect this from any reputable payment service provider, but check the live configuration rather than the marketing page.
Without encryption, hackers would have free rein over your customers’ payment card information. Anti-virus software is only the beginning: you need to make sure that your payment processor and other vendors use current encryption technology, and that cardholder data is protected both in transit and wherever it is stored throughout the entire process.
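The check a practitioner actually wants for the two previous paragraphs is mechanical: does the checkout page itself, the form the card details post to, and every script or frame loaded onto that page use HTTPS, and does every script come from a host you expect? The following is an added example written for this post, not code from the original author or from any payment provider. The page URL, host names and HTML are constructed sample data; a real audit would fetch the live checkout page and compare the script list against the inventory you keep for your payment provider.

```python
"""Audit a checkout page for non-HTTPS targets and unexpected script sources.

Added example; constructed sample data, not from the original post."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL matters on a checkout page: where the card form posts,
# and where scripts/frames that can read the card form are loaded from.
_URL_ATTRS = {
    "form": "action",
    "script": "src",
    "iframe": "src",
}


class _CheckoutAuditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (element, absolute_url) not served over https
        self.scripts = []    # every external script source, for inventory

    def handle_starttag(self, tag, attrs):
        attr_name = _URL_ATTRS.get(tag)
        if attr_name is None:
            return
        raw = dict(attrs).get(attr_name)
        if tag == "form" and raw is None:
            raw = ""          # a form with no action posts back to the page URL
        if raw is None:
            return            # inline script: no remote source to check
        absolute = urljoin(self.page_url, raw)   # resolves "/x" and "//host/x"
        if tag == "script":
            self.scripts.append(absolute)
        if urlsplit(absolute).scheme != "https":
            self.findings.append((tag, absolute))


def audit_checkout_page(page_url, html):
    """Return (findings, scripts): elements that would carry or expose card
    data over something other than HTTPS, and all external script sources."""
    auditor = _CheckoutAuditor(page_url)
    if urlsplit(page_url).scheme != "https":
        auditor.findings.append(("page", page_url))
    auditor.feed(html)
    auditor.close()
    return auditor.findings, auditor.scripts


def unexpected_scripts(page_url, scripts, allowed_hosts):
    """Scripts that come neither from the page's own host nor from an
    allow-listed host (e.g. your payment provider's CDN)."""
    own_host = urlsplit(page_url).hostname
    return [s for s in scripts
            if urlsplit(s).hostname not in allowed_hosts
            and urlsplit(s).hostname != own_host]


# Constructed sample checkout page (hypothetical hosts).
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="//cdn.payments-provider.example/v2/fields.js"></script>
<script src="http://analytics.example/tag.js"></script>
</head><body>
<form id="card" action="http://shop.example/pay" method="post">
  <input name="pan"><input name="exp"><input name="cvv">
</form>
<form id="search"><input name="q"></form>
<iframe src="https://cdn.payments-provider.example/v2/frame"></iframe>
<script>console.log("inline");</script>
</body></html>
"""

if __name__ == "__main__":
    findings, scripts = audit_checkout_page(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for element, url in findings:
        print(f"insecure {element}: {url}")
    for url in unexpected_scripts(SAMPLE_PAGE_URL, scripts,
                                  {"cdn.payments-provider.example"}):
        print(f"script from unexpected host: {url}")
```

On the sample page the auditor flags the analytics script loaded over plain HTTP and the card form that posts to an HTTP URL; the scheme-relative payment-provider script is resolved against the HTTPS page and passes, and the search form with no action inherits the page URL. Run it against each release of your checkout template, and treat any new entry in the script list as a change that needs review before it goes live.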
PCI compliance demands a strong network architecture. That means your network has to be designed with security in mind from the start, with the cardholder data environment segmented from the rest of the business, rather than having security bolted on as an afterthought. And once a strong network is built, it needs to be maintained.
Maintaining a secure network requires ongoing checks and updates. You need to analyze your network systems for any vulnerability. You should also have a plan in place for dealing with them. Monitor your network for signs of intrusion or other issues, and perform security tests regularly so that you can catch weaknesses early, before a hacker has a chance to exploit them.
To stay PCI DSS compliant, many merchants have to get a quarterly external vulnerability scan performed by an Approved Scanning Vendor (ASV), a company certified by the PCI SSC for this purpose. The purpose of the scan is to find vulnerabilities in the internet-facing systems that handle your credit and debit card payments. This is separate from the self-assessment questionnaire: the SAQ is what you fill out, the ASV scan is what an outside party runs against you, and a passing scan is attached to your compliance submission.
These scans happen quarterly, but a re-scan is also necessary after any significant change to your network or systems. For example, deploying a new server, changing firewall rules, or switching to a new payment provider are all situations where you should be re-scanned to stay compliant.
For the scan to be effective, it has to cover all systems that communicate credit or debit card information. That includes the network itself, but also your operating systems, web-based application software, payment terminals, and any other software or hardware that receives, transmits, or stores payment data. Give the ASV the complete list of in-scope IP addresses and domains; a scan that misses a system in scope does not count. To keep up with proper PCI data security, get your systems scanned at least every 90 days, and fix and re-scan anything the ASV rates as failing.
The PCI DSS is there to protect you and your customers, and the PCI DSS SAQ makes the process quicker and easier, saving you time and money. But proper security controls shouldn’t be looked at as a nuisance. Rather, look at them as an investment.
By putting in the effort to become PCI compliant, you’re saving yourself the hassle of dealing with a data breach. These breaches cause a loss of customer trust that can take years to earn back. The investment in avoiding serious data leaks with a regular PCI DSS assessment could be one that saves your business.