PCI Compliance: An Overview for eCommerce


What is PCI Compliance?

The term PCI compliance in eCommerce comes from the Payment Card Industry Data Security Standard (PCI DSS), a security standard defined by the Payment Card Industry Security Standards Council. The standard was created to improve the processes and controls that protect cardholder data.

Any business that processes, stores or transmits any information listed on a credit or debit card is required to comply with PCI DSS. All merchants that accept credit cards on their website are required to assess their compliance annually. The required level of assessment depends on your transaction volume; merchants with lower transaction volumes may be able to assess their compliance internally.

Note that even if you do not store the full credit card number (and you should not), if the credit card number travels through your network en route to the payment gateway, you are still required to prove PCI compliance.

PCI compliance is not required by law. Acquiring banks or processors are responsible for enforcement of PCI compliance.

What are the security requirements in the PCI DSS?

There are 12 main requirements with over 220 sub-requirements. The high-level requirements are listed below; for greater detail, see the PCI DSS standard.

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

What Happens if You are Not Compliant?

Your merchant account could be revoked, or you could be unable to accept certain types of cards, if you are not PCI compliant. If you are found negligent in the event of a breach, you are likely to face significant fines, higher costs through increased compliance requirements, larger merchant fees and/or potential suspension or cancellation by your credit card merchants.

PCI Compliant Hosting

Because PCI compliance requires limiting access to the server environment and having specific security controls in place to satisfy the PCI DSS requirements, it is not generally achievable in a shared hosting environment. Typically a virtual or dedicated server environment is required, set up by a web host that is specifically trained in PCI compliance issues.

A typical entry-level configuration for an eCommerce site is to host your site on virtual machines dedicated only to your company. You will need two virtual machines – one for your website and one for your database. This configuration also improves your site's performance. You will need your host to create firewall rules that allow only the web server to access the database server.
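The firewall restriction described above, as an added example that is not part of the original article: an nftables ruleset for the database VM that accepts database connections from the web server only, logs and drops everything else, and can be checked before it is applied. The addresses and the port are assumed placeholders, and the host must run nftables for the `--apply` path to work.

```shell
#!/bin/sh
# Added example (not the article's own code): nftables ruleset for the
# database VM in the two-VM layout.  All addresses are assumed placeholders:
#   WEB_IP   - the web server VM, the only host allowed to reach the database
#   ADMIN_IP - the host's management box, the only source allowed to SSH in
#   DB_PORT  - MySQL/MariaDB listener; use 5432 for PostgreSQL
WEB_IP="${WEB_IP:-10.0.0.10}"
ADMIN_IP="${ADMIN_IP:-10.0.0.2}"
DB_PORT="${DB_PORT:-3306}"

# Emit the ruleset: default-deny inbound, database reachable only from the
# web server, everything else logged and dropped (PCI DSS req. 1 and 10).
db_ruleset() {
    cat <<EOF
flush ruleset
table inet dbhost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # only the web server may open connections to the database
        ip saddr $WEB_IP tcp dport $DB_PORT ct state new accept
        # administration from the management host only
        ip saddr $ADMIN_IP tcp dport 22 ct state new accept
        # everything else is logged for monitoring, then dropped
        limit rate 5/second log prefix "dbhost-drop: "
        drop
    }
}
EOF
}

# Check the generated text without touching the live firewall: succeeds only
# when exactly one rule opens the database port and it is bound to WEB_IP.
db_ruleset_allows_only_web() {
    n=$(db_ruleset | grep -c "dport $DB_PORT" || true)
    w=$(db_ruleset | grep -c "ip saddr $WEB_IP tcp dport $DB_PORT" || true)
    [ "$n" -eq 1 ] && [ "$w" -eq 1 ]
}

# Apply only when asked explicitly, as root, on a host that has nft installed.
if [ "${1:-}" = "--apply" ]; then
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; exit 1; }
    db_ruleset_allows_only_web || { echo "ruleset check failed" >&2; exit 1; }
    db_ruleset | nft -f -
fi
```

Run without arguments to print nothing and use the functions from a shell; run with `--apply` on the database VM to load the rules.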

PCI compliant hosting costs typically start around $500/month.

What else is required?

Your hosting environment is only one part of achieving PCI compliance. Other important actions to achieve PCI compliance include:

  • Scanning: Hiring an Approved Scanning Vendor (ASV) to scan your site. You will need to pass a network scan every 90 days. In some cases, your merchant bank has already selected an ASV for you to use, and it may be included in your merchant fees.
  • Processes: Ensuring your business practices comply with PCI requirements. There are requirements dealing with handling credit card numbers provided over the phone, in face-to-face transactions, or dealing with paper records of credit card numbers your company may have.
  • Reporting: You may be required to submit a Self-Assessment Questionnaire and provide an Attestation of Compliance. Typically your merchant bank and your scanning vendor can assist you in determining which requirements apply to you.

How can I limit my costs and my risk?

One way to limit your costs and your risk is to limit your PCI compliance scope. You can do this by using a payment method where the full credit card number never travels through your network. This doesn’t mean that you don’t need to go through the PCI compliance process, but it does reduce your risk and reduce the requirements you will need to meet.

Some payment methods do this by taking users off your site and returning them at the end – like PayPal Standard. While more and more users are growing familiar with payment methods like this, they can also cause confusion and cart abandonment. A growing number of payment methods now reduce your PCI compliance scope while allowing users to stay on your site.

Here are payment providers that reduce your PCI compliance scope but allow users to stay on your site:

  • Authorize.Net Direct Post Method
    Because of Authorize.Net's popularity on the market, this is a payment method that Brilliance has implemented for customers looking to reduce their PCI scope. The look and feel of this payment method can completely match your site, and you are able to accept all major credit cards.
  • PayPal Payments Advanced
    PayPal Payments Advanced enables merchants to allow customers to stay on their site while checking out with a credit card or their PayPal account. The downside of this payment method is that it is still heavily branded as PayPal and the user experience may not give the overall look and feel you want customers to see on your site.
  • Amazon Checkout
    Amazon Checkout specifically allows users to check out with the payment methods stored in their Amazon account. While it can be a helpful payment method, it is often best used in conjunction with another method.
  • Braintree Payments
    Braintree has created a flexible and secure structure that enables users not only to check out and stay on your site but also to store credit cards in its Vault for later use. While Authorize.Net has a method of storing credit cards (Customer Information Manager, or CIM), use of the CIM sends credit card data through your web server and therefore does not limit your PCI scope. For vendors wanting to remember users' credit cards for future use and reduce their PCI compliance scope, Braintree is a good option.

For related information, check out our article on security risks with credit cards.

Lori McDonald

President & CEO


Lori graduated from Purdue University with a Bachelor's degree in Computer-Electrical Engineering and leads Brilliance Business Solutions with over 20 years of computer engineering and software development experience. She is an Episerver EMVP, a Microsoft Certified Professional and a regular contributor on Practical eCommerce. Her status as a recognized industry expert has resulted in regular speaking engagements at business conferences.
