Online shopping continues to gain acceptance with the public, meaning
that more transactions are occurring over the Internet than ever
before. So, it should come as no surprise that online threats to consumers
and credit card companies are also on the rise.
In response to the ongoing threat of credit card fraud and data
breaches, the major payment brands (Visa, MasterCard, American
Express, Discover, and JCB) have collaboratively endorsed a structured
program mandating compliance for any entity directly involved in the
processing, storage, or transmission of transaction data or cardholder
data. This program is called Payment Card Industry (PCI) compliance
and it’s gaining serious momentum.
However, there is much confusion regarding PCI compliance and
how organizations can ensure they adhere to the standards. PCI compliance
has a broad and ubiquitous scope, so let’s focus on what we
need to know: how to get your e-commerce site compliant in a cost-effective
and efficient manner.
First and foremost, it is important to understand that PCI is not a
one-size-fits-all approach; rather, it’s about the number of payments
you transact on an annual basis. That said, both global e-commerce
chains and small home-based businesses are identified as a “merchant”
in the eyes of PCI, necessitating compliance. The key is identifying
your transaction volume — the number of credit and debit
card transactions (even gift cards, as they have payment brand logos
on them) your site processes each year. All the major payment brands
have varied requirements; however, Visa’s guidelines are generally
regarded as the prudent and logical requirement. Thus, here is what
Visa has offered for PCI compliance regarding merchants:
- Level 1: Any merchant — regardless of acceptance channel — processing over 6,000,000 Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Level 2: Any merchant — regardless of acceptance channel — processing 1,000,000-6,000,000 Visa transactions per year.
- Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1,000,000 Visa transactions per year.
Calculate (or approximate) your number of transactions per year to
see which “Level” or bucket you fall into. After that, you will be able to
determine exactly what the requirements are, depending on your level.
Again, Visa provides very explicit mandates depending on the Level:
- Level 1: Annual onsite review by a Qualified Security Assessor (QSA) (PCI DSS Assessment) and Quarterly Network Scan by an Approved Scanning Vendor (ASV).
- Level 2: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV.
- Level 3: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV.
- Level 4: Annual Self Assessment Questionnaire and Quarterly Network Scan by ASV.
The only caveat to these guidelines is that American Express
requires all Level 2 merchants to also have an on-site PCI DSS assessment
conducted by a QSA. You may also find that a customer or
one of the payment brand heavyweights requests an on-site PCI DSS
assessment by a QSA, regardless of your transaction volume. Sometimes politics
come into play.
So let’s distill these requirements to understand what they
really mean and how they affect you and your business.
An on-site PCI DSS assessment is essentially an audit conducted by
a QSA, a person who has gone through PCI training and
is certified to conduct an assessment. An annual self-assessment is just
that: an assessment you can conduct on your own for validating PCI
compliance.
However, this is easier said than done, as most merchants lack the
knowledge to truly understand what compliance entails for their PCI
stamp of approval. In addition, there are five different versions currently
available for conducting PCI self-assessments, so you need to be sure
you’ve chosen the right self-assessment questionnaire (SAQ).
Therefore, I highly recommend contacting a QSA for additional guidance
and support. Finally, all merchants, regardless of size, need quarterly
network scans to ensure a safe and secure cardholder environment.
Again, you will need to seek outside expertise for conducting
these scans.
Possible fines and penalties loom for not being PCI compliant.
When it all adds up, it essentially makes good business sense to have
your e-commerce site PCI compliant and operating in a safe, secure
environment. Data breaches are growing at an alarming rate, so protect
yourself, your company, and your online reputation.
About the Author: Charles Denyer is a member of NDB Advisory (www.pciassessment.org)
and an expert in PCI compliance who is also a Qualified Security Assessor
(QSA) as approved and validated by the Payment Card Industry Security
Standards Council (PCI SSC) in Wakefield, MA. Mr. Denyer can be contacted
via email at cdenyer@ndbcpa.com.
Learn More About PCI Compliance: To learn more about PCI compliance, visit
www.pcisecuritystandards.org or
www.pciassessment.org. Both sites offer invaluable knowledge
and insight into the overall PCI assessment process.