PCI Compliance for Every Online Merchant
Online shopping continues to gain acceptance with the public, meaning that more transactions are occurring over the Internet than ever before. So, it should come as no surprise that online threats to consumers and credit card companies are also on the rise.
In response to the ongoing threat of credit card fraud and data breaches, the major payment brands (Visa, MasterCard, American Express, Discover, and JCB) have collaboratively endorsed a structured program mandating compliance for any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data. This program is called Payment Card Industry (PCI) compliance, and it’s gaining serious momentum.
However, there is much confusion regarding PCI compliance and how organizations can ensure they adhere to the standards. PCI compliance has a broad and ubiquitous scope, so let’s focus on what we need to know: how to get your e-commerce site compliant in a cost-effective and efficient manner.
First and foremost, it is important to understand that PCI is not a one-size-fits-all approach; rather, it’s about the number of payments you transact on an annual basis. That said, both global e-commerce chains and small home-based businesses are identified as a “merchant” in the eyes of PCI, necessitating compliance. The key is identifying your transaction volume — the number of credit and debit card transactions (even gift cards, as they have payment brand logos on them) your site processes each year. All the major payment brands have varied requirements; however, Visa’s guidelines are generally regarded as the prudent and logical requirement. Thus, here is what Visa has offered for PCI compliance regarding merchants:
- Level 1: Any merchant — regardless of acceptance channel — processing over 6,000,000 Visa transactions per year and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
- Level 2: Any merchant — regardless of acceptance channel — processing 1,000,000-6,000,000 Visa transactions per year.
- Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
- Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1,000,000 Visa transactions per year.
Calculate (or approximate) your number of transactions per year to see which “Level” or bucket you fall into. After that, you will be able to determine exactly what the requirements are, depending on your level. Again, Visa provides very explicit mandates depending on the Level:
- Level 1: Annual onsite review by a Qualified Security Assessor (QSA) (PCI DSS Assessment) and Quarterly Network Scan by an Approved Scanning Vendor (ASV).
- Level 2: Annual Self-Assessment Questionnaire and Quarterly Network Scan by an ASV.
- Level 3: Annual Self-Assessment Questionnaire and Quarterly Network Scan by an ASV.
- Level 4: Annual Self-Assessment Questionnaire and Quarterly Network Scan by an ASV.
The only caveat to these guidelines is that American Express requires all Level 2 merchants to also have an on-site PCI DSS assessment conducted by a QSA. You may also fall victim to a customer or one of the payment brand heavyweights requesting an on-site PCI DSS assessment by a QSA, regardless of your transaction volume. Sometimes politics come into play.
So let’s distill these requirements so that you truly understand what they mean and how they affect you and your business.
An on-site PCI DSS assessment is essentially an audit conducted by a QSA, a person who has completed PCI training and is certified to conduct an assessment. An annual self-assessment is just that — an assessment you conduct on your own to validate PCI compliance.
However, this is easier said than done, as most merchants lack the knowledge to truly understand what compliance entails for their PCI stamp of approval. Add to this that there are five different versions currently available for conducting PCI self-assessments, so you need to be sure you’ve chosen the right self-assessment questionnaire (SAQ). Therefore, I highly recommend contacting a QSA for additional guidance and support. Finally, all merchants, regardless of size, need quarterly network scans to ensure a safe and secure cardholder environment. Again, you will need to seek outside expertise for conducting
Possible fines and penalties loom for not being PCI compliant. When it all adds up, it essentially makes good business sense to have your e-commerce site PCI compliant and operating in a safe, secure environment. Data breaches are growing at an alarming rate, so protect yourself, your company, and your online reputation.
About the Author: Charles Denyer is a member of NDB Advisory (www.pciassessment.org) and an expert in PCI compliance who is also a Qualified Security Assessor (QSA) as approved and validated by the Payment Card Industry Security Standards Council (PCI SSC) in Wakefield, MA. Mr. Denyer can be contacted via email at firstname.lastname@example.org.
Learn more About PCI Compliance: To learn more about PCI compliance, visit www.pcisecuritystandards.org or www.pciassessment.org. Both sites offer invaluable knowledge and insight into the overall PCI assessment process.