PCI Compliance for Every Online Merchant

Online shopping continues to gain acceptance with the public, meaning that more transactions are occurring over the Internet than ever before. So, it should come as no surprise that online threats to consumers and credit card companies are also on the rise.

In response to the ongoing threat of credit card fraud and data breaches, the major payment brands (Visa, MasterCard, American Express, Discover, and JCB) have collaboratively endorsed a structured program mandating compliance for any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data. This program is called Payment Card Industry (PCI) compliance, and it's gaining serious momentum.

However, there is much confusion regarding PCI compliance and how organizations can ensure they adhere to the standards. PCI compliance has a broad and ubiquitous scope, so let's focus on what we need to know: how to get your ecommerce site compliant in a cost-effective and efficient manner.

First and foremost, it is important to understand that PCI is not a one-size-fits-all approach; rather, it's driven by the number of payments you transact on an annual basis. That said, both global ecommerce chains and small home-based businesses are classified as a "merchant" in the eyes of PCI, necessitating compliance. The key is identifying your transaction volume - the number of credit and debit card transactions (even gift cards, as they carry payment brand logos) your site processes each year. The major payment brands each have somewhat different requirements; however, Visa's guidelines are generally regarded as the prudent and logical baseline. Thus, here is what Visa has offered for PCI compliance regarding merchants:

  • Level 1: Any merchant - regardless of acceptance channel - processing over 6,000,000 Visa transactions per year and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
  • Level 2: Any merchant - regardless of acceptance channel - processing 1,000,000-6,000,000 Visa transactions per year.
  • Level 3: Any merchant processing 20,000 to 1,000,000 Visa ecommerce transactions per year.
  • Level 4: Any merchant processing fewer than 20,000 Visa ecommerce transactions per year, and all other merchants - regardless of acceptance channel - processing up to 1,000,000 Visa transactions per year.

Calculate (or approximate) your number of transactions per year to see which "Level" or bucket you fall into. After that, you will be able to determine exactly what the requirements are, depending on your level. Again, Visa provides very explicit mandates depending on the Level:

  • Level 1: Annual onsite review by a Qualified Security Assessor (QSA) (PCI DSS Assessment) and Quarterly Network Scan by an Approved Scanning Vendor (ASV).
  • Level 2: Annual Self-Assessment Questionnaire and Quarterly Network Scan by an ASV.
  • Level 3: Annual Self-Assessment Questionnaire and Quarterly Network Scan by an ASV.
  • Level 4: Annual Self-Assessment Questionnaire and Quarterly Network Scan by an ASV.

The only caveat to these guidelines is that American Express requires all Level 2 merchants to also have an on-site PCI DSS assessment conducted by a QSA. You may also fall victim to a customer or one of the payment brand heavyweights requesting an on-site PCI DSS assessment by a QSA, regardless of your transaction volume. Sometimes politics come into play.

So let's distill these requirements to understand what they really mean and how they affect you and your business.

An on-site PCI DSS assessment is essentially an audit conducted by a QSA - a person who has gone through PCI training and is certified to conduct an assessment. An annual self-assessment is just that - an assessment you can conduct on your own to validate PCI compliance.

However, this is easier said than done, as most merchants lack the knowledge to truly understand what compliance entails for their PCI stamp of approval. Add to this that there are currently five different versions of the self-assessment questionnaire (SAQ), so you need to be sure you've chosen the right one. Therefore, I highly recommend contacting a QSA for additional guidance and support. Finally, all merchants, regardless of size, need quarterly network scans to ensure a safe and secure cardholder environment. Again, you will need to seek outside expertise to conduct these scans.

Possible fines and penalties loom for not being PCI compliant. When it all adds up, it simply makes good business sense to have your ecommerce site PCI compliant and operating in a safe, secure environment. Data breaches are growing at an alarming rate, so protect yourself, your company, and your online reputation.

About the Author: Charles Denyer is a member of NDB Advisory (www.pciassessment.org) and an expert in PCI compliance who is also a Qualified Security Assessor (QSA) as approved and validated by the Payment Card Industry Security Standards Council (PCI SSC) in Wakefield, MA. Mr. Denyer can be contacted via email at cdenyer@ndbcpa.com.

Learn more about PCI compliance: To learn more about PCI compliance, visit www.pcisecuritystandards.org or www.pciassessment.org. Both sites offer invaluable knowledge and insight into the overall PCI assessment process.