Do I need to be PCI compliant? That’s probably the question you’ve been wondering, and what landed you on this article. Well, trust is one of the driving factors behind the success of eCommerce and store-front businesses.

Without it, attracting new customers would be much more difficult. To help maintain trust, the payment industry, along with the credit card companies, has implemented a set of practices that all merchants and service providers need to follow.

These practices are known under the umbrella of PCI compliance, which means you are practicing all of the guidelines necessary to promote security and data integrity when handling customers’ card data.

In the following sections, we’ll explain what PCI compliance means and how you can easily determine if you are PCI compliant or not.

What Does Trust Have to Do with the Success of a Business?

Being able to process credit and debit cards is a requirement for almost all businesses. For an eCommerce business, it’s completely essential.

Processing credit and debit cards also comes with a certain degree of responsibility. Customers are trusting you with sensitive financial information, and that trust needs to be maintained so that the entire payment network can continue to function.

If customers no longer feel safe entering their credit card information into a business’s website, then that hurts every business with lower conversion rates and fewer sales.

What is PCI Compliance?

To begin, it’s necessary to explain exactly what PCI compliance is and where it comes from.

PCI refers to the Payment Card Industry. The working group created by the payment industry is known as the PCI SSC or Payment Card Industry Security Standards Council.

The PCI SSC is an industry body, not a legal or governmental body. Its goal is to maintain the security of the payment industry as a whole as well as the networks surrounding it, whether those are the private networks of businesses that process payments or the networks run by the payment industry itself.

All entities involved in payment processing must adhere to the standards put forth by the PCI SSC. The PCI SSC also provides PCI compliance certification courses for individuals and businesses.

The full standards are known as PCI DSS, or Payment Card Industry Data Security Standard, and these are the specific guidelines and rules that must be followed to be PCI compliant.

As a merchant or business owner, the key area to be concerned with is PCI DSS as that is what you will need to follow.

The PCI DSS standards and the PCI SSC are voluntary industry standards, meaning there is no legal authority behind them. However, merchants and service providers must follow these data security standards or they are in breach of their merchant agreement and can lose their merchant account.

This goes for all merchants regardless of their size or processing volumes. Although, there are different requirements based on the size of a business. So a small business doing a few thousand dollars worth of processing a month will have fewer PCI compliance obligations than a business doing $20 million in monthly sales volume.

What if You Are Not PCI Compliant?

Being PCI compliant relies on either a self-evaluation or in some cases, the use of third-party auditors, something we’ll discuss in detail later.

If during your own self-evaluation, you find that you are not PCI compliant, you need to follow the steps outlined in the self-evaluation questionnaires to remedy the problem.

The same conditions apply if you are required to use a third-party auditor or scanner. If they find an area where your network has fallen out of PCI compliance, you are required to fix it.

Not fixing these problems can result in the loss of your merchant account. Once a business loses an account for being out of PCI compliance, it can be much more difficult to secure a new merchant account.

For this reason, it’s best to solve any PCI non-compliance issues on your own and as soon as possible. By doing this you not only help to secure your own business and reduce your own liability, you also help to secure your ability to process credit cards in the future.

Overall, PCI compliance is voluntary, but falling out of compliance can put your business’s ability to accept payments at risk, something that can be catastrophic for almost any business, especially an online business. Therefore, remaining PCI compliant should always be a top priority.

Who Needs To Be PCI-Compliant?

Any merchant or service provider who accepts credit cards or is involved in storing/processing payment data needs to be PCI compliant. A service provider is any business that works with or handles credit card data although they might not directly process that information. For example, a web hosting company could be a service provider if credit data is processed by their customers on their servers.

How To Check If You Are PCI Compliant?

This is the biggest question most new merchants ask upon learning about PCI compliance. It can seem almost scary with all the technical terms and possible ramifications of being non-compliant. But the process is quite straightforward and many aspects of PCI compliance are things that any responsible business should already be doing, especially an eCommerce business.

The first step is to determine which level of PCI DSS compliance your business currently falls under. That level determines how the rest of the compliance check proceeds.

There are essentially 4 levels of PCI DSS compliance and they are mainly broken down into processing volumes. Part of this is due to the risks involved with high processing volumes. But it’s also partially to not overburden smaller retailers with undue security checks and expenses that they may not be able to afford or even need.

The list below shows the different PCI levels and their thresholds to determine where your business happens to be.

  • PCI Level 1 – $6 million or more in transactions per year
  • PCI Level 2 – $1 million – $6 million in transactions per year
  • PCI Level 3 – $20,000 – $1 million in transactions per year
  • PCI Level 4 – $20,000 or less in transactions per year

Levels 2-4 are all based on self-reporting. This means you use a supplied questionnaire to evaluate the rest of your requirements. These questionnaires are rather straightforward and you simply go step by step answering each question to reveal the final determination.

PCI level 1 requires that the company have an audit performed by a qualified individual or third-party agency. The audit is carried out by a third-party Qualified Security Assessor (QSA), who then produces a Report on Compliance (RoC).

Self-Assessment Questionnaire (SAQ) 

If you fall under levels 2-4, you will use a form called a self-assessment questionnaire (SAQ) to determine if you are PCI compliant.

There are 9 different SAQs and you choose which one applies to you based on the specifics of your processing environment. These questionnaires work like a PCI compliance checklist where you go through and answer each item. When complete, you will know if you are PCI compliant or not.

Below are the 9 different SAQs and you can look at what criteria makes a business qualify for each one. It should be easy to determine which SAQ you require by going through this list.

SAQ A 

  • Card-not-present only (eCommerce or MOTO)
  • Third-party PCI DSS service providers
  • No electronic processing or storage of card data on the merchant’s own systems and location

SAQ A-EP

  • Card-not-present only (eCommerce or MOTO)
  • Third-party PCI DSS service providers 
  • No electronic processing or storage of card data on the merchant’s own systems and location
  • Has a website that could affect transaction security even though it does not receive card data directly. 

SAQ B

  • No electronic cardholder data storage
  • Use of imprint machines only for transactions

SAQ B-IP 

  • In-person payments at standalone terminals (PTS-approved with an IP connection)
  • No electronic storage of card data

SAQ C-VT

  • Keyed transactions via PCI DSS validated third-party online virtual terminal 
  • No electronic storage of card data
  • Not for eCommerce 

SAQ C

  • Internet-based payment application systems
  • No electronic storage of card data
  • Not for eCommerce

SAQ P2PE

  • In-person transactions are taken on physical payment terminals that are managed by a PCI SSC-listed Point-to-Point Encryption (P2PE) solution
  • No electronic storage of card data
  • Not for eCommerce

SAQ D 

  • Any merchants that did not qualify for the above SAQ Types

SAQ D For Service Providers

  • Any service provider that is eligible to complete an SAQ

As you can see from browsing this list of the 9 different SAQs, they are mostly based on how you process or capture credit card information.

For example, the SAQ C-VT is for those who key in transactions using a qualified virtual terminal. Keying in transactions is usually done for phone orders. The customer service representatives are given the customer’s credit card number over the phone and they then “key it in” using a piece of software known as a virtual terminal.

This form also requires that the business does not store credit card information locally.

By going through the list above, you can determine which SAQs apply to you and your business.

Completing Your SAQ

As mentioned before, the SAQ is a self-evaluation. So if you are a single owner operating a business, then you’ll be filling out these forms yourself. For larger businesses that may have employees dedicated to IT services or accounting, you may want to have those team members present when working on the SAQ.

Despite the technical nature of an SAQ, the answers are mostly going to be either a simple yes, no, or not applicable. 

To determine if you are PCI compliant, you must answer yes to every question, or not applicable if it does not apply to your business or processing. There are no grades with an SAQ; it is either a pass or a fail when completed.

A fail means that one question could not be answered in the affirmative. If this is the case, the business must resolve that issue and then retake the SAQ. If they can answer yes to the previously failed question, they now pass.

To sum up the process of determining PCI compliance for levels 2-4, it looks like this:

  1. Determine your level of PCI DSS compliance based on processing volumes.
  2. For levels 2-4, choose your appropriate SAQ.
  3. Complete the SAQ; if you pass, you are PCI compliant.
  4. If you fail, address the problems and retake the SAQ.

PCI DSS Level 1 Compliance

The above sections detail how to determine if you are PCI-compliant for levels 2-4. For level 1, using an SAQ is not allowed.

Level 1 businesses must have a third-party assessor complete a Report on Compliance, or RoC. A Qualified Security Assessor (QSA) must complete this report for the business after auditing its systems and procedures. A business can employ its own QSA to perform the assessment if the individual is qualified and holds the proper credentials.

Both RoCs and SAQs need to be performed annually. They also must be performed in the event of any major changes being made to your network or processing equipment.

Some of these processes may involve the need for “pen testing”, which is short for penetration testing. These are either automated or manual tests where a qualified individual or service provider tests for known vulnerabilities in your network.

Depending on which SAQ applies to you, you may or may not need to perform pen testing.

Overall, completing either your appropriate SAQ or an RoC is how you determine if you are PCI compliant. 

Benefits Of Being PCI compliant

First and foremost, PCI compliance benefits everyone who relies on payment processing to run their business. Without the trust and security that customers feel using their credit cards, conducting business would be much more difficult. This is especially true when it comes to online sales.

So by having all merchants follow PCI compliance, it helps to maintain the trust that the public has in the credit card payment system.

But beyond the general benefits, there are also individual benefits of PCI DSS compliance that help businesses individually.

One main benefit is that secure systems and applications help reduce the risk of a data breach or other security-related incident due to data loss. A hack or a breach can severely harm a business or organization. 

Things such as ransomware attacks and other sophisticated network attacks cost businesses billions of dollars annually. For every high-profile ransomware or hacking case we hear about in the news, hundreds of small businesses likely are experiencing the same thing, but it’s not large enough to be newsworthy.

You don’t want to be one of those small businesses dealing with ransomware attacks. By following PCI compliance, you make your network and business IT infrastructure more secure overall.

So while the goal of PCI compliance is to protect credit card data, it protects all other data on your network as well. This reduces the likelihood of all types of security breaches, not just the ones that impact credit card data.

The Specifics of PCI Compliance

We already went over how to determine if you are PCI compliant or not. But it’s also good to understand the reasoning behind the PCI DSS guidelines. Doing so also helps to reinforce that many of the guidelines are simply best practices and things that most responsible businesses should already be doing.

So despite PCI compliance seeming like it can be a bit overwhelming at first, once you understand the guidelines and principles behind it, it becomes much easier to understand.

The guiding principles behind PCI DSS are contained within 6 goals that describe systems and processes to ensure network security.

1 Maintain a Secure System 

This involves the basic principles of network security: using strong passwords and always changing default passwords when deploying new systems or hardware. It also requires that businesses install and maintain an up-to-date firewall for their networking environment.

2 Protect Card and Cardholder Information

This goal states that all cardholder data must be held securely and in accordance with established security standards. This covers digital storage, but also restricting physical access to any form of cardholder data.

Another aspect of this rule covers the use of encryption and security controls when transmitting credit card data across private or public networks during processing or handling.

3 An active Vulnerability Management Program Should Be Maintained 

For this goal, businesses should use the latest antivirus software and protect themselves against malware that can compromise their network. This rule also covers the idea that businesses should build and maintain their networks with security as the top concern.

4 Execute Robust Access Controls

Access controls determine who has access to cardholder data within your organization. Only those who need access should have it, and that access should be controlled, secure, and trackable.

This means that when someone accesses credit card information, there is a record or log of that access. There also need to be ways of restricting access when needed.

5 Conduct Routine Monitoring and Testing of Networks

This goal focuses on the ongoing testing of your own network as well as maintaining logs of those who access sensitive areas.

6 Regularly Review and Update the Information Security Policy

This means your staff should have a clearly outlined policy for dealing with security. This can include rules and regulations within your organization as well as a central contact for security issues. This contact can be an individual or a department within your business.

Overall, these 6 rules are essential best practices for any business or network whether they handle sensitive customer data or not. So most of these should already be in place inside your business.

The rules help to explain the reasons for PCI DSS and what guiding principles influence the different levels of compliance as well as the SAQs and RoCs required to stay compliant.

Where Can I Get Help With PCI Compliance?

If you have remaining questions about PCI compliance or have an issue you are unsure how to resolve, the first step can be to contact your payment processor.

A trusted payment processor like ECS Payments has in-house technical support staff that specializes in network security and other PCI-related issues.

Another option for eCommerce businesses is to take advantage of the many tools made available by your payment gateway to help minimize your risk when handling credit card data.

This can include things like hosted payment pages or customer vaulting. Hosted payment pages are checkout pages hosted by your payment gateway. So all customer credit card information is handled on the gateway’s servers, not your own. 

If possible, try to offload as much security responsibility as possible using these tools and features. By doing so, you can make PCI compliance much easier.

For larger businesses, this may not be possible to do entirely. In those cases, you may need to hire a company that specializes in networking security if you don’t have the staff on hand to deal with those issues. 

There are technology firms that specialize in PCI compliance and have the required certifications to handle these issues. Although, in cases where a business has its own IT departments or staff, this may not be necessary.

Most modern networks and IT managers will have already implemented many PCI compliance standards. Therefore, the only requirement is to complete the required SAQ or RoC depending on your processing volume or other factors.

Finally, companies can choose an employee to perform an RoC if they undergo the proper training and certification. So this is another option to keep your PCI compliance in-house if you’re a larger organization and fall under level 1 compliance.

More Help With PCI Compliance

Your first stop for help with PCI compliance should be your payment processor and this is why choosing the right payment processor is so critical for businesses of all sizes.

ECS Payments is a trusted name in payment processing and we offer in-house technical and security specialists that can answer all of your questions about PCI compliance.

Contact ECS Payments to speak with one of our payment solutions experts and learn more about PCI compliance and how we can help your business by using the latest payment solutions.