Obtaining PCI compliance for your eCommerce website can be a simple process or an extremely intensive one. PCI-DSS, the Payment Card Industry Data Security Standard, consists of twelve compliance areas that everyone who processes credit cards online must adhere to. Many merchants remain unaware of the PCI compliance obligations the data security standard places on them. This article focuses on how you can implement this standard in your business to become compliant, specifically the technical aspects of how your eCommerce website processes and stores customers' credit card information.
Becoming compliant in the twelve areas of the PCI standard, also known as the digital dozen, usually encompasses changes to your company's technical and infrastructure areas as well as changes to company policy. The following lists the twelve requirements:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data (technical)
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters (technical & policy)
- Requirement 3: Protect stored cardholder data (technical & policy)
- Requirement 4: Encrypt transmission of cardholder data across open, public networks (technical)
- Requirement 5: Use and regularly update anti-virus software (technical & policy)
- Requirement 6: Develop and maintain secure systems and applications (technical)
- Requirement 7: Restrict access to cardholder data by business need-to-know (technical & policy)
- Requirement 8: Assign a unique ID to each person with computer access (technical & policy)
- Requirement 9: Restrict physical access to cardholder data (technical & policy)
- Requirement 10: Track and monitor all access to network resources and cardholder data (technical & policy)
- Requirement 11: Regularly test security systems and processes (technical)
- Requirement 12: Maintain a policy that addresses information security (policy)
Meeting all twelve requirements encompasses a lot of effort. Luckily, there are different levels of compliance depending on how you process transactions online. Through these different levels, the responsibility of meeting all twelve "PCI compliance requirements for an eCommerce website" can be shared between you, your credit card processor and your web hosting company. The three validation types for eCommerce websites are discussed below:
Self Assessment Questionnaire for PCI Compliance
Every merchant is required to complete one of the four Self Assessment Questionnaires (SAQs) to become certified as PCI compliant. The simplest method to become compliant is to determine which SAQ you need to fill out and then figure out how to meet the requirements in that questionnaire. There are five SAQ validation types that determine which of the four questionnaires to complete to show your compliance.
The three SAQ validation types that affect online eCommerce systems are SAQ validation types 1, 4, and 5. In type 1 you neither store nor transmit any card data over the internet; in type 4 you transmit card data but don't store it; in type 5 you both transmit and store credit card data. Most people will be in type 4. As discussed below, if you are in type 5, you'll probably want to move to type 4 unless you have a big budget.
Companies seeking to be in validation type 1 cannot store or transmit any cardholder data. The customer must be redirected to the service provider's website to complete the purchase.
Example: Someone wants to buy something on your website. They put the item in their shopping cart, select checkout and are redirected to PayPal to complete their payment, including entering their credit card info. PayPal then sends a response to your shopping cart confirming the validity of the transaction. No credit card or personal information is transmitted from your shopping cart system to the payment processor. This can have a detrimental effect on your sales conversions, as customers do not like confusing payment methods. We highly recommend making type 4 validation your goal.
SAQ validation type 1 does not require PCI compliant web hosting; however, it may still be necessary to complete the SAQ-A if your credit card processor requires it. Additionally, if you qualify for type 1 validation you will not be required to obtain quarterly PCI vulnerability scans.
To qualify for SAQ validation type 4, cardholder data may be transmitted, but absolutely no cardholder data can be stored.
An example of a qualifying SAQ validation type 4 setup is an X-Cart or Magento shopping cart using a payment gateway such as Authorize.net or PayPal's Website Payments Pro to process credit card transactions. Cardholder data is transmitted to a PCI compliant third party for processing, and the shopping cart is configured not to store any credit card data.
The key here is that the credit card information is entered at the merchant's website, giving the customer a seamless shopping experience. Validation type 1, by contrast, must send the customer to a third-party website such as PayPal or 2Checkout for payment collection.
SAQ validation type 4 requires that all third-party credit card processors that you use are certified as PCI compliant.
SAQ validation type 4 merchants must complete the requirements of the SAQ-C. In addition to filling out the SAQ-C, you are required to ensure the payment processor is PCI compliant. PayPal and most other processors publish this information online. PCI compliance is also required of your web hosting provider and data center.
Due to additional complexities introduced by the SAQ-C requirements, including the fact that service providers must also be certified PCI compliant, traditional shared hosting options become impossible. Quarterly PCI website security scans are required for merchants that fill out a SAQ-C.
Merchants identifying themselves as eligible for validation type 5 must comply with the requirements in SAQ-D. These are the same requirements imposed on PCI certified service providers, and they are typically out of the financial and technical reach of most small eCommerce retailers.
The SAQ-D requirements for PCI compliance are a very serious undertaking for even highly skilled IT professionals. Lawyers, CPAs, and other professional help may often be needed to draft PCI audit policies and procedures. The cost of validation type 5 PCI compliance can easily run over $50-100k. The best advice one can give to a SAQ validation type 5 merchant is: if there is a way to become a type 4 merchant, do it.
The primary factor that distinguishes type 4 from type 5 for eCommerce merchants is the storage of cardholder data. Unless this is absolutely necessary, it should be removed from the business model.
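Because stored cardholder data is what separates type 4 from type 5, it is worth checking that a cart "configured not to store any credit card data" really does not, including in free-text fields such as order notes. The following Python script is an added example written for this article; it is not code from the original post, from X-Cart, Magento or any payment gateway. The order records it scans are constructed, and the field names (`order_id`, `txn_ref`, `notes`) are assumptions rather than a real cart schema. It looks for digit runs of card-number length that pass the Luhn check, so ordinary order numbers and phone numbers do not trigger it, and reports only the last four digits of anything it finds.

```python
import re
from typing import Iterable

# Runs of 13-19 digits, allowing the spaces or dashes customers type into forms.
# The lookarounds force a match to cover a whole digit run, so a 20+ digit run
# is never partially matched as a card number.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid, card-length digit strings found in free text."""
    hits = []
    for match in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual permitted display form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_records(records: Iterable[dict]) -> list[dict]:
    """Scan every string field of every order record and report masked findings."""
    findings = []
    for record in records:
        for field, value in record.items():
            if not isinstance(value, str):
                continue
            for pan in find_pans(value):
                findings.append({"order_id": record.get("order_id"),
                                 "field": field,
                                 "pan_masked": mask_pan(pan)})
    return findings


# Constructed sample order records (assumed field names, not a real cart schema).
SAMPLE_ORDERS = [
    # What a type 4 cart should hold: only the gateway's transaction reference.
    {"order_id": "100045", "amount": 49.99, "txn_ref": "gw-txn-8f3a1c",
     "notes": "Gift wrap requested"},
    # A PAN copied into a free-text field; this one record is enough to make
    # the merchant a card-storing (type 5) merchant.
    {"order_id": "100046", "amount": 120.00, "txn_ref": "gw-txn-0b77d2",
     "notes": "Customer phoned, read card 4111 1111 1111 1111 exp 12/29"},
    # Long digit strings that are not card numbers: a phone number and a
    # 16-digit reference that fails the Luhn check.
    {"order_id": "100047", "amount": 15.50, "txn_ref": "1234567890123456",
     "notes": "Call back on 555-867-5309"},
]


def scan_sample() -> list[dict]:
    """Run the scan over the constructed records; only order 100046 should be reported."""
    return scan_records(SAMPLE_ORDERS)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"order {finding['order_id']}: PAN {finding['pan_masked']} "
              f"in field '{finding['field']}'")
```

Run against an export of your real order, customer and log tables, the same `scan_records` call tells you whether the "don't store card data" configuration is actually holding; any hit is a record that must be purged before the SAQ-C can honestly be signed.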
PCI Compliance Conclusion & Recommendations
Obtaining PCI compliance is something you must do if you want to run an eCommerce website. The easiest method to achieve compliance is to abstain from electronically transmitting and storing credit card information and have a third party take care of your customers' data. We find that method produces fewer sales conversions, as customers have to leave your website to complete their order. Our recommendation is to aim for SAQ validation type 4. It allows you to complete the entire order transaction on your website, just as long as you don't store any credit card information in your database. If you currently store credit card information, you should change your business processes unless you have the means to fulfill SAQ validation type 5.
Utropicmedia has PCI-compliant dedicated servers ready for your eCommerce needs. Our data center is PCI compliant as we have robust access controls in place to restrict physical access to the equipment as well as firewalls that monitor and block malicious internet traffic. Contact us to find out more about our PCI-compliant ready managed servers.