Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit card payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.
Merchants often have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services among its other compliance services. Those questions, and his answers, are below.
What is PCI?
Erlin: “PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, MasterCard, American Express, and Discover). It represents the combination of two previously separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise.”
How does PCI compliance affect my ecommerce business?
Erlin: “If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.”
“Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here.”
Where can I learn more about PCI?
Erlin: “The PCI Security Standards Council is the authoritative source for information. You can find their website at http://www.pcisecuritystandards.org. You can also look to the card brands themselves for additional information.”
My annual sales are very small. Do I still have to comply with PCI?
Erlin: “Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.”
How do I know if my ecommerce business is PCI compliant?
Erlin: “Do you store, transmit or process credit card data? If the answer is yes, then you are required to fill out a self-assessment questionnaire to demonstrate PCI compliance. You may be required to perform other work to demonstrate compliance depending on your merchant level.”
“If you do not store, transmit or process credit card data, but do accept credit cards through a payment gateway or merchant account provider, then you should validate whether your providers are PCI compliant.”
What happens if my business is not PCI compliant?
Erlin: “If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you’re protecting their credit card data appropriately.”
If my business is PCI compliant, does it reduce my insurance liability?
Erlin: “Generally, no. If you’re not compliant and experience a breach, however, you can be open to legal action from the affected customers.”
Will PCI compliance reduce my business’s merchant account fees?
Erlin: “This isn’t generally the case. In fact, it can increase the cost. Merchant account providers have to demonstrate their own PCI compliance, and they can and have passed that cost on to their customers.”
Where can I find a list of shopping carts and hosts that are PCI compliant?
Erlin: “Unfortunately, there is no single list of compliant shopping carts, hosts or other providers. However, because PCI compliance is a basic requirement for accepting credit card payments, all of the most common hosted shopping carts are PCI compliant. Choose the shopping cart that has the features and functions you need, then validate that their service is PCI compliant.”