Practical Ecommerce

PCI Compliance: Frequently Asked Questions

Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit card payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.

Merchants oftentimes have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services, among other compliance services. Those questions, and his answers, are below.

What is PCI?

Tim Erlin
Erlin: “PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, Mastercard, American Express, and Discover). It represents the combination of two previous separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard’s Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise.”

How does PCI compliance affect my ecommerce business?

Erlin: “If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you’ll need to carefully consider the requirements of the PCI DSS.”

“Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here.”

Where can I learn more about PCI?

Erlin: “The PCI Security Standards Council is the authoritative source for information. You can find their website at You can also look to the card brands themselves for additional information.”

My annual sales are very small. Do I still have to comply with PCI?

Erlin: “Every merchant that accepts credit cards must comply with PCI, but smaller merchants often achieve compliance by using compliant services. If you don’t store, transmit or process any credit card data, then your systems are out of scope for PCI DSS compliance.”

How do I know if my ecommerce business is PCI compliant?

Erlin: “Do you store, transmit or process credit card data? If the answer is yes, then you are required to fill out a self-assessment questionnaire to demonstrate PCI compliance. You may be required to perform other work to demonstrate compliance depending on your merchant level.”

“If you do not store, transmit or process credit card data, but do accept credit cards through a payment gateway or merchant account provider, then you should validate whether your providers are PCI compliant.”

What happens if my business is not PCI compliant?

Erlin: “If your business is not PCI compliant there are various measures that the card brands can take, ranging from warnings and monetary fines to revoking your ability to process transactions entirely. More importantly, the PCI DSS allows you to assure your customers that you’re protecting their credit card data appropriately.”

If my business is PCI compliant, does it reduce my insurance liability?

Erlin: “Generally, no. If you’re not compliant and experience a breach, however, you can be open to legal action from the affected customers.”

Will PCI compliance reduce my business’s merchant account fees?

Erlin: “This isn’t generally the case. In fact, it can increase the cost. Merchant account providers have to demonstrate their own PCI compliance, and they can and have passed that cost onto their customers.”

Where can I find a list of shopping carts and hosts that are PCI compliant?

Erlin: “Unfortunately, there is no single list of compliant shopping carts, hosts or other providers. However, because PCI compliance is a basic requirement for accepting credit card payments, all of the most common hosted shopping carts are PCI compliant. Choose the shopping cart that has the features and functions you need, then validate that their service is PCI compliant.”

  1. Derek Beckwith, March 27, 2009

    Is PCI compliance a toothless tiger?

    The massive data breach announced in January by Heartland Payment Systems continues to raise significant questions regarding the state of security in the payment industry. As many as 100 million credit and debit cards have been compromised, impacting unknown millions of consumers, 175,000 merchants and 600 institutions. One of the most pressing questions of the day is the relevance of the Payment Card Industry Data Security Standard (PCI), which is an industry-driven standard meant to ensure the safe handling of sensitive information.

    Leading up to the breach, Heartland listed on its own Website that it was certified as being PCI-compliant last April. “Obviously, Heartland was not in compliance at the time of the breach,” explained Steven Bearak, CEO of Identity Force ( “This lapse in compliance is not just troubling; it causes many to wonder if the PCI standard is in fact a toothless tiger.”

    Heartland is still in operation. Visa, while taking Heartland off of its “compliant” list, continues to accept transactions processed by the company. And a top analyst at Gartner Research just this week is urging companies that do business with Heartland Payment Systems Inc. and RBS WorldPay Inc. (another breached processor) not to switch to other payment processors.

    Heartland has even gone so far as to threaten to sue companies that try to take its business away by raising questions about the effectiveness of its security systems.

    What is clear is that millions of people and merchants have been put at risk, and little is being done voluntarily to mitigate the damage. What good is PCI compliance if there are no penalties involved for the major institutions that claim compliance and are not?

    Security is only as strong as the weakest link. PCI compliance certification is not a guarantee against breaches. Organizations should prepare accordingly.

  2. e-onlinedata Erin, March 31, 2009

    Excellent Point Derek!

    Everybody’s talking about Payment Card Industry (PCI) compliance and, if you’re an e-commerce merchant, you probably know by now that you have to bring your online store into compliance with the PCI Data Security Standard (DSS). But what does that mean to you? There’s a lot of confusion about what, exactly, you have to do to achieve full compliance.

    One big myth that’s spreading among merchants is that payment gateway, shopping cart or Web host compliance alone is all it takes. Get that established and you’re all set. Wrong! That’s a common misconception – and a potentially expensive one once PCI starts issuing fines and penalties against the noncompliant.

    Think of it this way: if your house has four doors and only three of them are locked, is it secure against intruders? Of course not. Any one of those locks is a great start, but no more than that. Until all four doors are locked up tight, that house will never be secure. The same goes for your e-commerce site. A compliant payment gateway, shopping cart, or Web host by itself is good to have but – without compliance in all areas – you’ve got a virtual unlocked door. With a great big welcome mat for intruders just outside.

    The good news is that there are companies out there that can help. Just as there are Web sites that can guide you through completing and filing your taxes, there are many – like those of qualified security assessors (QSAs) and approved scanning vendors (ASVs) – that can walk you through the necessary steps to certified PCI compliance. It’s a complex but ultimately understandable process.

    The Road to Compliance – All Gain, Little Pain

    The PCI standards are pretty clear. Here’s what they are and some actions you’ll have to take to meet them:

    * Build and maintain a secure network: take steps like installation and maintenance of firewalls, and ensure that vendor-supplied default passwords are changed.

    * Protect cardholder data: be able to show that you’re protecting stored cardholder data and properly encrypting it for any transmission through networks.

    * Maintain a vulnerability management program: use and update anti-virus software and ensure that all systems and applications are secure.

    * Implement strong access control measures: take steps to definitively restrict internal access to cardholder data to need-to-know areas/personnel, establishing unique passwords and other identifiers.

    * Regularly monitor and test networks: establish a program for testing all security systems and processes; monitor and keep records of all tests run and all access to networks and cardholder data.

    * Maintain an information security policy: develop a policy and keep it updated as business conditions change.

    Easy, right? Okay, it may seem like anything but. No worries – just take a breath and do what it takes to assess where you stand.

    Here’s What You Have To Do

    If you’re what’s called a Level 3 (20,000 to 1,000,000 annual transactions) or Level 4 (less than 20,000 annual transactions) merchant, you’re not required to conduct an on-site remediation. You do, however, have to complete an annual online self-assessment questionnaire and quarterly full-network security scans (remember those approved scanning vendors or ASVs mentioned earlier? You’ll need one for this).

    The only Level 3 and 4 merchants not required to conduct external scans are those who enter data through virtual terminals directly into payment gateways that are certified as compliant. You’ll want to verify both that this category fits you and that your gateway is compliant – a faulty assumption here will cost you money. Once you’ve confirmed those facts, be aware that you’re still responsible for completing an annual online self-assessment.

    For any of these requirements, consulting a qualified security assessor (QSA) or approved scanning vendor (ASV) will make the job a lot easier. You can find a list of ASVs here:

    Help – I’m One of the Little Guys!

    If you’re running a reasonably big operation with qualified IT people at your beck and call, this probably feels pretty manageable by now. But what if you’re a very small, say low-end Level 4, merchant with no technician on-site to fix any vulnerabilities you discover? Fear not – just take a good, hard look at your vendors.

    First, remind yourself of who they are, because there may be more than you commonly communicate with. Look at your hosting provider, shopping cart, payment gateway and any other providers. Are they all certified PCI compliant, ensuring that all your virtual doors are locked up tight? If not, it might be time to find yourself ones that are. For the smallest merchants, that’s one way to keep this simple – and yourselves protected.

    The Pot of Gold at the End of the PCI Rainbow

    If you find yourself getting frustrated on the road to PCI compliance, take a minute to remember the big picture. The Payment Card Industry is taking these dramatic steps to protect cardholders, yes, but also merchants. Can you afford the damage to your business a major security breach would cause? You might think you’re a small target but – guess what? – those are hackers’ favorite kind. After all, when you’re planning a robbery, do you go after Fort Knox or that super-busy Mom and Pop store down the street? You know, the one with four doors …but only three that are locked.

  3. tvcnet, March 17, 2010

    You can’t be PCI compliant unless your website hosting company provides PCI compliant hosting as part of their service as well. Luckily, PCI compliant website hosting is not difficult to find.

    Companies like Volusion, Dydacomp and TVC.Net are PCI compliant out of the box, so the first step to ensuring your online business and website is PCI compliant is to call your web host and ask them if their servers meet PCI compliance standards.

    If your web host is not PCI compliant you should consider moving off to one that is (ASAP).

  4. blue225, March 27, 2010

    I hope you can answer this question.
    If you have a custom shopping cart that uses a gateway to securely submit the order through SSL and just gets back the order confirmation, and you do NOT store the name on card, CC#, exp. date or CVV2, and the hosted server has also passed the quarterly scan and you are Level 4 and have filled out the yearly questionnaire, are you not considered compliant?

    I guess the only factor here is your custom cart you’ve worked so hard to build and need to keep it that way for customization reasons, do you have to do anything else for PCI DSS specific to the cart? What exactly is involved with a custom cart that is used by only one site and only transmits CC info to gateway?

  5. Thu, January 17, 2012

    Another note to add to tvcnet’s comment – you need to do your part to ensure your PCI compliant host is actually PCI compliant. While anyone can fill out the self-questionnaire, if your host hasn’t been independently PCI audited, you can’t be sure they can provide fully compliant services.

  6. Marc Funaro, March 17, 2012

    So here’s a question that may bake some noodles…

    As a web applications developer AND a small web host, we were confronted recently by the "PCI Tiger" (toothless or not), where our flagship product and its users were deemed at risk because the app and our hosting service "transmit, store, or process" cardholder data.

    Our solution has been to resort to using a Hosted Payments solution… this way cardholder data never touches our system… upon checkout, the user is sent to a page hosted by a PCI-compliant vendor where they can enter cardholder data, and they are subsequently returned to our system upon completion. Sounds great, right?

    Hold on there, sports fan… let’s think about this.

    Let’s say that despite all our other due diligence efforts to protect our service and software, someone hacks our network and/or our application, and where the user is supposed to be redirected to a PCI-compliant Hosted Payment page, they are somehow redirected to some jerk’s "pretend" payment page? What’s the liability THEN? We are supposedly "out of scope for PCI DSS compliance" but still there’s a real security breach at play. Granted, given the smaller size of our operation, such a breach would have a minimal effect as far as actual dollars of liability, and it would probably be noticed fairly quickly that something was awry… but still… how deep can the litigation/liability rabbit hole go? How many entities can be affected when protection of code can only be reasonably guaranteed up to a certain point? We can’t all be security experts, hence the reason we outsource to the Hosted Payments solution… but what if that still gets bypassed?

    Are we ever truly in the clear, even when we simply lay a finger on eCommerce just enough to send someone to someone else’s checkout counter?
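The redirect tampering Marc describes is something a merchant can at least detect on its own side: below is an added example (mine, not from the article or any commenter) that audits a rendered checkout page for payment redirect targets outside a pinned list of hosted-payment hosts. The allowlisted host and the two sample pages are constructed placeholders.

```python
"""Audit a checkout page for redirects that leave the hosted-payment domain."""
import re
from urllib.parse import urlparse

# Assumed allowlist: the hosted-payment host(s) the merchant actually contracts with.
ALLOWED_PAYMENT_HOSTS = {"pay.example-gateway.com"}

# Places a redirect to the hosted page normally lives on a rendered checkout page:
# form actions, meta refresh targets, and JavaScript location assignments.
REDIRECT_PATTERNS = [
    re.compile(r'<form[^>]*\baction=["\']([^"\']+)["\']', re.I),
    re.compile(r'<meta[^>]*http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)', re.I),
    re.compile(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I),
]


def extract_redirect_targets(html):
    """Return every candidate redirect/submission URL found in the page, in pattern order."""
    targets = []
    for pattern in REDIRECT_PATTERNS:
        targets.extend(pattern.findall(html))
    return targets


def classify(url):
    """Relative paths are the merchant's own forms (coupon, search) and are left alone;
    anything absolute must be https to an allowlisted host, or it is suspicious."""
    parsed = urlparse(url)
    if not parsed.scheme and not parsed.netloc:
        return "same-site"
    # hostname is lowercased and has no port, so lookalike hosts such as
    # pay.example-gateway.com.evil-example.net do not match the allowlist.
    if parsed.scheme == "https" and parsed.hostname in ALLOWED_PAYMENT_HOSTS:
        return "allowed"
    return "suspicious"


def audit_checkout_page(html):
    """Return the redirect targets that would send a shopper somewhere other than the real hosted page."""
    return [u for u in extract_redirect_targets(html) if classify(u) == "suspicious"]


# Constructed sample pages: one as deployed, one after an attacker has edited it.
CLEAN_PAGE = """<form method="post" action="https://pay.example-gateway.com/session/start">
<input type="hidden" name="order" value="1001"></form>
<form method="post" action="/cart/coupon"><input name="code"></form>"""

TAMPERED_PAGE = """<form method="post" action="https://pay.example-gateway.com.evil-example.net/start">
</form>
<script>window.location.href = "http://pay.example-gateway.com/start";</script>"""

if __name__ == "__main__":
    print("clean page findings:", audit_checkout_page(CLEAN_PAGE))
    print("tampered page findings:", audit_checkout_page(TAMPERED_PAGE))
```

Running the audit against a fresh fetch of the live checkout page on a schedule, and alerting on any non-empty result, turns the "somebody would notice eventually" in the comment into a concrete check.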

  7. Sarita Gupta, July 9, 2013

    I do not store or process credit card info. I do however accept credit cards.
    I was not notified of the quarterly PCI compliant fees charged. They were in fine print of my contract. Please help me answer the following questions:
    1. How can I get them (PCI compliance fees) waived?
    2. I did fill an online survey and am PCI compliant…. Thus is there any provider that does not charge for PCI compliance?
    3. Do you have a provider that you can suggest is the lowest in all fees?
    With infinite gratitude and love for all that you do,