Practical Ecommerce

What Is PCI Compliance And Should Merchants Be Concerned About It?

The major credit card issuers created PCI (Payment Card Industry) compliance standards to protect personal information and ensure security when transactions are processed using a payment card. All members of the payment card industry (financial institutions, credit card companies and merchants) must comply with these standards if they want to accept credit cards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards.

There are six categories of PCI standards that must be met in order for a retailer to be deemed compliant.

Maintain a secure network

This standard refers to the actual network that cardholder data is exposed to. In the case of an online business, the most obvious vulnerability for this standard is the web server. Luckily, most hosting companies take responsibility for ensuring the security of their networks. However, there is more to this standard than meets the eye. Do you keep cardholder data (even just names) on a laptop that you use on public networks? Does your office network have a firewall installed and reasonable security measures in place?

In short, whenever any personal information about a cardholder is stored on a computer (which is also connected to a network), that computer is behind a firewall and all reasonable measures have been taken to protect that particular network.

Protect Cardholder Data

This category focuses on how cardholder data is stored and transmitted. Business owners that choose to store cardholder information have an obligation to protect that data. Protecting information means that not everyone can access it. Businesses that store actual credit card numbers will often store them as encrypted data, so that even if someone got access to the database they still could not decipher the information in it.

Ecommerce businesses need to be especially critical of the way that cardholder data is transmitted. When a customer makes a purchase on a website, his/her cardholder information is sent across the Internet. During that transmission, cardholder data must be encrypted with at least a 128 bit SSL certificate in order to meet this standard.

Maintain a Vulnerability Management Program

This one is relatively simple, and translates to keeping up to date with your systems. Vulnerability exposure can be minimized by regularly updating computer hardware, operating systems and software. Keeping up to date anti-virus software, as well as running regular virus scans, is another requirement to meet this standard if your systems are susceptible to such vulnerabilities.

Implement Strong Access Control Measures

The most exploited breach in security is the human element, which is harder to protect. Part of meeting PCI compliance means limiting access to cardholder data to only those persons that need to use it. In addition to restricting physical access to cardholder information, business owners are also responsible for assigning a unique identification to each person that does have access.

Regularly Monitor and Test Networks

Networks that store cardholder data be monitored and tested regularly. Regular scans of security measures and processes, monitoring and tracking of network access to cardholder data are required to satisfy this standard. Consider signing up for a security testing and auditing service, such as ScanAlert’s Hacker Safe program, which can help you to identify and fix potential security problems as they arise.

Maintain an Information Security Policy

Considering that humans are generally the easiest part of a system to hack, and also that ignorance does not relieve liability, it’s important to draft and implement a company-wide information security policy. Make sure that your employees know and understand their responsibilities with regards to cardholder data before it becomes an issue.

The first step in PCI compliance is to meet the above standards. Credit card companies and financial institutions validate that vendors are abiding by the regulations, giving them ratings based on their volume of transactions. The rating that a company receives determines the process that they must go through in order to be validated. Next month, we’ll take a look at the four validation ratings, and what each rating means to a company.

Practical Ecommerce

Practical Ecommerce

Bio   •   RSS Feed


Sign up for our email newsletter

  1. Legacy User December 13, 2007 Reply

    Thanks you, this was much more enlightening than the last few PCI articles. Instead of scare tactics from companies that provide PCI consulting, it provides actual information. I am eagerly looking forward to the next article. Thanks and keep up the good work.

    — *me*

  2. Legacy User December 14, 2007 Reply

    Practical eCommerce had a great interveiw with someone on PCI Compliance last month. I'll post the link to the Podcast here:

    AND give directions to navigate to it:
    Click 'Podcasts" along the left navigation
    Click the 'ecommerce conversations' in the middel of the page
    Click "IP Commerce Platform Evangelist Tyler Hannan

    Contributing Editor Pat Callahan is joined by IP Commerce Platform Evangelist Tyler Hannan for a…" from Nov. 2

    — *me*

  3. Legacy User December 17, 2007 Reply

    While it is important to consider all of these factors when discussing PCI, the best way to know that you are hosting data securely is by keeping up with PCI/CISP audits. When a merchant chooses a PCI certified host, their hosting company takes care of all of this for them.

    — *Michelle Greer*

  4. Legacy User December 20, 2007 Reply

    As a quick follow-up to this article, I was prompted recently to take a deeper look into some of the PCI requirement information, and I have found some pretty serious discrepancies with regard to the reporting obligations of Level 4 Merchants (less than 20,000 transactions per year).

    I'm not going to speculate as to what the deal is here, as I am awaiting a response from an authority on the matter as to what the true reporting requirements are. For the most part, I just wanted to point out some of the inconsistencies that I have seen in an effort to root out the truth.

    <a href="">This link</a> and <a href="">this link</a> suggest that Level 4 Merchants are not required to report on their PCI compliance (which does not mean that they aren't responsible for being compliant, only reporting on it annually).

    However, <a href="">this link</a> suggests that Level 4 Merchants are required to annually scan their network in order to prove compliance:

    And finally, there seems to be quite a few sites out there such as <a href="">this link</a> and <a href="">this link</a> that suggest Level 4 Merchants are required to undergo quarterly network scans, which is the same requirement for Level 3 Merchants:

    I'm curious if anyone out there has any experience with this sort of thing. Again, I want to stress that ALL merchants that accept credit cards are obligated to maintain PCI compliance. However, the issue surrounds the reporting requirements for various merchants, as having scans and such is a service that a merchant will have to pay for.

    As I mentioned, I am awaiting a response from someone that I suspect will be able to definitively outline what the reporting requirements are. I'll post what I learn when that happens.

    — *Brian Getting*

  5. Legacy User January 14, 2008 Reply

    I will see if maybe we could find someone.

    — *Michelle Greer*

  6. Legacy User April 3, 2008 Reply

    As a business owner who run 12 e-commerce websites online I found a great way to secure my servers and withstand with the PCI 6.6 Compliance segment.
    After reading & researching about the different solutions I understood that reviewing the code is not an option comparing to install a web application firewall.

    I found a great company that developed a product called dotDefender Web Application Firewall that meets with the PCI 6.6 compliance standard.
    You can check their link at: or

    Since we installed the software on our servers we also noticed that the number of attacks went down significantly.

    Hope thats help,


    — *Tom*

  7. jerome January 21, 2009 Reply

    There is a ton of good info, whitepapers, video, podcasts, quickguides, etc on PCI Compliance at

  8. BfromD May 4, 2009 Reply

    I am trying to become PCI compliant but don’t seem to be able to get a straight answer or I get a different one each time I ask questions. I have a Yahoo hosted store which has 128bit encryption, but the assessment company recommended by my card processor tells me that I must have my IP address scanned quarterly because I can view my customer’s card info online, even though the actual transaction is handled and processed through the Yahoo store system. The assessment company is telling me that someone may be able to hack my local ISP and view the information while I am looking at it. My local ISP says they are secure. Who is giving me the straight scoop, do I really need to have my IP address scanned?

  9. johnelliott24 June 2, 2009 Reply

    I am a PCI and PA-DSS assessor for what I think is the largest QSA firm. I’ll leave their name unknown since this is not official business, but if any of you have special cases you want to discuss, you can email me at I am not looking for work, but discussing cases is good practice for me, so feel free to contact me.

    One key but simple point about PCI, is that if you handle (that includes look at) card holder data, you must be compliant. A lot of people think that hosting a solution gets them off the hook, but think of it from a security standpoint. If you can compromise someone’s card, the card brands want you to be compliant.

  10. CoreDefend January 28, 2010 Reply

    Transferring the risk does not mean that you are exempt from PCI requirements and compliance. I work with organizations with varying Merchant levels. Many systems do not store or process credit card data; but transmit them to a third party system for storage and processing. While this reduces risk, it does not remove the PCI requirement for any system that stores, process, or transmit data.

    I have worked with many ASV, and one word of advice is to scan your systems (which are directly and indirectly) connected to your financial systems on a weekly basis–NOT only at the end of the quarter. Their scanning engine and vulnerability plug-ins are updated many times a week. You do not want to be caught off guard at the last minute with new vulnerabilities.

    Thank you,

    Core Defend Tech.

  11. Vormetric Encryption November 1, 2012 Reply

    Any company that stores, processes or transmits credit card data must comply with the PCI DSS. The major credit card brands of Visa, MasterCard, Discover and American Express aligned their individual policy protection programs to create the PCI DSS, an industry wide framework for protecting consumers.