
PCI Compliance - Ecommerce

Web Bureau

27 January 2011 by Web Bureau

PCI Compliance for Ecommerce Security

What is PCI DSS? What is PCI compliance?

The Payment Card Industry’s Data Security Standard (PCI DSS) is a set of comprehensive requirements for enhancing payment account data security by creating a strong, systematic way for merchants to secure cardholder data. It was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis. This multifaceted security standard includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures to help organizations proactively protect customer account data.

Why is PCI compliance important to ecommerce businesses?

eCommerce companies mainly perform “card-not-present” electronic transactions. Because these transactions take place via the Internet through an online store, credit card numbers are especially vulnerable to theft by cyber criminals.

What are some common ways cardholder information security is compromised in an online commerce environment?

If credit card numbers are not encrypted or tokenized (a data security model in which surrogate values, or “tokens”, are substituted for the actual credit card numbers), they can be “sniffed” remotely by computer programs. Here is how it works: a cyber criminal releases a “sniffer” program onto the Internet. When the program recognizes data in credit card number format, it “lifts” the number if it is not encrypted or tokenized. Sniffer programs typically steal credit card numbers out of applications and databases. The stolen numbers are then sold on the black market.
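As an added illustration of the tokenization model described above (example code written for this page, not Web Bureau's own): a hypothetical vault substitutes a surrogate token for each card number before a record is stored, and a Luhn-based scan, the same card-number-format recognition the paragraph attributes to sniffer programs, is turned around as a defender's check that no raw number survives in what gets written to logs or databases. The order record and the card number are constructed test data; the vault design is an assumption, not a specific product.

```python
import re
import secrets

# Constructed sample record; 4111111111111111 is a published Visa test PAN, not a real card.
SAMPLE_ORDER_LOG = "order=1042 pan=4111111111111111 amount=49.90 status=captured"

# 13-19 digits, optionally separated by spaces or hyphens, standing as a whole word.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: tells card-number-format data apart from arbitrary digit runs."""
    total = 0
    for i, d in enumerate(int(c) for c in reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Defender-side check: every Luhn-valid PAN still present in text (should be none)."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_PATTERN.finditer(text))
    return [d for d in candidates if luhn_valid(d)]


class TokenVault:
    """Hypothetical vault: only it holds the PAN; the token keeps just the last four digits."""

    def __init__(self):
        self._by_pan, self._by_token = {}, {}

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"[ -]", "", pan)
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
            raise ValueError("not a valid PAN")
        if digits not in self._by_pan:
            # "tok_" + 16 random hex chars + last four: can never match PAN_PATTERN
            token = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
            self._by_pan[digits], self._by_token[token] = token, digits
        return self._by_pan[digits]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def protect_record(vault: TokenVault, record: str) -> str:
    """Swap each PAN for its token before the record reaches a log or database."""
    def swap(m):
        digits = re.sub(r"[ -]", "", m.group())
        return vault.tokenize(digits) if luhn_valid(digits) else m.group()
    return PAN_PATTERN.sub(swap, record)
```

Run `find_pans` over anything that leaves the cardholder data environment (application logs, exports, support tickets); a non-empty result means a raw number escaped the tokenization step.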

Who must comply with PCI standards?

Any company that accepts, processes or stores credit card numbers must comply with PCI DSS. This includes credit card processors and all merchants that accept credit cards, online or offline, from small Internet stores to the world’s largest retail corporations. The number of credit card transactions a merchant performs annually determines the specific compliance requirements that must be met. The PCI Security Standards Council also provides guidance to software vendors and others to help them develop secure payment applications, and it maintains a list of Validated Payment Applications.

Are PCI standards the same for large enterprises as for small and medium-sized businesses?

PCI compliance requirements vary depending on annual transaction volume. Merchants fall into one of four classifications, called Levels.

For example, under Visa’s definitions:

  • Level 1 merchants process over 6 million Visa transactions annually (all channels).
  • Level 2 merchants process 1 million to 6 million Visa transactions annually (all channels).
  • Level 3 merchants process 20,000 to 1 million Visa ecommerce transactions annually.
  • Level 4 merchants process less than 20,000 Visa ecommerce transactions annually. In addition, all other merchants processing up to 1 million Visa transactions annually are classified as Level 4 merchants.

What is required of merchants to comply?

Specific compliance or “validation” requirements are set by the individual card brands. For example, Visa’s compliance requirements are slightly different for each level as follows:

  • Level 1 merchants must complete an Annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA); complete a quarterly network scan by an Approved Scan Vendor (ASV); and file an Attestation of Compliance Form.
  • Level 2 and Level 3 merchants must complete an Annual Self-Assessment Questionnaire (SAQ), complete a quarterly network scan by an ASV and file an Attestation of Compliance Form.
  • Level 4 merchants are encouraged to complete an annual SAQ and have an ASV perform a quarterly network scan, if applicable. Compliance validation requirements are set by the acquirer.

In addition, under Visa’s requirements, any merchant that has suffered a breach that resulted in an account data compromise may be escalated to a higher validation level.

The PCI Security Standards Council maintains links to each of the six credit card companies’ — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc. and Visa Europe — requirements on its website.

What are the risks associated with non-compliance?

PCI DSS compliance is an important step in protecting cardholder information from theft, which in turn helps merchants preserve their reputation, protect their brand and avoid lawsuits stemming from a credit card breach. In addition, merchants who do not comply with PCI DSS expose themselves to a host of penalties imposed by the credit card companies, ranging from punitive fines to termination of the right to accept credit cards. Non-compliant merchants who suffer a breach also forfeit safe harbor protection.
