PCI DSS stands for Payment Card Industry Data Security Standard. It is set by the PCI Security Standards Council (PCI SSC), based in Wakefield, Massachusetts, in the USA.
The Council was founded by the five main card brands, Visa, Mastercard, American Express, Discover and JCB International, to reduce the risk of cardholders' card details falling into the wrong hands by requiring anyone who stores, processes or transmits card data to meet a strict set of security requirements.
Firstly, if you are one of the majority of SMEs (Small to Medium Enterprises)
who sell products or services online by credit or debit card and use a
third-party payment provider to do so, such as Authorize.net or Sagepay (if
you're in the UK), you don't have to do much to be compliant beyond completing
a Self-Assessment Questionnaire.
The reason is that your payment provider will itself be compliant. As long as
the card details are entered on the provider's own secure payment pages (a
redirect or hosted payment page) and never pass through or get stored on your
own website or server, the majority of PCI DSS compliance is dealt with and no
PCI vulnerability scan of your website or server is required. The caveat is
that this only holds if your site never touches the card details: a form on
your own site that collects the card number and forwards it to the provider
means you are transmitting cardholder data, and the simplified route no longer
applies.
If you store card details yourself, on your own server or computers, things
get more complicated and you will need to carry out several measures in order
to be PCI DSS compliant. This applies no matter how many transactions you do a
year, even if it is just a few hundred.
Is it the law to be PCI DSS Compliant?
It is not the law. However, you risk upsetting your acquiring bank, which may
cancel your merchant account and prevent you from taking card payments, which
would obviously be damaging to your business. Also, at the acquirer's
discretion, merchants that do not become PCI DSS compliant may be subject to
fines, card replacement costs, expensive forensic audits and public
embarrassment should a breach of data occur.
With a little effort and cost to comply with PCI DSS, you greatly reduce your risk of facing these consequences.
The 4 Levels Of PCI Compliance
Merchant levels are defined by the card brands and assigned by your acquirer, who can place you at a higher level than your transaction volume alone would suggest. The thresholds below are Visa's and are counted per year:
Level 1: More than 6 million transactions per year
Requires an annual onsite assessment by a QSA (Qualified Security Assessor), reported as a Report on Compliance, and a quarterly ASV (Approved Scanning Vendor) scan
Level 2: 1 to 6 million transactions per year
Requires an annual Self-Assessment Questionnaire (SAQ) and a quarterly ASV (Approved Scanning Vendor) scan
Level 3: 20,000 to 1 million e-commerce transactions per year
Requires an annual Self-Assessment Questionnaire (SAQ) and a quarterly ASV (Approved Scanning Vendor) scan
Level 4: Fewer than 20,000 e-commerce transactions per year (and up to 1 million transactions in total)
Requires an annual Self-Assessment Questionnaire and, where your SAQ type calls for it, a quarterly ASV (Approved Scanning Vendor) scan.
What is Vulnerability Scanning?
If you electronically store cardholder data after authorisation, or if the
systems that process or transmit card data are connected to the Internet, then
a quarterly external scan by a PCI SSC Approved Scanning Vendor (ASV) is
required. If all card handling is outsourced to your provider's hosted payment
pages and no card data touches your systems, PCI vulnerability scanning is an
unnecessary expense. A vulnerability scan can find easy loopholes into your
server that attackers may exploit, but it is an automated check of your
Internet-facing systems for known weaknesses on the day it runs; it cannot
guarantee that attackers will not get into your server. So while some
companies offer seals displaying "Hacker Proof", "Hacker Safe" and the like,
the chances are that these statements are untrue: a passed scan means no
known, externally detectable issues were found at that time, nothing more. If
attackers have been able to break into the Pentagon, your server is likely to
be an awful lot easier!
Self Assessment Questionnaire and Network Scans
Where an ASV scan applies to you, your Internet-facing systems need to pass a
scan on a quarterly basis. In addition, Level 2, 3 and 4 merchants need to
complete a Self-Assessment Questionnaire (SAQ) on an annual basis, while
Level 1 merchants require an annual onsite audit by a QSA.
There are four different self-assessment questionnaires, but you only need to complete the one that's applicable to your business:
- SAQ A
For merchants in a Card Not Present (CNP) environment (e-commerce or mail/telephone order) where all cardholder data functions are fully outsourced to a compliant third party and no cardholder data is stored, processed or transmitted on your own systems. This applies to you if you process card payments using PayPoint.net's hosted payment pages.
- SAQ B
Merchants with standalone dial-out terminals only, not connected to the Internet or to any other systems, and with no electronic cardholder data storage onsite.
- SAQ C
Merchants whose payment application or POS system is connected to the Internet, straight to their service provider, with no electronic cardholder data stored onsite.
- SAQ D
All other merchants not covered by SAQ A, B or C, including any merchant that stores cardholder data electronically on its own systems. This is the full questionnaire and covers every PCI DSS requirement.