What is PCI Compliance?

February 16, 2023 in Small Business

Concerns around the collection and use of personal information online are nothing new. But they become all the more concerning when sharing financial information on a website.

As an eCommerce owner, are you doing enough to address and overcome your customers’ concerns? If not, don’t worry – we’ll explain how you can protect your customers by using PCI compliance. We’ll also make sure you understand the ins and outs of PCI compliance, the steps to get started, and the penalties for not meeting PCI standards.

PCI Compliance Meaning

The term ‘PCI compliance’ is short for Payment Card Industry Data Security Standard. It is also referenced as PCI DSS.

PCI compliance was established in 2006 to help protect businesses from credit card fraud. It was established by five of the largest major payment brands (Visa, Mastercard, American Express, Discover, and JCB) in an effort to increase control over where cardholder data is stored, processed, or transmitted for websites that take payment online.

PCI Data Security FAQs

Maintaining proper PCI compliance levels can be difficult for those who aren’t familiar with the subject. An online business needs security controls to protect against data breaches, while also maintaining compliance. These are the most popular questions people ask when looking to set up compliant security systems.

What is PCI compliance in simple terms?

In short, PCI compliance is a set of security standards used to help protect consumers’ credit card data whenever they make a purchase online.

Who needs to be PCI compliant?

Any individual or business that stores, processes, or transmits payment card information needs to meet PCI compliance requirements. This includes small businesses, companies that only take payments over the phone, and even companies that use a third-party payment processing system, like PayPal.

Is PCI compliance required by law?

While PCI compliance is not a federal law in the United States, it is strongly enforced by the major card brands listed above. It is a security standard that applies to all individuals, businesses, or organizations that accept, transmit, or store cardholder data.

Meeting PCI requirements can be a very time-consuming and complicated process. In addition, maintaining compliance can be even more challenging. There are quarterly and annual assessments organizations need to complete on an ongoing basis to maintain compliance.

However, only 27.9% of organizations are fully compliant with these requirements. One of the roadblocks is the extensive questionnaire individuals need to complete to get started, as well as the ongoing validation process.

As a result, many businesses that should be compliant are not. Those who do not follow PCI DSS requirements might be subject to very expensive fines that could result in bankruptcy.

What happens if I don’t become PCI compliant?

Non-compliance may subject you to penalties and hefty fines. More often than not, the fined bank will pass this fine to the merchant, terminate your relationship with the bank, or increase the fee. Large fees can be devastating to a small business and might even result in the website owner going out of business.

How is cardholder data defined?

According to the Payment Card Industry Security Standards Council (PCI SSC), cardholder data consists of the full primary account number (PAN), plus any of the following: cardholder name, expiration date, and/or security code. The security code is the three- or four-digit number on the back of the credit card.

What if I operate a small business and only accept a few credit card payments a year?

Regardless of whether you are a small, one-person business or a large enterprise, if you accept, store, and transmit cardholder data, then you need to be PCI compliant. The same holds true for whether you collect $20 in payment per year or $20,000,000 – meeting PCI compliance standards is a must.

Additionally, don’t assume you are too small to be hacked. In fact, small and medium-sized businesses faced twice as many cybersecurity threats in 2021 vs. the previous year.

Are eCommerce websites the only ones that need to be PCI compliant?

While it’s true that eCommerce stores need to be compliant, they are not the only businesses that need to comply with PCI standards. PCI DSS applies to any and all websites that store, process, or transmit cardholder information.

Even if you do not “sell” anything online, your business might still be required to follow the requirements. For example, in order to start a free trial with Netflix, individuals are required to input their payment information as part of the trial process. While the customer is not being charged during the free trial period, Netflix is storing their payment card data, and therefore needs to protect that data via PCI compliance.

Another example is a doctor’s office that allows their patients to pay for their visits online through a payment portal. Although these doctors aren’t necessarily “selling” anything online to their patients, they are still expected to protect their patients’ financial information.

If I only accept credit cards over the phone, do I need to be PCI compliant?

Regardless of if you store information via your website database or elsewhere, all businesses that store, process, or transmit payment data must meet PCI standards.

If I outsource my credit card processing, do I need to be PCI compliant?

If you use third-party processors, like PayPal, to collect credit card information, then you still need to comply with the standards. For example, if your business receives charge-back and refund information, it is important to make sure this information is protected.

If my hosting provider is PCI compliant, does that make me compliant?

In short, the answer is no. As an eCommerce or website owner, you are ultimately responsible for the security of your website, which includes meeting compliance standards. Your host does not automatically provide you with PCI compliance. In fact, most shared hosting environments are not compliant.

The average website experiences 63 attacks per day on average. With this in mind, it is important to understand the differences between the security your web host offers versus the security you’re responsible for. Your web host ensures that your website is being hosted on a secure server; however they are not responsible for protecting your website from hackers, or ensuring you are PCI compliant.

How do I get started with the PCI compliance process?

First, you will start by identifying the self-assessment questionnaire you are required to complete. The self-assessment you complete will depend on your business and how you accept payment online. For example, eCommerce merchants who outsource payment processing will complete a different questionnaire than merchants who take payment over the phone.

What do I do after I identify the correct self-assessment questionnaire?

Once you’ve identified the correct questionnaire, it is time to complete your questionnaire. It’s important to keep in mind that the questionnaire is 280 questions and may take several hours to complete.

However, there are companies that specialize in making the PCI DSS compliance questionnaire process as easy as possible by providing a simplified questionnaire. These companies will use logic to pre-populate responses for you by section, which may save you a significant amount of time.

In fact, depending on the type of questionnaire you’re completing and the company you’re getting help from, you may only need to answer 20 percent of the 280 questions.

Additionally, the application asks a series of business process, policy, and technical questions about your existing credit card security practices. If you need to make changes to your existing policies or need new policies, some security companies will customize a policy for you that you can download instantly.

What do I do after I complete the questionnaire?

Once you complete the questionnaire, then an initial and quarterly vulnerability scan by an approved scanning vendor may be required to maintain compliance. This vulnerability scan will check for any potential security weaknesses in your website and hosting server configuration.

According to pcicomplianceguide.org, if you qualify for any of the following SAQs under version 3.x of the PCI DSS, then you are required to pass a vulnerability scan:

  • SAQ A-EP
  • SAQ B-IP
  • SAQ C
  • SAQ D-Merchant
  • SAQ D-Service Provider

What is a vulnerability scan?

A vulnerability scan, also referred to as a website scan, is designed to complete a comprehensive scan of your website to identify vulnerabilities. A website vulnerability is a weakness or misconfiguration in a website or web application code that allows a cybercriminal to gain some level of control of your site. When vulnerabilities are exploited, cybercriminals can infect the website with malware. Malware, short for malicious software, can be used to harm your website and your website visitors, like stealing your customers’ information or unknowingly redirecting them to a malicious website.

How often do I need a vulnerability scan to meet PCI compliance standards?

If you are required to complete a vulnerability scan, then you will need to make sure you complete a scan every 90 days, or once per quarter. For the sake of convenience, it’s recommended you work with a company that can both help you complete your questionnaire and scan your website each quarter to ensure you are regularly complying with all standards.

As an additional security best practice, it’s best to scan your website on a daily basis to help identify vulnerabilities and malware as soon as they hit your website. This way, you never have to worry about whether or not you’re going to meet compliance standards each quarter. This will also ensure your website and customer data are protected from malicious cyber activity each and every day.

Do You Meet the PCI Security Requirements?

As an eCommerce website owner, it is your responsibility to ensure a safe shopping experience for your customers. SiteLock can help you become PCI compliant fast by providing a simplified self-assessment questionnaire. Not only that, but your website can be scanned for vulnerabilities the very same day. Contact SiteLock security experts today to learn more.

Latest Articles
Follow SiteLock