
What is PCI Data Security Standard

You are about to run your online business but don’t know much about website security. What should you do, and what shouldn’t you do? In this blog, we talk about the online payment security rules for businesses. Any company that processes or interacts with credit cards needs to be fully aware of the PCI Data Security Standard. Merchants are obliged to comply with the PCI guidelines to protect themselves and their customers’ information.

We will go on to explain what PCI DSS is, why it matters to merchants, who has to comply, and the exact requirements for each level of organization. Let’s get started!

What is PCI DSS?

PCI DSS (short for Payment Card Industry Data Security Standard) is a set of security policies and standards aimed at two main purposes:

The administrator of PCI DSS is the Payment Card Industry Security Standards Council (PCI SSC), which was founded on September 7, 2006. The council was established by the major payment card companies, including Visa, MasterCard, American Express, Discover and JCB. By building this council, they wanted to manage the future of the payment card industry, with a strong focus on enhancing payment account security throughout the transaction process.

To read more documents regarding PCI DSS, click here.

Why is PCI DSS Compliance Important?

1. To prevent fraud and theft of customer data

Obviously, when you do not hold customer data on your site, there is no chance for bad guys to steal that information. E-commerce customer data is especially valuable because it gives direct access to your shoppers’ bank accounts, so many attackers are trying to steal and misuse it. Don’t give them the tools and the opportunity to harm your customers as well as your business.

2. To build a trustworthy image for your brand

It is undeniable that PCI DSS compliance makes your brand more trustworthy in customers’ eyes. They will choose to buy from vendors that ensure their information security, and PCI compliance is strong proof of your effort. You can feature your PCI DSS certificate on your website, in your Terms and Conditions or in a blog post so that first-time visitors get a good impression of your credibility. That will encourage them to trust you and make sales faster.

3. To avoid storage of unnecessary data

By not storing customers’ card information on your server, you protect them even further, because an attacker who compromises a single server cannot find everything. The more customers you have, the more data you would otherwise need to collect and manage. Hence, saving costs is another benefit of complying with PCI DSS.

And last but not least, PCI DSS compliance is something you MUST do, so you have no choice but to follow it if you want to grow your business in the long term.

To whom does PCI DSS apply?

PCI DSS applies to ALL organizations, of any business size and with any transaction volume, that accept, transmit or store cardholder data. One noticeable point is that the parties who must comply with PCI DSS are the payment providers and their business customers, not the PCI council itself.

So why can I say that organizations of all sizes have to comply with this standard? PCI compliance is classified into four levels, according to a company’s yearly volume of credit or debit card transactions. These four levels also determine what the corresponding businesses have to do to be compliant.

4 PCI compliance levels

Level 1:

This level applies to merchants with more than six million worldwide credit or debit card transactions each year. Such organizations must undergo an annual audit conducted by an authorized PCI auditor. Moreover, they have to submit to a PCI scan by an Approved Scanning Vendor (ASV) each quarter.

Level 2:

This level applies to businesses processing one to six million credit or debit card transactions per year. These businesses must complete an annual assessment using a Self-Assessment Questionnaire (SAQ). Furthermore, a PCI scan may be required every three months.

Level 3:

This level of PCI compliance applies to organizations with a total card transaction volume between 20,000 and one million per year. They must complete a yearly assessment by submitting the relevant SAQ. A quarterly PCI scan may also be required.

Level 4:

The lowest level of PCI compliance applies to organizations with fewer than 20,000 e-commerce transactions per year, or those that process up to one million real-world transactions. These companies must complete a yearly assessment using the relevant SAQ, and a quarterly PCI scan may also be required.

What are the PCI Standards?

To become compliant with PCI DSS, organizations first need to understand all of the PCI requirements. The standard sets out 12 requirements grouped under 6 goals. All of them are benchmarks that every business must follow.

Goal 1: Build and maintain a secure network
  1. Install and maintain a firewall configuration
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal 2: Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt cardholder data transmitted across public networks
Goal 3: Maintain a vulnerability management program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
Goal 4: Implement strong access control measures
  7. Restrict access to cardholder data on a business need-to-know basis
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal 5: Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal 6: Maintain an information security policy
  12. Maintain a policy that addresses information security

How can I comply with the PCI DSS?

1. Fully understand your payment process

The first and foremost thing to do is to make sure that you know how your payment processing works. Consider every step in that process and whether it is necessary. Normally, a complete payment procedure includes capturing, storing, processing or transmitting card data. If you carry out all of those activities on card data yourself, you should think about how to minimize them. The following two approaches are recommended.

2. Fully outsource to payment service providers

The most secure method is to use a fully hosted solution. That means you outsource your payment transactions to a Payment Service Provider. When card data handling is outsourced, the data is processed separately, outside your environment. As a consequence, all actions from capturing and processing to storage and transmission of card data are entirely removed from your websites.

To-do list if you want to rely on a fully hosted solution:

3. Use web hosting or third-party providers

When you use a web hosting provider or a third-party payment provider that stores, processes and/or transmits cardholder data, that party is classed as a third-party service provider and the following rules apply:

Takeaway

We hope that this blog will help beginners in e-commerce understand the rules on website security, what to do to comply, and how to lead their business in the right direction. PCI DSS is one of the must-follow standards for online merchants. By understanding it, e-commerce stores can prepare properly for compliance. Protecting customers’ data is also a long-term strategy for growing your business.

If you do not have full knowledge and skills to keep your websites secure, you can always find a security agency to help. 
