The Ultimate Guide to the eCommerce PCI Compliance

1. What Is PCI DSS Compliance?
2. How to Implement PCI DSS E-commerce Compliance?
3. Our Checklist for PCI Compliance for E-сommerce Companies
4. What Happens if You are Not Compliant?
5. Time and Costs to Reach PCI Compliance
6. 6 Types of Security Breaches PCI Compliance Protects Against
7. FAQ

PCI means and stands for the Payment Card Industry, a financial sector responsible for all electronic payments. The PCI denotes the debit, credit, prepaid, ATM, e-wallet, and POS card associated businesses.

PCI DSS means and stands for the Payment Card Industry Data Security Standard, an information security standard that is mandated by the card brands and administered by the Payment Card Industry Security Council. The PCI DSS was created to increase control over sensitive financial data, reduce credit card fraud, and help businesses handle credit cards from the major card schemes.

The PCI DSS assessment is performed quarterly or annually by the following methods that depend on the volume of handled transactions:

• Self-Assessment Questionnaire (SAQ) for smaller volumes
• External Qualified Security Assessor (QSA) with an Attestation of Compliance (AOC) for moderate volumes
• Firm-Specific Internal Security Assessor (ISA) with a report on Compliance (ROC) for large volumes

The implementation of ecommerce PCI DSS can be accomplished in several ways: you can choose to do it yourself, use the services of a specialized agency, or combine both methods.

Obviously, by delegating PCI DSS compliance to a third-party professional vendor, you’ll offload the major liability without compromising the continuity of your business processes. With that said, third-party services might prove costly.

To save up on those expenses, you might check if your platform’s vendor offers ecommerce PCI compliance services at an extra fee, which might turn out to be cheaper than if you decide to seek those services elsewhere.

Otherwise, you might choose to undergo ecommerce PCI compliance on your own. In that case, you’ll be required to ascertain the security of credit card data, its movement, and storage in all locations. Such assurance requires engineering work to build a secure, compliant environment, as well as audits, and penetration testing.

For a quick ecommerce PCI Compliance checklist, look through the below suggestions, which will give you an idea of how and where to get started:

1. Understand which compliance level applies to your company.
2. Understand the lifecycle of cardholders’ data within your company, systems, partners, and third-party vendors.
3. Prepare protocols, policies, and processes for privacy and compliance and ensure they are up to date.
4. Establish accountability within your company and appoint a Data Protection Officer (DPO).
5. Define who has access to data: examine roles and access controls for both personnel and vendors.
6. Provide compliance training for all personnel.
7. Test your security systems on a regular basis.
8. Execute a vulnerability management program and have response plans in case of data breaches.
9. Perform an external security audit to verify the points of access to cardholder’s data.
10. Enforce physical and technical safeguards.

Going through the above checklist will prepare you just in time for the release of the new PCI DSS, version 4.0, which is due in the first quarter of 2022. The new version covers a range of evolving payment environments and technologies that help achieve better security. While the main objective of the PCI DSS 4.0 remains the same, the new version places greater emphasis on security as a continuous process and promotes fluid data management practices that integrate with the company’s overall security posture.

Since the exposure of sensitive data and credit card information remains a persistent threat that victimizes everything from massive corporations to small businesses, non-compliance is not an option. With that said, businesses might still voluntarily or involuntarily fail to meet the compliance requirements. Failure to comply can lead to unexpected losses and, what’s more important, the card processing services being revoked. Below, we’ll go through a few consequences that can result from the failure to comply with the ecommerce PCI DSS.

How much time and costs are typically involved in reaching compliance? The cost of a PCI Compliance audit largely depends on your company’s setup where the following variables will likely affect the final price:

• Business type: a number of processed transactions, level of compliance, merchandise risk levels, environment structure, and so on.
• Company size: the bigger the organization, the bigger the expenses.
• Security culture: managerial involvement in security procedures, the aptness of established policies, or lack thereof.
• Dedicated PCI staff: dedicated team overseeing the security compliance, or lack thereof.
• Acquiring bank pre-pays: some banks pay for their small merchants’ PCI compliance.

Depending on the above variables, your PCI DSS compliance can cost anything from $300 to $70,000+.

For example, if you’re a small business, your PCI DSS compliance will involve the following costs:

• Self-Assessment Questionnaire (SAQ): $50-$200
• Vulnerability scanning: $100-$200 per IP address
• Training/policy development: $100 per employee
• Remediation: $100-$10,000 depending on the amount of work

For large businesses, the total cost of PCI DSS might consist of the following expenses:

• Onsite audit: $40,000
• Vulnerability scanning: $1,000
• Penetration testing: $15,000
• Training/policy development: $5,000
• Remediation: $10,000-$500,000 depending on the amount of work

Malware: Criminals use malicious software to infiltrate a victim’s computer. Malware becomes ransomware if hackers keep data hostage in exchange for money.

Phishing: Phishing emails are the standard delivery vehicle for viruses and malware. While looking legitimate, these emails contain malicious links that can infect a computer.

Remote Access: Weak remote access controls can help hackers get into the system and transmit payment card data.

Weak Passwords: More than 80% of data breaches involve stolen passwords, so using a strong case sensitive password with special symbols is a must.

Outdated Software: Outdated technology makes it easy for cybercriminals to penetrate your system. Vendor supplied security patches and updates are essential for fending off the latest malware.

Installing a firewall, regularly updating your antivirus programs, changing supplier defaults, using strong passwords, and keeping your network safe from unauthorized access protect you from cybercriminal attacks.