The Ultimate Guide to the eCommerce PCI Compliance

If you’re looking for an ecommerce PCI compliance guide and a PCI DSS checklist, you’re in the right spot and just in time: in this article, we explain everything you need to prepare for PCI compliance before the upcoming release of PCI DSS version 4.0, which is due in the first quarter of 2022. So fasten your seatbelts and let’s get going. Below are the things we are going to cover:

What Is PCI DSS Compliance?

PCI stands for the Payment Card Industry, the financial sector responsible for electronic payments. It covers businesses associated with debit, credit, prepaid, ATM, e-wallet, and POS cards.

PCI DSS stands for the Payment Card Industry Data Security Standard, an information security standard that is mandated by the card brands and administered by the Payment Card Industry Security Council. The PCI DSS was created to increase control over sensitive financial data, reduce credit card fraud, and help businesses handle credit cards from the major card schemes.

The PCI DSS assessment is performed quarterly or annually, and the assessment method depends on the volume of handled transactions:

  • Self-Assessment Questionnaire (SAQ) for smaller volumes
  • External Qualified Security Assessor (QSA) with an Attestation of Compliance (AOC) for moderate volumes
  • Firm-specific Internal Security Assessor (ISA) with a Report on Compliance (ROC) for large volumes

Who Is in Charge of PCI Compliance?

The Payment Card Industry Security Council was formed following the release of version 1.0 of PCI DSS in December 2004, when the five major credit card companies (Visa, MasterCard, American Express, Discover, and JCB), first each on their own and then jointly, realized that there was a pressing need to ensure that online merchants meet a minimum level of security when they handle credit card information.

PCI Compliance Isn’t the Law

It’s important to recognize that the PCI compliance standards are not the law, but rather a combined effort of the principal credit card organizations to align the security protection programs they had developed individually into one comprehensive set of policies. With that said, the PCI DSS applies to any business that handles credit card payments.

Does Every Company Have To Be Compliant?

PCI DSS is mandatory for any company that operates an ecommerce site (online store) and handles credit card data.

Why Is PCI Compliance Important?

Since no business is a hundred percent immune to data compromise and security incidents, it’s important to do everything possible to minimize security risks. This is where the PCI DSS is meant to help: it provides the recommendations, guidance, and control objectives that help merchants reduce their potential attack surface and safeguard payment data.

How to Implement PCI DSS E-commerce Compliance?

The implementation of ecommerce PCI DSS can be accomplished in several ways: you can choose to do it yourself, use the services of a specialized agency, or combine both methods.

Obviously, by delegating PCI DSS compliance to a third-party professional vendor, you’ll offload the major liability without compromising the continuity of your business processes. With that said, third-party services might prove costly.

To save up on those expenses, you might check if your platform’s vendor offers ecommerce PCI compliance services at an extra fee, which might turn out to be cheaper than if you decide to seek those services elsewhere.

Otherwise, you might choose to undergo ecommerce PCI compliance on your own. In that case, you’ll be required to ascertain the security of credit card data, its movement, and storage in all locations. Such assurance requires engineering work to build a secure, compliant environment, as well as audits, and penetration testing.

The E-commerce PCI DSS Levels Requirements

The PCI DSS specifies twelve requirements that are logically organized into six control objectives, which are the following:

  1. Building and maintaining a secure network and systems
  2. Protecting cardholder data
  3. Maintaining a vulnerability management program
  4. Implementing strong access control measures
  5. Monitoring and testing networks on a regular basis
  6. Maintaining an information security policy

While different versions of the PCI DSS each added different subcategories to these objectives, the twelve high-level requirements have remained the same.

12 Requirements of the PCI DSS (six control objectives, twelve high-level requirements)

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Change vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Protect all systems against malware with antivirus software and update antivirus software programs on a regular basis
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data by creating and monitoring access logs
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Create, document, and maintain a policy that addresses information security for all personnel

Within those 12 requirements, there are a whopping 252 sub-requirements, which elaborate each requirement even further. Moreover, each (sub)requirement is divided into three sections:

  • Requirement declaration, which defines the requirement;
  • Testing procedures, which describe how an assessor verifies that the requirement is properly implemented;
  • Guidance, which explains the purpose of the requirement and provides supporting content that helps define it further.

Depending on the number of transactions a business processes within a month, it will need to reach a different level of PCI DSS compliance; the levels differ for merchants and service providers. Since this article covers ecommerce businesses, we’ll go through the four PCI DSS levels for merchants below.

Level 1

PCI DSS Level 1 is the most stringent PCI compliance level. It applies to all merchants that process more than six million Visa or MasterCard transactions per year, regardless of whether they happened in-store, online, or both. It also applies to any merchant that Visa decides should be a Level 1 merchant, and to all payment facilitators that process more than 300,000 transactions per year.

Level 2

Level 2 applies to all merchants that process from one to six million Visa transactions per year, regardless of the processing channel, and all payment facilitators that process less than 300,000 transactions per year.

Level 3

Level 3 applies to all merchants that process from 20,000 to one million Visa ecommerce transactions per year.

Level 4

Level 4 applies to any merchant that processes fewer than 20,000 Visa ecommerce transactions per year, or any merchant that processes up to one million Visa transactions per year, regardless of the processing channel.

PCI DSS Compliance Levels for Merchants

Our Checklist for PCI Compliance for E-commerce Companies

For a quick ecommerce PCI Compliance checklist, look through the below suggestions, which will give you an idea of how and where to get started:

  1. Understand which compliance level applies to your company.
  2. Understand the lifecycle of cardholders’ data within your company, systems, partners, and third-party vendors.
  3. Prepare protocols, policies, and processes for privacy and compliance and ensure they are up to date.
  4. Establish accountability within your company and appoint a Data Protection Officer (DPO).
  5. Define who has access to data: examine roles and access controls for both personnel and vendors.
  6. Provide compliance training for all personnel.
  7. Test your security systems on a regular basis.
  8. Execute a vulnerability management program and have response plans in case of data breaches.
  9. Perform an external security audit to verify the points of access to cardholder data.
  10. Enforce physical and technical safeguards.

Going through the above checklist will prepare you just in time for the release of the new PCI DSS, version 4.0, which is due in the first quarter of 2022. The new version covers a range of evolving payment environments and technologies that help achieve better security. While the main objective of the PCI DSS 4.0 remains the same, the new version places greater emphasis on security as a continuous process and promotes fluid data management practices that integrate with the company’s overall security posture.

What Happens if You are Not Compliant?

Since the exposure of sensitive data and credit card information remains a persistent threat that affects everything from massive corporations to small businesses, non-compliance is not an option. With that said, businesses might still voluntarily or involuntarily fail to meet the compliance requirements. Failure to comply can lead to unexpected losses and, more importantly, to the revocation of card processing services. Below, we’ll go through a few consequences that can result from failing to comply with the ecommerce PCI DSS.

PCI Non-Compliance Fines

Penalty fines can range from $5,000 to $100,000 per month and can be increased based on how long a company stays non-compliant. The fines are levied based on compliance violations and not necessarily data breaches (which almost always stem from non-compliance and data infringements).

GDPR (General Data Protection Regulation)

Under GDPR, any business that experiences a data breach involving EU residents’ information must report it to the authorities within 72 hours. In the US, there are similar federal and state laws that aim to protect sensitive customer data.

Suspension of Card Processing

Fines are not the only PCI DSS penalty for non-compliance. Perhaps the most severe is the suspension of the company’s ability to process credit card payments, which is gravely damaging for an ecommerce store.

Mandatory Forensic Examination

If the company is suspected of a data breach, it might be subject to a mandatory forensic examination, which requires hiring a professional forensic auditor that can cost a small business anything from $20,000 to $50,000.

Notification and Credit Monitoring

When a compromise of financial information is suspected, some US states require merchants to notify their customers and provide up to a year’s worth of credit monitoring and counseling to the affected customers.

Liability for Fraud Charges

Customers may claim compensation for incurred damages as a result of a data breach on a merchant’s website, thereby making the merchant fully responsible and liable to pay out the damages.

Credit Card Replacement Costs

Credit card companies may require merchants to pay the costs associated with reissuing credit cards with fees ranging from three to ten dollars per card.

Reassessment for PCI Compliance

To resume accepting card payments, merchants will need to undergo another PCI DSS assessment by an external Qualified Security Assessor (QSA), which is time-consuming and expensive. Since the cost of a PCI compliance audit largely depends on the size of the organization and its card processing methods, the numbers vary, but on average a qualified security assessment from a certified QSA costs around $15,000.

Time and Costs to Reach PCI Compliance

How much time and money does reaching compliance typically take? The cost of a PCI compliance audit largely depends on your company’s setup, and the following variables will likely affect the final price:

  • Business type: the number of processed transactions, level of compliance, merchandise risk levels, environment structure, and so on.
  • Company size: the bigger the organization, the bigger the expenses.
  • Security culture: managerial involvement in security procedures, the aptness of established policies, or lack thereof.
  • Dedicated PCI staff: dedicated team overseeing the security compliance, or lack thereof.
  • Acquiring bank pre-pays: some banks pay for their small merchants’ PCI compliance.

Depending on the above variables, your PCI DSS compliance can cost anything from $300 to $70,000+.

For example, if you’re a small business, your PCI DSS compliance will involve the following costs:

  • Self-Assessment Questionnaire (SAQ): $50-$200
  • Vulnerability scanning: $100-$200 per IP address
  • Training/policy development: $100 per employee
  • Remediation: $100-$10,000 depending on the amount of work

For large businesses, the total cost of PCI DSS might consist of the following expenses:

  • Onsite audit: $40,000
  • Vulnerability scanning: $1,000
  • Penetration testing: $15,000
  • Training/policy development: $5,000
  • Remediation: $10,000-$500,000 depending on the amount of work

How Can I Limit My Costs?

Reducing the scope of ecommerce PCI compliance is the best way to limit the PCI DSS costs. Before you reduce the PCI compliance scope, you first need to understand what the scope is. Sit down and go over the PCI DSS requirements to understand which of them directly apply to your business.

The primary concern of the PCI DSS is the security of the Cardholder Data Environment (CDE). By reducing the size and complexity of your cardholder data environment, you’ll be able to cut down on the total costs associated with PCI DSS compliance. To mitigate such expenses you need to proactively engage in protecting your networks from cybercriminal attacks. The first step is to keep all your software updated on a regular basis and invest in security and compliance training for all employees. Another way to reduce the CDE is to store as little cardholder data as possible, or not to store it at all. If you choose to retain cardholder data, or are obligated to do so by law, then consider utilizing cloud-based tokenization, which replaces sensitive payment card data with a unique identifier, a financially non-sensitive token that cannot be reversed to recover the original card number.
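Tokenization as described above, as an added illustration that is not part of the original article: a minimal token vault that validates a card number (PAN) with the Luhn checksum, keeps the full PAN only inside the vault, and hands the rest of the shop a random token plus a masked display form, so order records, logs, and analytics fall outside the CDE. The in-memory vault, the `PaymentTokenVault` class and its method names are my own assumptions standing in for a real tokenization provider.

```python
import re
import secrets

# Constructed sample PANs (well-known test numbers, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:        # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class PaymentTokenVault:
    """Hypothetical in-memory stand-in for a tokenization provider.

    Only this object ever holds full PANs; everything outside it (orders,
    logs, analytics) sees tokens and masked values, which shrinks the CDE.
    """

    def __init__(self) -> None:
        self._vault: dict[str, str] = {}   # token -> PAN

    def tokenize(self, pan: str) -> tuple[str, str]:
        if not luhn_valid(pan):
            raise ValueError("PAN failed format/Luhn validation")
        # Random token: no mathematical relationship to the PAN, so it
        # cannot be reversed without access to the vault.
        token = "tok_" + secrets.token_hex(16)
        self._vault[token] = pan
        return token, mask_pan(pan)

    def detokenize(self, token: str) -> str:
        """Only the payment-processing path inside the CDE should call this."""
        return self._vault[token]
```

In a real deployment the vault is the provider’s service, reached over an authenticated channel, and `detokenize` is never exposed to the storefront.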

6 Types of Security Breaches PCI Compliance Protects Against

Malware: Criminals use malicious software to infiltrate a victim’s computer. Malware becomes ransomware if hackers keep data hostage in exchange for money.

Phishing: Phishing emails are the standard delivery vehicle for viruses and malware. While looking legitimate, these emails contain malicious links that can infect a computer.

Remote Access: Weak remote access controls can help hackers get into the system and exfiltrate payment card data.

Weak Passwords: More than 80% of data breaches involve stolen passwords, so using a strong, case-sensitive password with special symbols is a must.

Outdated Software: Outdated technology makes it easy for cybercriminals to penetrate your system. Vendor-supplied security patches and updates are essential for fending off the latest malware.

Installing a firewall, regularly updating your antivirus programs, changing supplier defaults, using strong passwords, and keeping your network safe from unauthorized access protect you from cybercriminal attacks.

Marina Vorontsova
Technical author and eCommerce advocate