The Ultimate Guide to the eCommerce PCI Compliance

If you’re looking for an ecommerce PCI compliance guide and a PCI DSS checklist, you’re in the right spot and just in time: in this article, we explain everything you need to prepare for PCI compliance before the upcoming release of PCI DSS version 4.0, which is due in the first quarter of 2022. So fasten your seatbelts and let’s get going.

What Is PCI DSS Compliance?

PCI stands for the Payment Card Industry, the financial sector responsible for electronic card payments. The PCI covers businesses associated with debit, credit, prepaid, ATM, e-wallet, and POS cards.

PCI DSS stands for the Payment Card Industry Data Security Standard, an information security standard mandated by the card brands and administered by the PCI Security Standards Council. The PCI DSS was created to increase control over sensitive financial data, reduce credit card fraud, and help businesses handle cards from the major card schemes.

The PCI DSS assessment is performed quarterly or annually, and the assessment method depends on the volume of transactions handled:

  • Self-Assessment Questionnaire (SAQ) for smaller volumes
  • External Qualified Security Assessor (QSA) producing an Attestation of Compliance (AOC) for moderate volumes
  • Firm-specific Internal Security Assessor (ISA) producing a Report on Compliance (ROC) for large volumes

Who Is in Charge of PCI Compliance?

The PCI Security Standards Council was formed following the release of PCI DSS version 1.0 in December 2004, when the five major card brands (Visa, MasterCard, American Express, Discover, and JCB) realized, first individually and then jointly, that there was a pressing need to ensure that online merchants meet a minimum level of security when handling credit card information.

PCI Compliance Isn’t the Law

It’s important to recognize that the PCI compliance standards are not the law, but rather a combined effort of the principal credit card organizations to align the security protection programs they had developed individually into one comprehensive set of policies. With that said, the PCI DSS applies to any business that handles credit card payments.

Does Every Company Have To Be Compliant?

PCI DSS is mandatory for any company that operates an ecommerce site (online store) and handles credit card data.

Why Is PCI Compliance Important?

Since no business is 100 percent immune to data compromise and security incidents, it’s important to do everything possible to minimize security risk. This is where the PCI DSS is meant to help: it provides the recommendations, guidance, and control objectives that help merchants reduce their attack surface and safeguard payment data.

How to Implement PCI DSS E-commerce Compliance?

The implementation of ecommerce PCI DSS can be accomplished in several ways: you can choose to do it yourself, use the services of a specialized agency, or combine both methods.

Obviously, by delegating PCI DSS compliance to a third-party professional vendor, you’ll offload the major liability without compromising the continuity of your business processes. With that said, third-party services might prove costly.

To save on those expenses, check whether your platform’s vendor offers ecommerce PCI compliance services for an extra fee, which might turn out to be cheaper than seeking those services elsewhere.

Otherwise, you might choose to undergo ecommerce PCI compliance on your own. In that case, you’ll be required to assure the security of credit card data wherever it is processed, transmitted, and stored. Such assurance requires engineering work to build a secure, compliant environment, as well as audits and penetration testing.

E-commerce PCI DSS Requirements and Levels

The PCI DSS specifies twelve requirements that are logically organized into six control objectives, which are the following:

  1. Building and maintaining a secure network and systems
  2. Protecting cardholder data
  3. Maintaining a vulnerability management program
  4. Implementing strong access control measures
  5. Monitoring and testing networks on a regular basis
  6. Maintaining an information security policy

While different versions of the PCI DSS each added different subcategories to these objectives, the twelve high-level requirements have remained the same.

12 Requirements of the PCI DSS, grouped by control objective

Build and maintain a secure network and systems
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Change vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program
  5. Protect all systems against malware with antivirus software and update antivirus programs on a regular basis
  6. Develop and maintain secure systems and applications

Implement strong access control measures
  7. Restrict access to cardholder data by business need to know
  8. Identify and authenticate access to system components
  9. Restrict physical access to cardholder data

Regularly monitor and test networks
  10. Track and monitor all access to network resources and cardholder data by creating and monitoring access logs
  11. Regularly test security systems and processes

Maintain an information security policy
  12. Create, document, and maintain a policy that addresses information security for all personnel

Within those 12 requirements, there are a whopping 252 sub-requirements, which elaborate each requirement further. Moreover, each (sub)requirement is divided into three parts:

  • Requirement declaration, which defines the requirement;
  • Testing procedures, which describe how an assessor verifies that the requirement is properly implemented;
  • Guidance, which explains the core purpose of the requirement and gives context that helps interpret it.

Depending on the number of transactions a business processes per year, it will need to meet a different PCI DSS compliance level, and the levels differ for merchants and service providers. Since this article covers ecommerce businesses, we cover the four PCI DSS levels for merchants and elaborate on them below.

Level 1

PCI DSS Level 1 is the most stringent PCI compliance level. It applies to all merchants that process more than six million Visa or MasterCard transactions per year, regardless of whether they happened in-store, online, or both; to any merchant that Visa decides should be a Level 1 merchant; and to all payment facilitators that process more than 300,000 transactions per year.

Level 2

Level 2 applies to all merchants that process from one to six million Visa transactions per year, regardless of the processing channel, and to all payment facilitators that process fewer than 300,000 transactions per year.

Level 3

Level 3 applies to all merchants that process from 20,000 to one million Visa ecommerce transactions per year.

Level 4

Level 4 applies to any merchant that processes fewer than 20,000 Visa ecommerce transactions per year, or any merchant that processes up to one million Visa transactions per year, regardless of the processing channel.

PCI DSS Compliance Levels for Merchants

Our Checklist for PCI Compliance for E-commerce Companies

For a quick ecommerce PCI Compliance checklist, look through the below suggestions, which will give you an idea of how and where to get started:

  1. Understand which compliance level applies to your company.
  2. Understand the lifecycle of cardholders’ data within your company, systems, partners, and third-party vendors.
  3. Prepare protocols, policies, and processes for privacy and compliance and ensure they are up to date.
  4. Establish accountability within your company and appoint a Data Protection Officer (DPO).
  5. Define who has access to data: examine roles and access controls for both personnel and vendors.
  6. Provide compliance training for all personnel.
  7. Test your security systems on a regular basis.
  8. Execute a vulnerability management program and have response plans in case of data breaches.
  9. Perform an external security audit to verify the points of access to cardholder’s data.
  10. Enforce physical and technical safeguards.

Going through the above checklist will prepare you just in time for the release of the new PCI DSS, version 4.0, which is due in the first quarter of 2022. The new version covers a range of evolving payment environments and technologies that help achieve better security. While the main objective of the PCI DSS remains the same in 4.0, the new version places greater emphasis on security as a continuous process and promotes flexible data management practices that integrate with the company’s overall security posture.

What Happens if You are Not Compliant?

Since the exposure of sensitive data and credit card information remains a persistent threat to everything from massive corporations to small businesses, non-compliance is not an option. Even so, businesses might still, deliberately or not, fail to meet the compliance requirements. Failure to comply can lead to unexpected losses and, more importantly, to card processing services being revoked. Below, we go through a few consequences that can result from failing to comply with the ecommerce PCI DSS.

PCI Non-Compliance Fines

Penalty fines can range from $5,000 to $100,000 per month and can increase the longer a company stays non-compliant. The fines are levied for compliance violations, not necessarily for data breaches (which almost always stem from non-compliance and data infringements).

GDPR (General Data Protection Regulation)

Under GDPR, any business that experiences a data breach involving EU residents’ information must report it to the authorities within 72 hours. In the US, there are similar federal and state laws that aim to protect sensitive customer data.

Suspension of Credit Card Processing

Fines are not the only PCI DSS penalty for non-compliance. Perhaps the most severe is suspension of the company’s ability to process credit card payments, which is gravely damaging for an ecommerce store.

Mandatory Forensic Examination

If the company is suspected of a data breach, it might be subject to a mandatory forensic examination, which requires hiring a professional forensic auditor and can cost a small business anything from $20,000 to $50,000.

Notification and Credit Monitoring

When a compromise of financial information is suspected, some US states require merchants to notify their customers and provide up to a year’s worth of credit monitoring and counseling to affected customers.

Liability for Fraud Charges

Customers may claim compensation for incurred damages as a result of a data breach on a merchant’s website, thereby making the merchant fully responsible and liable to pay out the damages.

Credit Card Replacement Costs

Credit card companies may require merchants to pay the costs associated with reissuing credit cards with fees ranging from three to ten dollars per card.

Reassessment for PCI Compliance

To resume accepting card payments, merchants will be required to undergo another PCI DSS assessment by an external Qualified Security Assessor (QSA), which is time-consuming and expensive. Since the cost of a PCI compliance audit largely depends on the size of the organization and its card processing methods, the numbers vary, but on average a qualified security assessment from a certified QSA costs around $15,000.

Time and Costs to Reach PCI Compliance

How much time and money does reaching compliance typically take? The cost of a PCI compliance audit largely depends on your company’s setup, where the following variables will likely affect the final price:

  • Business type: the number of processed transactions, compliance level, merchandise risk level, environment structure, and so on.
  • Company size: the bigger the organization, the bigger the expenses.
  • Security culture: managerial involvement in security procedures, the aptness of established policies, or lack thereof.
  • Dedicated PCI staff: dedicated team overseeing the security compliance, or lack thereof.
  • Acquiring bank pre-pays: some banks pay for their small merchants’ PCI compliance.

Depending on the above variables, your PCI DSS compliance can cost anything from $300 to $70,000+.

For example, if you’re a small business, your PCI DSS compliance will involve the following costs:

  • Self-Assessment Questionnaire (SAQ): $50-$200
  • Vulnerability scanning: $100-$200 per IP address
  • Training/policy development: $100 per employee
  • Remediation: $100-$10,000 depending on the amount of work

For large businesses, the total cost of PCI DSS might consist of the following expenses:

  • Onsite audit: $40,000
  • Vulnerability scanning: $1,000
  • Penetration testing: $15,000
  • Training/policy development: $5,000
  • Remediation: $10,000-$500,000 depending on the amount of work

How Can I Limit My Costs?

Reducing the scope of ecommerce PCI compliance is the best way to limit PCI DSS costs. Before you can reduce the scope, you first need to understand what it is: sit down and go over the PCI DSS requirements to understand which of them directly apply to your business.

The primary concern of the PCI DSS is the security of the Cardholder Data Environment (CDE). By reducing the size and complexity of your cardholder data environment, you’ll be able to cut the total costs associated with PCI DSS compliance. To mitigate such expenses you need to proactively protect your networks from cybercriminal attacks; the first step is to keep all your software updated on a regular basis and to invest in security and compliance training for all employees.

Another way to reduce the CDE is to store as little cardholder data as possible, or not to store it at all. If you choose to retain cardholder data, or are obligated to do so by law, consider using cloud-based tokenization, which replaces sensitive payment card data with a unique identifier, a financially non-sensitive token that cannot be reversed into the original card number.
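As an added illustration of the scope-reduction idea above (this is example code written for this guide, not code from any tokenization vendor), the block below shows what stays inside the CDE and what leaves it: a stand-in token vault issues random tokens that have no mathematical relationship to the card number (the assumed `TokenVault` class and `tok_` prefix are this example’s own), the shop’s order record keeps only the token and a masked number, and a small `contains_pan` scanner checks free text such as order notes or logs for anything that looks like a full card number. The Luhn check and the first-six/last-four masking are the standard card-number conventions; the test card number is a constructed sample.

```python
import hmac
import hashlib
import re
import secrets

# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the standard check-digit test for card numbers (13-19 digits)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the usual display-masking rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def contains_pan(text: str) -> bool:
    """Scan free text (logs, order notes, exports) for anything that looks like a real PAN."""
    return any(luhn_valid(re.sub(r"\D", "", m.group())) for m in _PAN_RE.finditer(text))


class TokenVault:
    """Stand-in for a segregated token vault (assumed design): the only place a PAN lives.

    Tokens are random, so a leaked token cannot be reversed; a keyed fingerprint lets the
    vault return the same token for a repeat card without storing a reversible hash."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._pan_by_token = {}
        self._token_by_fingerprint = {}

    def tokenize(self, raw_pan: str) -> str:
        pan = re.sub(r"\D", "", raw_pan)
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        fingerprint = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fingerprint.get(fingerprint)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # no relationship to the PAN
            self._pan_by_token[token] = pan
            self._token_by_fingerprint[fingerprint] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment path inside the CDE should ever call this."""
        return self._pan_by_token[token]


def store_order(vault: TokenVault, raw_pan: str, amount_cents: int) -> dict:
    """What the shop's own database keeps: a token and a masked number, never the PAN."""
    token = vault.tokenize(raw_pan)                 # validates the number as a side effect
    pan = re.sub(r"\D", "", raw_pan)
    return {"token": token, "masked_pan": mask_pan(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(b"constructed-demo-key")
    record = store_order(vault, "4111 1111 1111 1111", 1999)   # constructed sample card number
    print(record)
    print("record leaks a PAN:", contains_pan(str(record["masked_pan"])))
```

The vault object stands in for the tokenization service; in a real deployment it runs in a separately scoped environment and the shop only ever holds the token.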

6 Types of Security Breaches PCI Compliance Protects Against

Malware: Criminals use malicious software to infiltrate a victim’s computer. Malware becomes ransomware when attackers hold data hostage in exchange for money.

Phishing: Phishing emails are the standard delivery vehicle for viruses and malware. While looking legitimate, these emails contain malicious links that can infect a computer.

Remote Access: Weak remote access controls can let attackers into the system, from which they can transmit payment card data out.

Weak Passwords: More than 80% of data breaches involve stolen passwords, so a strong, case-sensitive password with special symbols is a must.

Outdated Software: Outdated technology makes it easy for cybercriminals to penetrate your system. Vendor-supplied security patches and updates are essential for fending off the latest malware.

Installing a firewall, regularly updating your antivirus programs, changing supplier defaults, using strong passwords, and keeping your network safe from unauthorized access protect you from cybercriminal attacks.

FAQ

What Is PCI Compliance Process?

PCI compliance must be an ongoing process to help prevent security breaches and ensure the safety and security of sensitive data and payment card information. PCI compliance is required by the credit card companies and administered by the PCI Security Standards Council, which together aim to keep card transactions secure and data protected against cybercriminal attacks. Although achieving PCI compliance is not required by law, it’s mandatory for any organization that deals with cardholder data.

What Is PCI Compliance Assessment?

A PCI Compliance Assessment is an audit that aims to ensure PCI compliance by merchants who accept, store, and transmit credit card information. During the assessment, a PCI Qualified Security Assessor (QSA) determines and ascertains the merchant’s compliance with the PCI DSS requirements.

What Is a PCI Compliance Test?

A PCI Compliance Test, or pentest, is a cybersecurity assessment that examines the technical and operational system components responsible for handling cardholder data. PCI testing proactively assesses a network’s infrastructure and applications for potential vulnerabilities. PCI penetration tests are an effective security assessment technique, as they replicate the steps a cybercriminal would take to infiltrate the system. Timely pentests help companies maintain secure systems, avoid costly forensic audits, and achieve PCI compliance.

How Do You Check if You Are PCI Compliant?

To check whether you’re PCI compliant, you can complete a PCI Self-Assessment Questionnaire. If you discover that you are not, there are established steps that can help you achieve PCI compliance.

What Is the Role of PCI Data Security Standards in E Business?

PCI Data Security Standards are very important: if you’re operating an ecommerce business and would like to accept credit card payments, then PCI DSS compliance is a must.

Are E Commerce Merchants Required to Comply With the PCI DSS?

Although PCI DSS is not the law, any merchant who accepts credit card payments needs to be PCI compliant.

How Do I Pass PCI Compliance or Make My Website PCI Compliant?

Any merchant account that accepts credit card payments, and all third-party service providers accepting payment data on behalf of the merchant, must complete an annual PCI DSS certification. Since PCI compliance is an ongoing commitment, merchants need to perform PCI scans at least once every quarter to ensure they maintain compliance. A few common-sense steps that mirror the twelve major requirements of the PCI DSS will help prepare your business for a PCI compliance check:

  • Restrict physical access to customer data and limit access to system components
  • Delete unnecessary default accounts, change supplier defaults, and use strong passwords for all accounts
  • Install and maintain firewalls to block access from unknown and foreign entities
  • Maintain and monitor system access logs: failing to record every internal and external user who accessed the system can leave you unable to determine a breach timeline
  • Encrypt all non-console administrative access to prevent attackers from eavesdropping on your network
  • Encrypt data transmitted across multiple channels, such as payment gateways, payment processors, and public networks, to ensure the safety of cardholder data
  • Regularly update antivirus programs to safeguard your systems against the latest malware
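The access-log bullet above (and Requirement 10 in the table earlier in the article) is easier to act on with a concrete monitoring rule in hand. The block below is an added example written for this guide, not part of the article or any vendor’s product: it parses a handful of constructed log lines in a simple `timestamp key=value` format and raises alerts for three conditions a breach timeline would depend on: activity on a CDE host from a source that is not an approved jump host, a burst of failed logins from one source within a sliding window, and a read of the unmasked card-number store by an account not approved for it. The host naming (`cde-` prefix), the jump-host and approved-reader lists, and the `cardholder_pan` object name are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example (not from the article): administrative access to CDE hosts
# (names starting with "cde-") must come from an approved jump host, and only the listed
# accounts may read unmasked card numbers.
JUMP_HOSTS = {"10.0.9.5"}
PAN_READERS = {"bob"}

# Constructed sample log lines in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2024-03-04T09:02:11Z host=cde-app-01 user=alice src=10.0.9.5 action=login result=success
2024-03-04T09:02:40Z host=cde-app-01 user=alice src=10.0.9.5 action=query object=cardholder_tokens result=success
2024-03-04T09:10:03Z host=cde-db-01 user=bob src=10.0.9.5 action=login result=success
2024-03-04T09:10:30Z host=cde-db-01 user=bob src=10.0.9.5 action=query object=cardholder_pan result=success
2024-03-04T11:15:01Z host=cde-db-01 user=root src=203.0.113.77 action=login result=failure
2024-03-04T11:15:04Z host=cde-db-01 user=root src=203.0.113.77 action=login result=failure
2024-03-04T11:15:08Z host=cde-db-01 user=root src=203.0.113.77 action=login result=failure
2024-03-04T11:15:11Z host=cde-db-01 user=root src=203.0.113.77 action=login result=failure
2024-03-04T11:15:15Z host=cde-db-01 user=root src=203.0.113.77 action=login result=failure
2024-03-04T23:41:52Z host=cde-db-01 user=svc_report src=10.0.9.5 action=query object=cardholder_pan result=success
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict with a parsed 'time' field."""
    ts, _, rest = line.strip().partition(" ")
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in rest.split():
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines, jump_hosts=JUMP_HOSTS, pan_readers=PAN_READERS,
           fail_threshold=5, window=timedelta(minutes=10)) -> list:
    """Run the three monitoring rules over the lines and return a list of alert dicts."""
    alerts = []
    failures = defaultdict(deque)      # src -> timestamps of recent failed logins
    reported_sources = set()           # (user, src, host) already alerted on
    reported_bruteforce = set()        # sources already alerted on for a failure burst
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        host, user, src = ev.get("host", "?"), ev.get("user", "?"), ev.get("src", "?")
        when = ev["time"].isoformat()

        # Rule 1: any activity on a CDE host from a source that is not an approved jump host,
        # reported once per user/source/host so a burst does not flood the alert queue.
        if host.startswith("cde-") and src not in jump_hosts:
            key = (user, src, host)
            if key not in reported_sources:
                reported_sources.add(key)
                alerts.append({"rule": "untrusted_source", "user": user, "src": src,
                               "host": host, "time": when})

        # Rule 2: fail_threshold or more failed logins from one source inside the window.
        if ev.get("action") == "login" and ev.get("result") == "failure":
            recent = failures[src]
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= fail_threshold and src not in reported_bruteforce:
                reported_bruteforce.add(src)
                alerts.append({"rule": "brute_force", "user": user, "src": src,
                               "host": host, "time": when})

        # Rule 3: a read of the unmasked card-number store by an account not approved for it.
        if ev.get("object") == "cardholder_pan" and user not in pan_readers:
            alerts.append({"rule": "unauthorized_pan_access", "user": user, "src": src,
                           "host": host, "time": when})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample lines this produces three alerts: one for the unknown source reaching the database host, one when that source’s fifth failed login lands inside the ten-minute window, and one for the reporting account reading the card-number store. The rules are deliberately simple; what matters for the checklist item is that every access event is recorded with a timestamp, user, source, and object, because that is what makes the timeline reconstructable afterwards.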

Is Shopify PCI compliant?

Yes, Shopify has been a compliant Level 1 service provider under PCI DSS since 2011. 

What’s at the Heart of the PCI DSS?

The goal of the PCI DSS is to ensure all companies dealing with credit card information maintain a secure environment that protects cardholder data.

Are the PCI DSS Rules Enough To Keep My Site Safe From Any and All Threats?

Compliance with the PCI DSS rules should be enough to prove your website is secure and customers can trust you with their payment card information. However, because of the constantly evolving technology, you need to be at the forefront of your own security and go beyond basic standards while monitoring potential threats to your system on a regular basis.

Does It Matter Which E-commerce or CMS Platform We Need To Keep Compliant?

While ultimately, it doesn’t matter which ecommerce platform you choose for your ecommerce business, ensure that it uses modern technologies and can integrate with different payment providers and processors. Some platform vendors offer PCI compliance guidance, but many more do not. If assistance with PCI Compliance is your priority, choose a vendor who can help.

Does PCI Compliance Stop and End With Hosting?

While hosting is an important factor, it’s not the only factor. There are many other steps involved in ensuring and maintaining PCI DSS compliance, which we’ve covered in detail in this article.

We Only Do E-commerce. Which SAQ Should We Use?

To understand which SAQ to use, read through the descriptions the PCI Security Standards Council gives for each SAQ category.

My Company Doesn’t Store Credit Card Data So PCI Compliance Doesn’t Apply to Us, Right?

Whether you store credit card information or not, if you process it, then PCI Compliance applies to you. However, if you don’t store data, becoming PCI compliant might be easier for you.

What Is a Vulnerability Scan?

A vulnerability scan is an automated test that scans a system for, and reports, potential vulnerabilities. Companies use vulnerability scans to monitor systems, networks, applications, and procedures for security weaknesses.


Marina Vorontsova, technical author and eCommerce advocate