If you’ve been contacted by your bank or financial institution lately only to discover that your credit card information has been compromised, then you’ve felt the growing frustration many consumers face today.
Indeed, the situation with respect to credit card fraud appears to be a reoccurring issue.
Dealing with a compromise is a time-consuming hassle from both a consumer's and merchant's perspective. This is mainly because many of us maintain large numbers of supposedly secure personal online profiles that afford us a convenient way to deal with recurring monthly or annual payments.
How can we be sure that these online service providers, who so readily accept and retain our credit card information, are taking the appropriate measures to secure it?
This is the purpose of the Payment Card Industry Data Security Standard (PCI DSS) — and every retailer is required to comply.
Depending on the ecommerce technology and backend a retailer uses, PCI compliance can be an easy check on a long list of things retailers need to do to ensure their customers are transacting securely. It can also become a significant pain if not done correctly — costing ample time, resources and money.
Unfortunately, the difficulties in compliance primarily come from a lack of knowledge.
According to an April 2019 survey conducted among adults in the United States, only 58 percent of respondents stated they had never heard of the Payment Card Industry Data Security Standard (PCI-DSS). Furthermore, only 16 percent of respondents reported knowing the basics of the standard.
By understanding what the PCI DSS requirements are and what it can do for your business, organizations can get ahead of potential threats — as well as significant fines — all while protecting their customers’ best interests.
In this guide, you’ll learn:
Below are the 12 High-Level Requirements Mandated by the PCI DSS.
PCI DSS are standards all businesses that transact via credit card must abide by.
Originally created by Visa, MasterCard, Discover and American Express in 2004, the Payment Card Industry Data Security Standard (PCI DSS) has evolved over the years to ensure that online sellers have the systems and processes in place to prevent a data breach.
The most recent version is PCI DSS 4.0. Version 4.0 was scheduled to be released in March 2022 and replace Version 3.2.1.
The PCI Security Standards Council (PCI SSC) defines a series of specific Data Security Standards (DSS) relevant to all merchants, regardless of revenue and credit card transaction volumes. Achieving and maintaining PCI compliance is the ongoing process an organization undertakes to ensure that they adhere to the security requirements as defined by the PCI SSC.
The SSC defines and manages the standards, while the credit card companies enforce compliance.
These standards apply to all organizations that deal with cardholder data. Cardholder data refers specifically to the credit card number, along with cardholder name, expiration date and security code (CSC).
In total, PCI DSS outlines 12 requirements for compliance. Twelve requirements may not sound like much. A quick scan for PCI compliance documentation online can lead you to believe that PCI compliance is easy.
In reality, maintaining PCI compliance is extremely complex — especially for large enterprises. It means you need to comply with a total of 251 sub-requirements across the 12 requirements outlined in PCI DSS 4.0 to address the growing threats to customer payment security.
Data breaches are becoming increasingly common for all businesses, including retailers.
In 2005, Walmart had a serious security breach targeting their point-of-sale systems.
An earlier internal audit revealed thousands of customer card numbers and other personal data had been found on their servers in unencrypted form.
This data may have been compromised during the breach, although that has not been officially confirmed.
Other instances include:
Any company that works with ecommerce development will inevitably deal with credit card security issues, whether from cardholder data stored in plain text files without any encryption to basic obfuscation residing under a CFO’s desk in a dusty PC dating back to the late 1990s.
While these sorts of practices may come from negligence, most issues regarding credit cards arise from unintentional ignorance.
Organizations that work with credit cards must prioritize credit card cybersecurity. The difference between a secure payment system and an unsecured one is significant and can affect the very ways that you do business. Don’t neglect it until it becomes an issue.
If you operate your on-premise or self-hosted cloud commerce solution, the short answer is yes.
Ecommerce PCI compliance is essential whether you run a single brick-and-mortar retail location or you are a large organization selling goods across multiple stores and ecommerce sites — anywhere that your credit card merchant account has been connected and integrated requires attention.
All credit card transaction volumes your organization processes are aggregated across multiple channels — e.g., in-store retail point-of-sale terminals and online payment gateways — and summed up to determine an appropriate PCI compliance level.
What this means is that a large international retail chain handling 6 million transactions per year will still be considered a Level 1 merchant — the strictest level — and will be held to the highest of PCI compliance standards, even if their related ecommerce store processes are less than 500 sales orders per month.
Fortunately, if you operate a SaaS-based ecommerce store and do not have any access to any credit cardholder data, your need for PCI compliance is significantly mitigated.
SaaS solutions like BigCommerce take care of the vast majority of the steps toward ecommerce PCI compliance for any customer on the platform.
While on-premise solutions may give organizations more flexibility and familiarity, SaaS platforms are highly customizable and significantly more cost-effective — all while providing businesses with the compliance experts you need.
If you host and manage your own ecommerce platform, you will need to ensure PCI compliance for your organization.
The first step is to determine the required compliance level. All merchants fall into one of four levels based upon credit or debit card transaction volume over a 12-month period.
Level 1 is the strictest in terms of DSS requirements, whereas Level 4 is the least severe:
Almost all small and medium-sized businesses (SMBs) classify as Level 3 or Level 4 merchants. However, this does not mean that they shouldn't maintain compliance with the same diligence as larger organizations.
In fact, it's a costly misconception encountered among SMBs who believe they do not need to worry about compliance because they don't have a significant enough volume of online or in-store sales.
Non-compliance is equally as costly as a breach, in which you are required to assess to the Level 1 standard for the next year, including an on-site audit.
PCI is not, in itself, a law. It’s a standard created by the major card brands, including Visa, MasterCard, Discover, AMEX and JCB.
The credit card companies typically do not directly manage payment processing functions themselves but rely on third-party processors — such as Chase Paymentech or Moneris Solutions — to handle the transactional services.
Merchants that do not comply with PCI DSS and are involved in a credit card breach may be subject to fines, card replacement costs or costly forensic audits.
The credit card companies, at their discretion, are the ones who administer fines to the merchant’s bank or similar financial institution, known as the acquirer, and can range between $5,000 – $500,000 per month for PCI compliance violations or breaches.
The bank/acquirer, in turn, passes the fines downstream until it eventually hits the merchant.
On top of fines originating from credit card companies, merchants may be subject to additional penalties from their bank.
Banks and payment processors may terminate their relationship with the merchant altogether or simply increase per-transaction processing fees and require the merchant to pay for the replacement of the credit cards that have been compromised in the originating beach.
What’s arguably even worse is that the bank or processor may require the merchant to move up a level in compliance if they are breached, making the adherence requirements all the more onerous on the merchant moving forward.
Penalties are not openly discussed nor widely publicized but can be catastrophic to a business.
It is important to be familiar with your credit card merchant account agreement(s), which should thoroughly outline your exposure.
As summarized in the next chapter, the full PCI DSS (data security standard) is a technical subject to cover. Most of the topics found deal with maintaining a professional data storage solution.
It includes information on securing an internal hosting network, adequately protecting the transmission of cardholder data, implementing strong access control measures, managing data protection policies, executing a vulnerability management program, and performing an external security audit.
It also provides detailed instructions on how to complete your own PCI Self-Assessment Questionnaire.
In short, if you’re an online-only merchant that does not have a physical retail store, but you accept, retain or transmit credit card data through your self-hosted ecommerce store — via open-source platforms such as OpenCart, ZenCart, Magento, etc. — you should familiarize yourself with the PCI Security DSS and understand your required compliance level.
Consider hiring a qualified external party who is well versed in PCI subject matter and can provide an objective opinion on achieving compliance for your organization specifically. PCI compliance is its own entire universe of complexity, and many organizations don’t have the internal resources qualified enough to delve into its bowels. We also recommend obtaining an independent adoption consultant along with a Qualified Security Assessor (or QSA). PSC is one such QSA partner who can provide detailed guidance on compliance and act as an independent auditor to test your internal security.
Any business that processes, stores or transmits information from a credit or debit card is required to be compliant with PCI DSS.
For ecommerce organizations that accept credit cards, noncompliance isn’t possible if only because credit card payments are critical for the success of an online business. The PCI DSS efforts to prevent credit card fraud are especially important for the online sphere, as a significant data breach could be crippling for any SMBs.
The following section highlights how PCI DSS compliance works with the three primary ecommerce platforms:
As open source platforms continue to grow in popularity, it is no surprise that open source security has begun to question. The software industry has failed to protect the public from data theft and breaches, which is why the PCI DSS has become so critical for organizations.
Open source issues have become so prevalent that PCI addressed it directly. In section 3.2b of the PCI Secure SLC document, the guidelines state:
Where open-source software components are utilized as part of the software, the assessor shall examine vendor evidence, including process documentation and assessment results to confirm these components are managed as follows:
Many Software as a Service (SaaS) platforms and providers are now involved in transmitting and storing credit or debit card data.
While they may not be processing the actual data themselves, the fact that it passes through their system is more than enough to fall under the careful eye of PCI DSS compliance.
To ensure PCI compliance, Saas platforms should look to prioritize the following:
SaaS platforms must take care to have direct and explicit information security policies and procedures in place. Organization is key here — you want to be able to point to the processes in place in the event of a data breach or security issue.
Similarly, documentation is critical for SaaS. PCI compliance demands in-depth policies and procedures. Organizations need to be able to log all of the information they have related to payment data, and it needs to be readily available for review.
The more documentation a business has, the fewer potential gray areas it will have to deal with.
Lastly, a significant part of PCI compliance for SaaS platforms is the assessment of risk for cloud computing providers. PCI DSS requires that SaaS providers perform an annual risk assessment to review for any potential threats.
Knowing what to watch out for is half of the battle. Every business faces a different set of challenges and threats, depending on industry, size or location. By setting yourself up for success, you can prevent broader security issues.
Headless platforms work primarily by separating the frontend storefront from the backend commerce services.
PCI compliance comes into play in the connection of the frontend with the backend, particularly in regards to card payment. If a customer enters the wrong credit card information at the frontend, then the backend should reject the transaction.
What the PCI regulations ask in an instance like this is, instead of triggering a specific message on why the transaction failed, the frontend should create a general message about invalid information.
Why is that? If the goal is to prevent fraud ultimately, businesses should do their best to lessen the chance of fraud whenever possible. Instead of giving fraudulent customers an area in which to make an educated guess, you're simply making sure they're aware of an issue.
Data breaches and credit card fraud can ruin a business' bottom line and reputation. Businesses can set themselves up for success and prevent potential risk by ensuring the front-end and backend are as harmonious as possible.
The PCI DSS contains common-sense general data security best practices for any system administration team used to hosting sensitive corporate information in a modern, secure network environment.
The trouble in reaching compliance begins when an organization does not have experienced enough internal IT/IS departments. Unfortunately, it can discover that their internal hosting environment is wildly insecure and susceptible to internal snooping by their staff or wide open to outside intrusion.
Every organization aiming to achieve PCI compliance begins in the same place.
There are three steps in the journey to adhering to the PCI DSS and becoming compliant:
Perform an audit to identify the cardholder data you are responsible for, take an inventory of your IT assets and business processes for payment card processing and analyze them for vulnerabilities that could expose sensitive cardholder data.
Fix the vulnerabilities you discover in priority sequences. Ideally, move away from storing cardholder data at all unless you need to. Many organizations store cardholder data within their homegrown ecommerce platforms after taking a one-off guest checkout order with no intention of using the information again. In this case, why hold onto it at all?
Only a merchant looking to set up recurring billing may need to retain cardholder data themselves. We’ve often found that B2C ecommerce merchants typically don’t need to support recurring billing profiles.
Wherever and whenever cardholder data can be stored by a qualified external body instead of your organization is ideal because nothing will help reach immediate PCI compliance more quickly than not storing or transmitting cardholder data at all.
Compile and submit required remediation validation records if applicable, and submit compliance reports to the acquiring bank and card brands — i.e., Visa, Mastercard, Amex, etc. — with which you do business.
If you are a Level 3 or Level 4 merchant, the PCI DSS provides you the option of doing an internal assessment, whereby a qualified staff member or corporate officer from your organization can perform their own audit and sign-off to produce a formal PCI DSS Attestation of Compliance package indicating such.
The first steps are to determine your required compliance level and then download and review the appropriate Self-Assessment Questionnaire (SAQ) found on the PCI SSC Website.
There are different SAQs for each merchant level and additional related DSS Attestation of Compliance forms for each level.
Before you venture down this path and attempt to download your SAQ and get started, you’ll need first to digest a six-page document to figure out which SAQ form to use in the first place.
While reading, you can refer to the lengthy PCI glossary of acronyms and technical jargon related to the subject.
According to the PCI SSC themselves, the easiest thing to do here is to contact your merchant bank and have them help you identify which specific documents you need to use.
This is an essential step, as they will often point out deviances in the standard PCI DSS they feel may apply in your case.
Level 3 merchants require quarterly external vulnerability scans by an ASV (Approved Scan Vendor). A list of ASVs can be found here and include such companies as Cisco Systems Inc, Alert Logic, Inc and Backbone Security, Inc.
Completing a self-assessment questionnaire for Level 3 and Level 4 merchants is based upon the honor system, much like completing your income tax return.
It’s tempting for organizations to guess their way through some answers or outright fabricate them to avoid the human and physical resource expenditures required to correct vulnerabilities. Many frankly don’t understand some of the items on the SAQ, to begin with.
That said, don’t be dishonest or misrepresent information on the SAQ. If you have a data security breach and your documents come under scrutiny, you can be fined heavily, and, in the worst case, your merchant account(s) can be dropped by your bank/financial institution.
The SAQ is a relatively short document (i.e., five or six pages long) and can itself be completed in a number of hours by someone qualified within your organization.
The work getting to that point comes into play when attempting to answer the SAQ questions truthfully and thoroughly and in a manner that will achieve compliance.
In so doing, an organization will doubtlessly encounter some significant technical challenges.
Below is a quick outline of what you can expect:.
Even if credit card data passes through your self-hosted (i.e., non-SaaS) ecommerce platform, you are still on the hook for ensuring that any related servers you control — be it your database server, PoS system software, credit card processing terminal, utility server or internet application server — are sufficiently secure and compliant.
Each server that cardholder data is stored inside or transmitted through is termed a cardholder data environment (CDE) and requires:
Physical servers need to be continually patched against newly discovered security vulnerabilities. Consider various security exploits that have arisen recently, such as HEARTBLEED, POODLE and Logjam.
Transport layer security (TLS) — sometimes referred to as SSL – is the underlying encryption protocol for secure data transmission over the Internet. It is the “S” in HTTPS. Your web application or ecommerce platform that is processing credit or debit cards also needs to be secured against client-side (i.e., web browser) code exploits such as XSS and SQL Injection Attacks.
On average, our experienced systems administration team will spend three to four business days securing a single server and preparing the appropriate documentation for a Level 3 or Level 4 merchant.
When factoring in time and the merchant’s staffing resources, the costs for doing so can be significant.
Merchants attempting to reach PCI compliance themselves without support from an outside partner and are already themselves adept at dealing with data security subject matter, can
expect to spend upward of 3-4 weeks performing the following tasks:
For complex undertakings involving more than one onsite data center and where a merchant is capturing and retaining cardholder data, budget at least six weeks in your project plan and estimate extensive costs to reach compliance.
The above estimate factors some time for multiple staff within your organization that usually involves a multidisciplinary group of:
It also considers some budget for outside consultant/auditor fees and provision to hire a third-party Qualified Security Assessor.
Note that our estimate does not factor in any additional costs related to purchasing new server racks, upgrading computer systems, adding new software licenses and installing access control systems — such as staff ID card systems — or any other physical expenses that may be required to achieve compliance.
PCI DSS compliance can be a hassle for companies, as it is difficult and time-consuming. However, PCI compliance is ensured with the customer in mind, giving you peace of mind and keeping your business free from data breaches and violations.
If PCI compliance benefits won’t convince some companies, then the potential risks will do the trick. Non-compliance can lead to many different consequences, including:
PCI non-compliance can result in significant monetary fines, ranging from $5,000 to $500,000 per month by various credit card companies. The penalties depend on the volume of clients and transactions, and which level of PCI compliance a company should be on.
These fines are referred to simply as “PCI non-compliance fees.”
If a company decides to remain PCI non-compliant, there is a significant chance that they won’t be able to use credit cards for any payments within their system. For an online or ecommerce-based organization, that could be a death knell.
If a company is suspected of non-compliance, or if a company is dealing with alleged breaches in their security system, a Common Point of purchase (CPP) notice could be issued.
What this means is that a company will have a limited amount of time to resolve their credit issues and compliance, all while being reviewed by a PCI investigator.
A weak or non-compliant security system is a prime target for online fraud, opening up your company and customers to potentially stolen payment data and personal information.
While PCI DSS compliance does not prevent data breaches, companies that are compliant and suffer a data breach face significantly lower fines than if they were non-compliant.
According to a study by the Ponemon Institute, the average cost of a breach is $150 per record. For larger companies, that can lead to brutal, debilitating fines.
The key difference between PCI DSS compliance and privacy regulations such as GDPR is that PCI’s primary focus is on security concerns, whereas GDPRO focuses on privacy concerns.
Where the two interact is with data breaches. Anytime a cardholder or customer’s data is exposed, it is considered a breach of both PCI DSS and GDPR.
In the case of a data breach, instead of simply receiving a fine from PCI or GDPR, companies under GDPR could be facing significant penalties from both organizations.
A company’s ecommerce PCI compliance level is determined by their number of transactions processed annually.
Organizations must know what their level is and what can happen due to a data breach. If a merchant suffers a data breach, that can cause them to be escalated to a higher level.
The PCI Compliance levels are organized into the following four tiers:
Level 1 merchants include:
Merchants who are considered Level 1 must:
Level 2 merchants include:
Merchants who are considered Level 2 must:
Level 3 merchants include:
Merchants who are considered Level 3 must:
Level 4 merchants include:
Merchants who are considered Level 4 must:
You can acquire ecommerce software in different ways:
Each approach strikes a different balance between your costs, benefits and ecommerce PCI risks and workload. The table sums up the highlights, and the following sections discuss each option in more detail.
Commercial software requires you to buy and maintain your hardware, plus shell out for a commercial software license and annual support.
The ecommerce software might be PCI-compliant out of the box, or you could have lots of work getting there. Any extra support you require from the vendor for PCI will likely cost extra.
This option could work for you if your company chooses to:
The drawbacks here are the high costs of hardware, software and support — plus the unknown burden of handling some of your own PCI compliance.
This option is a lot like writing your own code — you still pay for your hardware, but you avoid paying any software license fee.
You have to assemble, compile, install and tweak your software. Just as for PCI, this can quickly turn into a money pit. Open source is a black box where no one really knows what’s happening.
The problem with open source is that you’re not buying from any vendor, so there’s no one to fall back on for help — whether support or even a phone number to call. Even worse, the PCI auditor you work with may not like something about the platform itself.
In that case, you’re stuck.
You may have to document every step of your process in painful detail. That means holding meetings, analyzing code, sketching flowcharts, writing reports. Potentially weeks of effort that can outweigh any savings you gained from open source.
The DIY option could work if your company can afford to:
Using open-source software means you are responsible for 100% of your PCI compliance — not to mention your store’s uptime.
Software running as a service is accessed through the web, running on hardware maintained in a secure data center by your service provider.
If you want to save money and can’t spare a lot of staff to develop PCI policies and write reports, consider using a hosted ecommerce service such as BigCommerce.
This way, you can forget about fiddling with ecommerce hardware and software, pay one monthly fee to cover your ecommerce platform and remain PCI-compliant with a minimum of time and expense.
An important consideration when selecting this option, however, is that you will still be required to complete a self-assessment questionnaire (SAQ) as a Level 2-4 merchant and an ROC (i.e., report on compliance, also synonymous with Attestation of Compliance) if you are a Level 1 merchant.
Therefore, the work in documenting and reporting on a quality SaaS ecommerce platform regardless of your compliance level is much less involved in terms of cost and risk than the other two options presented.
The SaaS option will work for you if your company:
With lower costs, less risk and fewer PCI hassles, this option is the chosen path for many online stores.
Again, this is only applicable to your IT team if you choose not to go with a SaaS solution. If you use an open-source or custom-built ecommerce platform, your IT team will need to go through the following checklist annually.
We’ve broken the checklist down below based on the PCI requirement.
Maintaining requirement for 1:
Maintaining requirement for 2:
Maintaining requirement for 3:
Maintaining requirement for 4:
Maintaining requirement for 5:
Maintaining requirement for 6:
Maintaining requirement for 7:
Maintaining requirement for 8:
Maintaining requirement for 9:
Maintaining requirement for 10:
Maintaining requirement for 11:
Maintaining requirement for 12:
As if achieving PCI compliance wasn’t complex enough on its own, maintaining compliance year-over-year and keeping up with ever-evolving nuances to PCS data security standards (DSS) has proven itself a perpetual expense for any organization.
The latest PCI DSS standard 4.0 — released in Q1 2022 — defines a number of changes to previously accepted rules and regulations on various PCI subjects, touching upon both documentation requirements and technical adjustments to the physical hosting environment (CDE) itself.
This means that self-hosted merchants will be expected to manage lists of future change requests and down-the-road migration plans that will keep your technical teams very busy ad infinitum..
In short, maintaining compliance is an ongoing process involving all of the above and quarterly vulnerability scans and completing a new SAQ and Attestation of Compliance each year.
If your organization is presently at PCI compliance Level 3 and your credit card transaction volume is trending upwards at a rate of 20% or more annually, consider hiring a QSA and having a formal external security audit done every year, even if your bank doesn't require it.
In this manner, your team won't be flanked by a last-minute crunch to get it done, resulting in overstatements, omissions and increased third-party auditing costs. You'll also proactively position your organization for an easy transition upward to a higher compliance level at a later time.
PCI DSS compliance is not easy, nor is it simple. However, it is necessary, and companies that can understand what it is will have a better chance of preventing future data breaches, maintaining their bottom line, and most importantly, keeping their customer's information safe and secure.
Any business that accepts or uses credit cards for transactions, or processes, stores and transmits credit card data must be PCI compliant. PCI compliance helps to ensure that online transactions are secure against data breaches or identity theft.
The failure to be PCI compliant can result in significant fines and a drop in your business reputation.
While PCI compliance may seem daunting, considering its strict regulatory requirements and rules, it is more simple than it may appear.
What PCI compliance primarily calls for is quality, basic security for customer information. With the help of experts like BigCommerce, protecting your customer data can become a cinch and something second nature.
By using this guide and understanding what exactly PCI compliance entails, businesses can get ahead of any potential issues.
PCI DSS is a security standard, not a law or piece of written legislation.
That doesn’t mean that it shouldn’t be followed. Because compliance with PCI is mandated by the major credit card companies — including Visa, Mastercard, etc. — as well as certain banks, non-compliance can lock organizations out of significant business.
If your business handles, stores or uses credit card numbers and information, then you will at some point need to be certified by a qualified auditor. If you use PCI-compliant payment applications like Stripe or PayPal, you may not have to undergo such a rigorous process. To determine if you need to hire a PCI-certified professional to review your information, you should complete the Self-Assessment Questionnaire.