What you need to know about PCI Compliance

PCI compliance is a set of rules for how you can process credit card orders

PCI Compliance is the banks/visa’s standard for how merchants should securely process credit cards.  These days, credit card companies are forcing the banks to ensure their merchants are PCI compliant.

These rules apply to everyone that processes credit cards (not just online vendors but also people taking them over the phone/fax or via an EFTPOS terminal at the point of sale).

PCI compliance can be easily achieved by  using a DPS payment gateway.

On a website, the way to acheive PCI compliance is through the use of a payment gateway such as DPS.  DPS will process the credit card securely and confirm or deny that the transaction was successful to the website – this means the website never needs to store or process the credit card, which means there is essentially no risk of credit card information being stolen or lost. It also means that you, your staff, and contractors or service providers cannot access the card data. Doing this vastly decreases both your risk and the compliance costs of being PCI compliant

Why are the people interested in this now?

While these rules have been around for a long time, banks and credit card companies are taking them much more seriously these days, with the increase in credit card fraud that has come with the rise of the Internet. These days, the banks are insisting people will be PCI compliant before they will give them a credit card processing facility.

None of the banks actively check that existing customers are PCI compliant – there are no “PCI Police” that will tell you if you aren’t compliant.  What they generally do is get merchants to sign a contract that says they are compliant (generally you will have signed a document called an “Attestation of Compliance” although some banks simply have a release form saying they aren’t liable for anything) and then pursue you for liabilities under this contract should there be a breach.

Why you shouldn’t use offline credit card processing

Note that if you choose to process credit cards via other electronic means (eg by storing them in a website or by email) then you will likely need to conform to more onerous requirements to be PCI compliant.  Particularly if you take credit cards via these means and then store them in an internet-connected database or fileserver, or take them over email, you will find it difficult to be PCI compliant.  In this case, taking your credit card payments online through a payment gateway such as DPS will significantly decrease your risk and cost.

How does your e-commerce store become PCI Compliant?

If you are using DPS or another third-party payment gateway, it is quite simple

Inform your bank that you are using a payment gateway (DPS PxPay if they ask). Your bank will provide you with a self-assesment questionaire (called SAQ-A) which you must fill out and return to them.

If you were to use another method, it would very complex

• PCI compliance is specific to a merchant – even if the Zeald Website Solution provides the necessary security features to enable our clients to be PCI compliant, it is still up to the merchant to ensure their own company (and website) is PCI compliant.

• To become PCI compliant, you complete one of four different self-assessment questionnaires which your bank will provide, sign a document attesting that you have done so, (and in some cases get a third party network scan done to your systems, although this doesn’t apply if you’re using DPS), and submit this to your bank.

• The most draconian, SAQ-D, is one that essentially no SMB in New Zealand is likely to be able to meet.  This applies to people who store credit card data online.  This requires network scans and significant changes to your internal processes.  If you tell your bank you are using DPS, you should be able to avoid this.

What if I’m already PCI Compliant

There are four different “levels” of compliance, named according to the “Self-Assessment Questionaire” you have to fill out to meet it. (https://www.pcisecuritystandards.org/saq/instructions_dss.shtml)

These questionaires get progressively more complex, ie SAQ-A has a limited number of questions whereas SAQ-D is extremely complex.

• SAQ-A – If you only use a payment gateway such as DPS, where card numbers are not stored and you never even see them
• SAQ-B – If you use an EFTPOS terminal or other swipe machine, that’s not connected to the internet
• SAQ-C – If you use an EFTPOS terminal or point-of-sale system that is connected to the internet
• SAQ-D – if you take and store credit card numbers yourself (ie not completely outsourcing it to a payment gateway).  SAQ-D is very complex, and it requires you to have formal documented information security policies, regular penetration and vulnerability scanning, and other high-end corporate-level network systems.

If you already process credit cards on an eftpos terminal in your shop, you most likely have been asked to comply with at least SAQ-B, but it is unlikely that you would be fully compliant with SAQ-D.

Penalties for non-compliance

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.  Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

See https://www.pcicomplianceguide.org/pci-faqs-2/#11 for more information on this.

Conclusion

As documented above,  PCI compliance is serious in nature and is here to stay.  Any business or person looking to transact credit card payments online are highly recommended to use a third party payment gateway to protect both themselves and their prospective customers who will be purchasing from their website.

Further reading

• https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml