This guide has been written to try and make sense of one of the most confusing topics for anyone with an ecommerce website or online shop. It’s aimed specifically at Small to Medium sized businesses and in particular customers using ekmPowershop ecommerce software.
PCI DSS Compliance is a big hurdle for most online businesses, it is a very confusing topic and the banks and local business organisations have not helped to make it easily understandable by most people.
In this guide we will try and explain what PCI is, why you need it and how to obtain it.
What is PCI DSS Compliance?
Okay let’s get the official answer out of the way...
"The Payment Card Industry Data Security Standard (or PCI DSS) is a worldwide security standard for any organisation which hold, process or transmit credit card information."
So basically PCI DSS is a security standard, something which all online businesses need to meet. In a way it’s similar to other requirements for businesses such as Employment Law or the Data Protection Act except it isn’t a law, you’re not doing anything illegal by not complying.
Why do we need a security standard?
Simple answer... to protect card holder’s data. How would you feel if you walked into a shop, gave your credit card details over and they just wrote them down and left them in a pile next to the door? Anyone could pick up your card data... it’s hardly secure.
Obviously you wouldn’t shop there and you wouldn’t physically let them write down your card data and store it in that way, but with an online website how do you know what happens with your card data once you have typed it in?
Some shops have (and still do) just email those card details to a standard (unprotected) email account, some decide it’s a good idea to print off the orders with your credit card data for all to see, some decide to save your card data un-encrypted on a web server ready for any hacker to come along and steal.
See why we need a security standard? Or at least a “best practice” document?
Why do I need to be PCI Compliant?
Because your merchant services provider (which ever bank you use to ultimately process your credit cards) will insist you are PCI compliant, and if you’re not they can disable your merchant account and stop you taking payments.
How badly will PCI Compliance affect me?
This depends on your answer to the following question...
Question: When a website customer physically types in and enters their credit card details are they on your website hosting server or a 3rd party payment gateway server?
Answer A: They are on a 3rd party payment gateway site or they are using a iFrame (iFrames are an easy way of including one html page in another) integration to my payment gateway site
If you’re using a 3rd party payment gateway which is PCI compliant such as PayPal, SagePay, WorldPay, HSBC Secure ePayments, Barclays ePDQ for example, then obtaining PCI Compliance is easy. This is because your ecommerce website never actually see's the credit card details, and is therefore out of the scope of PCI. All you will need to do is fill in a simple self assessment questionnaire which covers topics such as your security in your office or shop (eg: do you change your windows password regularly?).
Answer B: They are on my website
If the customer is physically on your website when they enter their card details then you are unfortunately in the scope for PCI. I would check with your website or online shop provider to clarify 100% that you’re not using an iFrame integration (as it can be hard to tell sometimes), as this would mean your okay as you wouldn’t be in the scope for PCI. As your website is in the scope for PCI it will need to be scanned and become fully PCI compliant before you yourself can become PCI compliant.
How do I get PCI Compliant?
The easiest and cheapest way is to ensure you're using a PCI compliant payment gatewway to actually take and process your credit card details. If you want to still take credit card details on your own website then you will need to spend some money on getting certified. The more transactions you process the more involved the certification is.
Do I need a PCI Compliance and/or ASV Scan?
If you're using a PCI compliant payment gateway and so no customers physically enters any card details on your website and instead enters it on your payment gateways website then the answer is NO.
However many banks still don’t understand the rules and will insist you have a scan done, usually by a company they recommend/are associated with. As long as you’re not physically taking any card details on YOUR website then you do not need a PCI or ASV scan regardless to what some call centre worker on the other side of the world says.
All you will need is to complete a SAQ (Self Assessment Questionnaire) which you can download directly from the PCI Security Standards website at https://www.pcisecuritystandards.org/saq/index.shtml.
How do I satisfy the banks?
Just use a PCI compliant 3rd party payment gateway and then simply fill in the Self Assessment Questionnaire which you can download at https://www.pcisecuritystandards.org/saq/index.shtml. Once you have filled it in simply email over the signed document along with the details of the payment gateway you are using.
If you would like to read more on PCI DSS Compliance you’re best going to the official website at https://www.pcisecuritystandards.org/index.shtml. It’s got loads of information on there, however it is very cryptic.