Payment Gateways and PCI DSS Compliance for E-Commerce Businesses
PCI DSS stands for Payment Card Industry Data Security Standard, often shortened to just PCI. It is a set of requirements that any merchant accepting payment by card is expected to comply with. If you run an eCommerce store, that almost certainly includes you.
PCI DSS is not itself a law in most jurisdictions; it is a contractual requirement passed down from the card brands through your acquiring bank or payment processor, and most of them demand that you comply. Even where nothing forces you to, it is a wise investment for most companies and site owners.
The objective of the standard is to improve security and thereby protect shoppers' card details. Merchants that don't comply can find themselves facing hefty fines and liability should their systems be breached. Heartland Payment Systems, for example, reported roughly 12.5 million USD in fines and breach-related costs after its 2008 compromise, and some estimates of the total cost of the 2011 Sony PlayStation Network breach, in which customer payment data was exposed, ran as high as 24 billion USD.
Companies and sellers need to think not only about the direct monetary cost but also the severe implications this can have for a company’s reputation. Security breaches are not a good reason to be in the news, and it could mean you never recover the losses.
For those reasons, eCommerce store owners must take the time now to ensure that they are PCI compliant. In this post, we’ll take a look at how to ensure you meet those standards.
PCI Compliance Levels
Depending on the nature of your business, you will likely need to meet one of the following levels of PCI compliance:
Level 1 applies to merchants processing more than 6,000,000 Visa or MasterCard transactions a year, or more than 2,500,000 American Express transactions. The card brands can also assign Level 1 to any merchant that has suffered a data compromise in the previous year, however small its volume, and it applies to companies that handle card data or processing on behalf of other companies.
Level 2 covers merchants handling between 1,000,000 and 6,000,000 Visa or MasterCard transactions a year, or between 50,000 and 2,500,000 American Express transactions.
Level 3 covers merchants handling between 20,000 and 1,000,000 Visa or MasterCard e-commerce transactions a year, or fewer than 50,000 American Express transactions.
Finally, Level 4 covers merchants handling fewer than 20,000 Visa or MasterCard e-commerce transactions a year (and up to 1,000,000 transactions in total). American Express does not define a Level 4.
A lot of small companies that only serve a small number of people will, therefore, fall into level 4. If you are an independent site owner, that likely includes you. Larger companies might fall into level 3 or 2. The biggest international businesses, however, might need level 1 compliance.
How to Become PCI Compliant
With all this in mind, then, how do you go about meeting the requirements to become PCI compliant?
If you are a Level 1 merchant, you must have a Qualified Security Assessor (QSA) carry out an annual on-site assessment and produce a Report on Compliance (RoC). Merchants at Levels 2, 3, or 4 can normally self-assess, although some card brands and acquirers require a Level 2 self-assessment to be completed or signed off by a QSA or a trained Internal Security Assessor (ISA), so check what your own acquirer expects.
This means downloading the Self-Assessment Questionnaire (SAQ) forms from the PCI Security Standards Council and checking your business against the requirements they contain. The Council publishes several SAQ variants, each tied to a particular way of accepting cards, and only a few are relevant to e-commerce, where the card is never physically present. Online stores will normally fall under one of three:
- SAQ A applies to card-not-present merchants that fully outsource all cardholder data functions to PCI DSS validated third parties, so that the merchant's own systems never receive card data. This covers most eCommerce stores that use a hosted payment page or a third-party iFrame.
- SAQ A-EP applies to merchants that also outsource processing to a third party but whose own website serves the payment page or form (or the script that builds it), so that card data goes from the shopper's browser straight to the third party without passing through the merchant's servers. The merchant's systems never hold card data, but they control the page and can therefore affect the security of the transaction, which is why A-EP carries far more requirements than SAQ A.
- SAQ D is for "all other" e-commerce merchants: any whose own systems receive, process, or store cardholder data, and any that do not meet the eligibility criteria for the two forms above.
PCI Compliance for Sites Using PayPal and Other Payment Gateways
At this point, you might be wondering whether you need to be PCI compliant if you use PayPal. PayPal is itself validated as a Level 1 PCI DSS compliant service provider, but that does not remove your own obligation to be PCI compliant.
In this situation, PayPal is acting as a payment processor: it stores, processes, and transmits the card data. However, the shopper still arrives at your site, and it is your site that hands them over to PayPal, so the configuration and integrity of your own environment can still affect the security of the transaction.
There are several different ways you might integrate PayPal or another third-party payment processor into your eCommerce store. You might, for instance, use a hosted payment page and a redirect, sending customers away from your site to enter their card details on the processor's own page.
Important note: even though no card data is collected on your site, you still fall within the scope of SAQ A and must complete it. There are also plenty of ways your site can still affect the outcome of the transaction: a misconfiguration can send customers to the wrong gateway, and if your site is compromised the redirect can be pointed at an attacker's look-alike page, or injected script can capture what the shopper types before they leave. It is also your responsibility to confirm that the processing service is PCI DSS compliant and to keep evidence of that.
Another option is an iFrame: the payment form is hosted by the gateway but embedded within your page. This also qualifies for SAQ A, but again the surrounding page is yours. Script running on it (including any third-party tags you include) cannot read inside a cross-origin frame, but it can replace the frame with a fake form, overlay it, or change where it points, so your environment can still affect the outcome of the transaction.
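To make the point concrete, here is an added example showing the three controls a merchant in the hosted-redirect or iFrame setup described above actually owns. It is not code from the original post and not PayPal's or any gateway's integration code; the gateway origins, the shop's own origin and the sample checkout HTML are constructed assumptions for illustration. It validates a redirect target against an allowlist of gateway origins, builds a strict Content-Security-Policy for the page that hosts the payment iFrame, and scans the served checkout page for script tags that do not belong there.

```javascript
// Added example: not code from the original post and not PayPal's or any
// gateway's integration code. The gateway origins, the shop origin and the
// sample HTML below are constructed assumptions for illustration.

// The only gateway origins this shop is allowed to redirect to or embed.
const ALLOWED_GATEWAY_ORIGINS = new Set([
  "https://www.paypal.com",               // hosted payment page (assumed origin)
  "https://checkout.example-gateway.com", // hypothetical iFrame provider
]);
const SHOP_ORIGIN = "https://shop.example.com"; // assumed own origin

// Hosted page + redirect: only ever send the shopper to a known gateway origin.
// Building the redirect from an unchecked config value or query parameter is
// how a compromised or misconfigured site sends customers to the wrong place.
function safeRedirectTarget(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not a URL at all
  }
  if (url.protocol !== "https:") return null;                 // no plaintext hand-off
  if (!ALLOWED_GATEWAY_ORIGINS.has(url.origin)) return null;  // exact origin match defeats look-alike hosts
  return url.href;
}

// iFrame embedding: the page that hosts the frame is yours, so lock down which
// origins may be framed and which scripts may run on it.
function checkoutCsp(gatewayOrigin) {
  if (!ALLOWED_GATEWAY_ORIGINS.has(gatewayOrigin)) {
    throw new Error(`unknown gateway origin: ${gatewayOrigin}`);
  }
  return [
    "default-src 'self'",
    `frame-src ${gatewayOrigin}`,           // only the gateway may be framed
    `script-src 'self' ${gatewayOrigin}`,   // no 'unsafe-inline', no wildcards
    `connect-src 'self' ${gatewayOrigin}`,
    `form-action 'self' ${gatewayOrigin}`,  // forms may only post to us or the gateway
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",               // nobody else may frame our checkout page
  ].join("; ");
}

// Change detection: list every <script src> on the checkout page that does not
// come from the shop itself or an allowed gateway. Run it against the page as
// actually served (from a monitor or a CI check) to catch injected tags.
function unexpectedScripts(html) {
  const allowed = new Set([SHOP_ORIGIN, ...ALLOWED_GATEWAY_ORIGINS]);
  const found = [];
  const tag = /<script\b[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  for (const match of html.matchAll(tag)) {
    let src;
    try {
      src = new URL(match[1], SHOP_ORIGIN); // relative paths resolve to our own origin
    } catch {
      found.push(match[1]); // unparseable src is suspicious too
      continue;
    }
    if (!allowed.has(src.origin)) found.push(src.href);
  }
  return found;
}

// Constructed checkout page: one expected gateway script and one injected,
// protocol-relative tag of the kind a skimmer would add.
const SAMPLE_CHECKOUT_HTML = `
<html><body>
<script src="/static/checkout.js"></script>
<iframe src="https://checkout.example-gateway.com/pay/123"></iframe>
<script src="https://checkout.example-gateway.com/sdk.js"></script>
<script src="//cdn.attacker.example/stats.js"></script>
</body></html>`;

console.log(safeRedirectTarget("https://www.paypal.com/checkoutnow?token=abc"));
console.log(safeRedirectTarget("https://www.paypal.com.evil.example/checkoutnow")); // null
console.log(checkoutCsp("https://checkout.example-gateway.com"));
console.log(unexpectedScripts(SAMPLE_CHECKOUT_HTML)); // [ 'https://cdn.attacker.example/stats.js' ]
```

None of this replaces the SAQ itself; it is the kind of evidence a practitioner would keep alongside it to show that the redirect, the framing page and the scripts on it are under control. Before deploying a CSP this strict, confirm with your gateway which origins its script and frame actually need, because a policy that blocks the gateway's own resources will break checkout rather than protect it.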
Whatever the case, you will always carry some responsibility for PCI compliance. Meeting it protects both the customer and your business: you avoid fines from the card brands and your acquirer, and you earn the reputation that lets the business keep growing.