PCI Compliance for E-Commerce Stores
The world made drastic changes this year as a direct result of the Covid-19 crisis. As a result, people are working and shopping from home more than ever before, and PCI compliance for e-commerce stores is having its day in the sun.
As a direct result of society's more digital lifestyle, there has been a serious uptick in online fraud and cyberattacks. Fraudsters are exploiting both the shift and weaknesses in merchants' security. One of the best ways to combat fraud is to address those weaknesses first, by achieving and maintaining PCI DSS compliance.
Last week we wrote about fighting e-commerce fraud and talked about ways merchants should strengthen their fraud-fighting strategies. One of the easiest places to start is achieving and maintaining your PCI compliance.
Therefore, since it is the best first step, this week we'll explain what PCI compliance is and why it is important. In addition, we'll break down the security standards merchants need to follow and lay out the best way to become PCI compliant.
What is PCI DSS Compliance?
To understand what PCI DSS Compliance is, we first need to understand who the PCI is, and what they do.
PCI stands for Payment Card Industry, and PCI SSC refers to the PCI Security Standards Council. The PCI SSC is a global organization that "maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data". The PCI SSC's goal is to help merchants understand and implement security standards and policies in their organizations.
To do this, it created a complete set of security standards for payment transactions. This set of standards is referred to as PCI DSS, the Data Security Standard. It sets the technical and operational requirements for merchants who accept credit card payments. PCI DSS was established to protect payment systems from breaches and theft of cardholder data.
Therefore, PCI DSS compliance means adhering to those standards and, once a year, validating that you do so. Note that the validation goes to your acquiring bank (and through it to the card brands), not to the PCI SSC itself, which writes the standard but does not enforce it.
Why is PCI Compliance for E-Commerce Stores so Important?
Without adhering to increased security standards, businesses and their customers are vulnerable to cyber fraud attacks. Fraudsters are opportunists. They go where the money goes and will exploit any situation that presents itself. With our recent switch to remote working and an increase in online shopping, they have the perfect situation.
One of the best examples of this is the recent increase in online skimming. Over just one month, since stay-at-home orders began in March, there was a marked increase in credit card skimming on e-commerce websites.
In this type of attack, criminals inject malicious JavaScript into an e-commerce checkout page. The code "skims" whatever the shopper types during a transaction and sends it to a server the attacker controls: personal information such as name, address, phone number and email address, the full payment details (card number, expiry date and security code), and often the account login and password as well. Because the page still submits the order normally, neither the shopper nor the merchant sees anything wrong. Ordinary fraud usually leaves criminals with only fragments of a victim's information; a skimmer hands them the complete set in one go, which is why this attack is so dangerous.
Skimming is also dangerous because it is so hard to detect: the skimmer runs inside the legitimate page and the transaction completes as normal. And the malicious code does not have to enter through the merchant's own site. Oftentimes it is embedded in third-party software that the checkout page loads, such as an analytics tag, a chat widget or a library served from a vendor's CDN. A merchant inherits the compromise of every vendor whose script runs on the payment page, and may not even realize the threat they have taken on from that third-party software company.
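The practical defence against the third-party case above is to know exactly which scripts run on the checkout page and to pin each one. The following is an added example, not code from this post or from our gateway: a small Node.js script that inventories the `<script>` tags in a checkout page, flags scripts loaded from origins the merchant does not control and scripts with no Subresource Integrity (SRI) hash, and derives a Content-Security-Policy `script-src` allowlist from what it finds. The sample HTML, the hostnames (`shop.example`, `cdn.analytics-vendor.example`, `widgets.chat-vendor.example`) and the integrity hashes are constructed for the example and belong to no real merchant or vendor.

```javascript
// Added example: not code from the original post or the author's gateway.
// Inventories the <script> tags on a checkout page and flags the conditions
// that let a third-party skimmer in unnoticed: scripts served from origins the
// merchant does not control, and scripts with no Subresource Integrity hash
// (so a compromised vendor or CDN can swap the file without any change on the
// merchant's side). It also derives a Content-Security-Policy script-src
// allowlist from the inventory. The HTML, hostnames and hashes below are
// constructed for this example; they belong to no real merchant or vendor.

const FIRST_PARTY_ORIGIN = "https://shop.example";

const SAMPLE_CHECKOUT_HTML = `<!doctype html>
<html><head>
  <script src="https://shop.example/static/checkout.js"
          integrity="sha384-constructedHashA" crossorigin="anonymous"></script>
  <script src="https://cdn.analytics-vendor.example/tag.js"></script>
  <script src="https://widgets.chat-vendor.example/chat.js"
          integrity="sha384-constructedHashB" crossorigin="anonymous"></script>
  <script>window.dataLayer = window.dataLayer || [];</script>
</head><body><form id="payment-form"></form></body></html>`;

// Deliberately simple tag/attribute matching: enough for server-rendered
// markup like the sample, not a full HTML parser.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// One record per <script>: where it loads from and whether it is pinned by SRI.
function inventoryScripts(html) {
  const scripts = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.src) {
      scripts.push({
        inline: false,
        src: attrs.src,
        origin: new URL(attrs.src).origin,
        sri: Boolean(attrs.integrity),
      });
    } else {
      scripts.push({ inline: true, src: null, origin: null, sri: false, body: m[2].trim() });
    }
  }
  return scripts;
}

// Audit rules, in the order a reviewer would prioritise them:
//  high   third-party script with no SRI hash (vendor compromise = silent skimmer)
//  medium inline script (forces 'unsafe-inline' into CSP unless nonced or hashed)
//  low    first-party script with no SRI hash (a tampered deploy loads unchallenged)
function auditCheckoutScripts(html, firstPartyOrigin) {
  const findings = [];
  const allowedOrigins = new Set(["'self'"]);
  for (const s of inventoryScripts(html)) {
    if (s.inline) {
      findings.push({
        severity: "medium",
        script: s.body.slice(0, 40),
        issue: "inline script: CSP needs 'unsafe-inline' unless it is moved to a file, nonced or hashed",
      });
      continue;
    }
    const thirdParty = s.origin !== firstPartyOrigin;
    if (thirdParty) allowedOrigins.add(s.origin);
    if (!s.sri) {
      findings.push({
        severity: thirdParty ? "high" : "low",
        script: s.src,
        issue: thirdParty
          ? "third-party script without SRI: a compromise at the vendor injects a skimmer with no change on your side"
          : "first-party script without SRI: a tampered deploy would load unchallenged",
      });
    }
  }
  // Every origin absent from this list is blocked from running script at all,
  // so a skimmer injected from an unlisted host never executes.
  const csp = `script-src ${[...allowedOrigins].join(" ")}`;
  return { findings, csp };
}

const report = auditCheckoutScripts(SAMPLE_CHECKOUT_HTML, FIRST_PARTY_ORIGIN);
console.log(JSON.stringify(report, null, 2));
```

Run it against the HTML your server actually sends for the checkout page; scripts that a tag manager injects at run time will not appear in that HTML, so pair the check with a CSP `report-uri`/`report-to` endpoint or a headless-browser crawl to catch them. SRI only works for files whose content is fixed, so a vendor that changes its script continuously cannot be pinned this way and needs the allowlist plus monitoring instead. This combination of a script inventory, integrity checks and tamper detection on payment pages is what PCI DSS v4.0 later made explicit in requirements 6.4.3 and 11.6.1.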
Who needs to comply with PCI DSS?
Everyone accepting credit card payments.
There is no federal law in place requiring merchants to maintain compliance with PCI DSS. A few states have written PCI compliance into their laws for doing business in that state. More importantly, compliance with PCI DSS is required contractually by all major card brands, through the merchant agreement you sign with your acquiring bank. So, if you accept credit cards, you must be PCI DSS compliant.
According to the major card brands, "everyone storing, processing or transmitting cardholder information is required to follow the Payment Card Industry Data Security Standard (PCI DSS)".
Don't think you can fly under the radar just because you are small. Small businesses often think they aren't a target for cybercriminals, but they are among the most targeted of all, especially small businesses that don't have effective security controls in place.
Large businesses and corporations often have larger staff and even whole IT departments to handle security. Small business owners don't have the manpower or resources, especially now with the limitations of the Covid shutdown orders.
Fraudsters target small businesses more often precisely for that reason. According to a recent Verizon Data Breach Investigations Report, 43% of the breaches it analysed involved small-business victims.
The PCI Security Standards Council states that combating fraud begins with awareness of the threat, followed by a layered approach to mitigating it. This includes keeping up with the latest version of the security standard and regular monitoring and patching of software.
What are the PCI Data Security Standards?
PCI DSS "consists of 12 basic requirements grouped in 6 categories for establishing and maintaining a reliable and secure payment processing environment."
The PCI Security Standards Council groups the 12 requirements (each with many sub-requirements) under 6 goals, and all of them must be met to be considered PCI DSS compliant, whatever the size of the merchant. (The "six milestones" you may also see are a different thing: the SSC's Prioritized Approach orders the same requirements by risk so a merchant can tackle the most important ones first.)
Here are the 6 goals with their corresponding 12 requirements (PCI DSS v3.2.1 numbering):
Build and Maintain a Secure Network and Systems
- 1. Install and maintain a firewall configuration to protect cardholder data.
- 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- 3. Protect stored cardholder data.
- 4. Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- 5. Protect all systems against malware and regularly update anti-virus software or programs.
- 6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- 7. Restrict access to cardholder data by business need to know.
- 8. Identify and authenticate access to system components.
- 9. Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- 10. Track and monitor all access to network resources and cardholder data.
- 11. Regularly test security systems and processes.
Maintain an Information Security Policy
- 12. Maintain a policy that addresses information security for all personnel.
Steps to PCI Compliance for E-Commerce Stores
Start with your merchant service provider.
The first and most important step is to make sure your merchant service provider is security-minded and provides you with a payment solution that is itself validated against PCI DSS. Our secure gateway is PCI DSS compliant. When the gateway collects the card data on its own hosted page or iframe rather than on your site, most of the requirements for storing, processing and transmitting cardholder data are met inside the gateway, and the part of the standard you have to assess yourself shrinks accordingly. Compliance is not transferred outright, though: the merchant's website, staff and policies still have to meet the requirements that remain in scope, and a compromised checkout page can leak card data before it ever reaches the gateway. But a compliant gateway takes a lot of the headache out of maintaining annual PCI compliance.
Figure out your business security level.
The card brands define four merchant levels based on the number of transactions a merchant processes each year (Visa's and Mastercard's definitions are the ones most merchants use). Level 4 is the lowest and covers merchants with fewer than 20,000 e-commerce transactions a year, so every business that takes cards online is at least a Level 4 merchant. Level 1 is the highest and applies to merchants with over 6 million transactions a year. The levels do not change what you have to secure: every merchant, whatever its level, must meet all 12 requirements. They change how you have to validate it.
Therefore, merchants must find out which level their business falls into (your acquiring bank can confirm it) so that they follow the correct validation requirements. Once you know your level, you can complete the steps necessary to validate compliance.
For most businesses, this will include:
- Completing a yearly Self-Assessment Questionnaire (SAQ). There are several SAQ types, and the one you use depends on how your site handles card data. For e-commerce the usual ones are SAQ A (all payment pages are fully outsourced to a validated provider, e.g. a hosted payment page or iframe), SAQ A-EP (your site does not store card data, but its pages affect the security of the transaction, e.g. they serve the card form or post the data to the processor) and SAQ D (everything else).
- Quarterly external vulnerability scans by an Approved Scanning Vendor (ASV), where your SAQ type requires them (SAQ A-EP and SAQ D do; SAQ A under PCI DSS v3.2.1 does not).
- Filling out an Attestation of Compliance (AOC) and submitting the documentation.
- *Level 1 merchants do not validate with an SAQ. They must have an annual on-site assessment performed by a Qualified Security Assessor (QSA), or by a qualified internal auditor where the card brand allows it, documented in a Report on Compliance (ROC).
Complete your PCI SSC yearly Self-Assessment Questionnaire.
The PCI Self-Assessment Questionnaire (SAQ) asks yes/no questions based on the 12 requirements (and their sub-requirements) to determine whether your business is set up to comply with the standard. To pass, every question must be answered "yes" (or marked "not applicable" or covered by a documented compensating control). The questions are meant to help merchants self-evaluate their compliance with PCI DSS.
Again, if your merchant account provider's secure solution handles the card data, it already covers most of what the 12 requirements ask of the payment flow; that is why the shorter SAQ types exist. Merchants fill out the questionnaire to confirm that the controls that remain on their side (their website, staff, devices and policies) adhere to the standard.
Complete ASV Quarterly Network Scans.
Every quarter, merchants whose SAQ type requires it must have an external vulnerability scan run against all of their internet-facing hosts that are in scope: the web servers, domains and IP addresses that could reach the cardholder data environment. The scan checks those hosts for known vulnerabilities and misconfigurations. Under the ASV program, any finding with a CVSS base score of 4.0 or higher fails the scan, and it must be fixed and rescanned before that quarter's scan counts as passing.
Keep in mind that the scan must be run by a third-party Approved Scanning Vendor (ASV), a company the PCI Security Standards Council has certified to perform the external scanning requirement. A scan you run yourself with the same tools is good practice but does not count for validation.
The PCI SSC maintains the complete list of approved scanning vendors on its website.
Complete your Attestation of Compliance.
Lastly, merchants must fill out an Attestation of Compliance, or AOC. This is the form that accompanies your SAQ (or ROC) and formally attests, under the signature of an officer of the business, to the result of your PCI DSS assessment. It is what your acquiring bank and the card brands rely on as evidence that you have completed all steps for PCI compliance for e-commerce stores.
Final Step- Submit PCI Compliance Requirements.
Once merchants have completed the SAQ and filled out the Attestation of Compliance, they must submit their forms.
Merchants submit the SAQ and AOC, along with the passing quarterly ASV scan reports, to their acquiring bank (or payment processor), which reports compliance status on to the card brands. Merchants do not submit anything to the PCI SSC itself.
Risk management is an ongoing process, and an annual attestation is only a snapshot of it. But we provide full support to help make the process as painless as possible.