“PCI Compliance” generally refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of regulations created to ensure companies safely process, transmit, and store credit card information. PCI security standards were launched in 2006 and have become an integral part of developing a successful website.
Data security standards apply to any organization that accepts, stores, or transmits cardholder data, regardless of size or number of transactions. However, there are varying levels of standards depending on where and how you use or store cardholder data.
E-commerce website owners must determine the “self-assessment questionnaire” (SAQ) level that applies and then successfully implement the applicable PCI-DSS requirements for that level. Depending on your card processor/gateway, they may utilize a third-party approved scanning vendor (ASV) to guide you through this process. Even if your processor does not require this, it does not mean you are exempt from compliance.
Completing the appropriate SAQ demonstrates you’re taking the security measures necessary to keep cardholders data safe. The vast majority of e-commerce sites should make it a goal to qualify for SAQ A or SAQ A-EP. These designations mean that part or all of cardholder data functions are outsourced. While your business will still have to work through some security issues to be compliant, they’re not as comprehensive as other SAQs.
On the other hand, if your business falls into SAQ D, you’ll need to implement and maintain a much more onerous set of measures. Modern payment gateways all offer A/A-EP compatible card processing options to help you avoid SAQ D. If it’s been years since you implemented your payment solution or your site “sees” raw card numbers at any point, you should make it a goal to upgrade to a more secure process. We can help.
In addition to meeting security standards and regulations, maintaining PCI compliance provides various benefits, including:
PCI non-compliance can lead to lawsuits, canceled accounts, insurance claims, government fines, and erode the trust that customers and partners place in your business.
Employing encryption is important (and most modern web browsers will warn users if you’re not) but serving your web site with TLS (often called “SSL”) encryption is not sufficient in and of itself to satisfy the PCI DSS standard at any SAQ level.
Another common misconception is that receiving but not storing card data excludes a site from the more stringent SAQ D requirements. If your web application ever sees a full card number – even if immediately sent to a third party without storage – this exposes you to significant risk and compliance requirements.
Understanding your SAQ level is crucial for mitigating risk and helping your business succeed. If you’re not sure what SAQ level applies to your business, or need help assessing your PCI Compliance, contact us today.
Tony Diaz is Fruition’s Service Desk Lead. Tony is Fruition’s main point of contact for web administration work, and he applies his customer service background to grow the Fruition Service Desk. In his free time, you can find him walking and jogging through Denver’s best parks.
President & Founder, Tru Family Dental
Marketing, Dependable Cleaners
President & Founder, Family Travel Association