You’re likely aware of the upswing in security breaches and hacker activity in the news lately. Many of these breaches result in a loss of customers’ personal or credit card information. In 2006, the five major credit card companies — American Express, Discover, JCB, MasterCard, and Visa — formed the PCI (Payment Card Industry) Security Standards Council, and have developed a set of guidelines (the Data Security Standard, or DSS) to improve the security of payment gateways and merchant websites. If you operate an online ecommerce store and you accept credit cards online as a form of payment, then you are required to follow these guidelines.
Different guidelines for different gateways
Before moving forward, it’s worth noting that each credit card company and individual payment gateways have their own security guidelines they require their merchants to follow. Check your payment gateway’s website or contact them directly to find out what you need to do to maintain compliance. In addition, some US states (Massachusetts, for example) have laws governing how personally identifiable information is transmitted and stored. The following are generalized rules for the DSS in particular, but there may be more you have to do to maintain compliance.
Transmission vs. storage
The specific DSS requirements focus on businesses that collect, transmit, and store credit card information. In all likelihood, your ecommerce store does not store credit card data, and it may not even collect or transmit it. This does not mean you can ignore PCI compliance! But it does reduce the scope of compliance. If you do not store credit card data at all, then you are probably only required to complete a self-assessment questionnaire (SAQ) on a regular basis.
Onsite vs. offsite
SAQ A is for merchants that use a third party to collect and process credit card data offsite. This means that the shopper is transferred to the third party’s website to input their credit card data and complete their purchase, and then is transferred back to your site after checkout is completed. For example, if you use PayPal Payments Standard, a fully hosted PCI compliant solution like Shopify, or an iframe that loads a form hosted by your payment gateway, you would use SAQ A.
SAQ A-EP (enforceable starting January 2015) is very similar to SAQ A, but differs in how and where the credit card data is entered by the shopper. If the form for collecting the credit card information is hosted by the merchant, but posts to the payment gateway (meaning the data is sent directly to the gateway, instead of to the backend of your website), then you would use SAQ A-EP. As long as the form is fully hosted by a PCI compliant third party, you would use SAQ A.
SAQ C is for merchants that use a third party to process credit card data offsite, but collect the data onsite. This means that the shopper does not leave your website when submitting their credit card data, and your website passes the data to a payment gateway in the background for processing. PayPal Payments Pro users would use SAQ C.
You can read more about SAQs, what types are available, and which SAQ applies to your business in this document. In particular, if you have a call center that takes phone orders, you may have to use a different SAQ.
The risks of not being compliant
If a breach occurs and you were deemed not compliant at the time of the breach, then you can expect to be hit with massive fines from multiple different entities, not to mention lawsuits. IBM produced an infographic describing some of the risks: