Everyone knows that e-commerce transactions are on the rise. Unfortunately so is credit card fraud. To counter threats to sensitive credit card information, the five major credit card companies Visa, Mastercard, Amex, Discover and JCB aligned their individual policies in 2004 in the form of the Payment Card Industry Data Security Standard (PCI DSS). The PCI standards impose strict guidelines on what store vendors need to do in order to accept, process and retain credit card information. Non-PCI compliant vendors are exposed to fines or even loss of their merchant account rights. So it is important for all business owners accepting credit cards to understand their obligations.
What is my PCI merchant level ?
PCI consists of 4 merchant levels. Most small and medium businesses (less than 1 million credit card transactions per year) will fall into either Level 4 (less than 20k transactions p. year) or Level 3 (20k to 1M transactions p. year) which have the following compliance requirements:
- Level 4 – An annual Self Assessment Questionnaire (SAQ) plus a quarterly network vulnerability scan by an Approved Scanning Vendor.
- Level 3 – Remote assessment and compliance validation, monthly network vulnerability scanning, organisational validated SSL certificate.
HOWEVER vendors who have been caught with a data security breach will be automatically bumped up to the highest compliance level, which means:
- Level 1 – Annual on site review by a Qualified Security Assessor plus a quarterly network security scan by an Approved Scanning Vendor.
Do I need to be PCI compliant ?
Even if you don’t have a website, you will still need to be PCI compliant in order to take credit card payments in your offline business. PCI covers much more than just internet security. In fact there are twelve PCI requirements which include all aspects of protecting cardholder data. For example if you have cardholder data stored in such a way that janitorial or other service staff can physically access them, you are probably in breach.
What is PA-DSS ?
Let’s assume for the moment that you are an offline vendor accepting credit cards and faithfully complying with your PCI responsibilities. You decide that it would be nice to make some online revenue via an e-commerce site. Welcome to the world of the Payment Application Data Security Standard (PA-DSS). Basically the PA-DSS is an additional protocol issued by the same five credit card companies which states a certain level of data protection which your payment application (shopping cart) must meet. If you are using a non-PA-DSS approved system, your whole PCI compliance may now be deemed as compromised.
Which e-commerce systems are PA-DSS compliant ?
So far the news is not good. As of writing only a handful of commercial shopping cart systems are PA-DSS certified and none of the free open source systems are certified. In fact because of the nature of the way open source solutions are developed and deployed, there are significant challenges for such systems to ever become PA-DSS certified. According to one industry expert “PA-DSS certified open source solutions will be the rarity not the rule”.
Custom building a PA-DSS compliant payment application system is probably prohibitive for most small to medium businesses since it would need to go through it’s own unique certification. Even choosing one of the PA-DSS approved commercial systems would most likely need a dedicated web server to meet the more general PCI server security requirements.
Conclusion
As you can see, if you are hell bent on accepting credit card payments directly on your site, the costs of doing so start to rack up. So what are the options? Well the simplest option for most online vendors (and the one we feel that will become the norm for most small operators) is to outsource the whole payment process to an offsite gateway like PayPal Standard or 2Checkout. This way the credit card details never touch your site, you don’t need to worry about PA-DSS and your PCI burden becomes substantially easier or even eliminated.
Also, if you do business in a country like Japan , why not offer some alternatives to credit cards such as bank payment transfer and cash on delivery if such payment methods are commonplace.
Learn more:
What is PCI scanning ?
So you thought PCI was a mess ?
PCI Compliance Round 2
Meeting the Payment Card Industry Security Standard
Open Source PA-DSS Certification
PAYPAL White Paper – What every PayPal developer should know (PDF download)
PCI Glossary
“Self Assessment Questionaire” – An annual report of what steps you are undertaking for credit card data security. There are 5 different SAQ validation types and 4 different self assessment forms (A, B, C and D). Which assessment form you need to complete depends on how you process credit cards and what type of card payment data, if any, you retain.
“Approved Scanning Vendor” – A company authorized by the PCI Security Standards Council to remotely test your business for external internet security vulnerabilities.
“Qualified Security Assessor” – Basically an auditor who will conduct a face to face investigation of whether you are meeting the PCI guidelines.
Disclaimer: Readers should do their own research into topics presented here before making any business decisions.