PCI Compliance in E-Commerce comes from the Payment Card Industry Data Security Standard (PCI DSS), which is a security standard created by the Payment Card Industry Security Standards Council. This standard was formed to improve processes and controls in place to protect cardholder data. The main goal of the PCI DSS is to reduce debit and credit card data loss.
In this article we outline the following:
- Founding elements of PCI compliance
- Compliance criteria
- Changes coming to the standard
- PCI Levels
What Is PCI Compliance?
Payment card industry (PCI) compliance is required by credit card companies to aid in the secure conduct of financial transactions. The PCI Security Standards Council is responsible for developing and maintaining standards for PCI compliance.
PCI DSS applies to all businesses that handle, store, or transmit any personal or payment information from a credit or debit card. All merchants that accept credit cards as payment on their site are obligated to assess their compliance on an annual basis. The amount of assessment required varies with a given platform's transaction volume. For example, smaller merchants with fewer transactions may be able to review their compliance internally. Larger merchants, or those that process more than six million transactions per year, will likely require the assistance of a Qualified Security Assessor (QSA).
Why Does PCI Compliance Matter?
PCI compliance is a difficult subject to grasp for some. However, the PCI Security Standards Council's guidelines, called the Payment Card Industry Data Security Standard (PCI DSS), set forth the overall aims in simple terms. Meeting the 12 fundamental criteria that back them makes it more difficult for bad actors to acquire critical payment data, and is therefore an effective measure against fraud and misuse.
How Is PCI Compliance Enforced for Platforms?
The PCI DSS is a security standard, not a law. PCI compliance is enforced by acquiring banks and payment processors: companies must comply with it as directed by their contracts with the card brands (Visa, MasterCard, etc.) and with the financial institutions that actually handle their payment processing. In general, PCI compliance is a key element of any credit card company's security policy. It is required by most credit card issuers and by the terms of the card networks.
PCI DSS compliance is essential to protecting an organization's IT infrastructure and its data. Failure to comply means facing steep financial penalties, damage to company reputation, loss of customer confidence, and a likely drop in business revenue.
PCI Compliance Criteria for E-Commerce Platforms
The PCI DSS is a comprehensive set of guidelines that help businesses protect their payment data. The 12 fundamental criteria laid out in the standard provide a strong foundation for good security practices. Meeting these criteria makes it more difficult for criminals to steal your payment data.
The following are the key concepts within the existing guidelines.
1. Set up and maintain a firewall
A firewall is a piece of hardware or software that separates your internal network from the Internet. It helps protect your systems from unauthorized access and theft of data. Your systems must have a properly configured firewall to be PCI compliant.
2. Employ strong password practices
Passwords are the first line of defense against unauthorized access to your systems. They should be strong, unique, and changed regularly.
3. Secure stored cardholder data
Stored cardholder data is any data that is not actively being processed. It must be protected from unauthorized access, use, or alteration.
4. Encrypt the transmission of cardholder data
Transmission of cardholder data should be encrypted using strong cryptography. This helps protect the data from being intercepted by unauthorized individuals.
5. Use quality antivirus software
Antivirus software helps protect your systems from malicious software (malware) that can steal information or damage your systems. You must use up-to-date antivirus software to be PCI compliant.
6. Build and maintain secure systems and applications
Secure systems and applications should protect your systems from unauthorized access to cardholder data. They should also use strong cryptography and be tested regularly.
7. Give access to data only when truly necessary
Access to cardholder data should be restricted to authorized individuals only. These individuals should have a need to know the information in order to do their jobs.
8. Assign a distinct ID to each person who has access to cardholder information
Each individual who has access to cardholder data should be assigned a unique identification number. This helps ensure that only authorized individuals have access to the data and that interactions with it are trackable.
9. Limit physical access to cardholder data
Physical access to cardholder data should be restricted to authorized individuals only. This helps protect the data from being stolen or compromised.
10. Keep track of all access to network resources and cardholder data
You should track and monitor all access to your network resources and cardholder data. This will allow you to detect any possible compromise of your data.
11. Test security systems and procedures on a regular basis
You should regularly test your security systems and processes to ensure that they are effective. This helps protect systems from being at risk or ultimately compromised.
12. Maintain a policy that details the security measures for staff and contractors
All employees and contractors should be made aware of the importance of information security. A written policy will help them understand their role in protecting cardholder data.
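Two of the concepts above, protecting stored cardholder data (3) and tracking access to it (10), meet in a very practical place: application logs, which often end up storing full card numbers by accident. The following is an added example, not code from the article or from the PCI SSC, that scans constructed log lines for Luhn-valid primary account numbers (PANs) and rewrites them to the masked form the standard allows for displayed PANs (no more than the first six and last four digits visible). The log lines and the function names are assumptions made for the example; a 16-digit order id is included to show that the Luhn check keeps ordinary numbers from being flagged.

```python
import re

# Constructed sample log lines for this example (not from the article): the
# first leaks a full PAN, the second holds a 16-digit order id that is NOT a
# card number, the third is clean.
SAMPLE_LOG_LINES = [
    "2024-01-05T10:12:33Z checkout user=42 pan=4111111111111111 amount=10.00",
    "2024-01-05T10:12:34Z order created order_id=1234567890123456 user=42",
    "2024-01-05T10:12:35Z payment token=tok_8f3a9c status=approved",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: only the first six and last four digits remain."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace each Luhn-valid PAN in a log line with its masked form; other numbers are untouched."""
    def _replace(match: re.Match) -> str:
        candidate = match.group(0)
        digits = re.sub(r"[ -]", "", candidate)
        return mask_pan(digits) if luhn_valid(digits) else candidate
    return _PAN_CANDIDATE.sub(_replace, line)


def find_pan_leaks(lines):
    """Return (line_number, scrubbed_line) for every line that contained at least one PAN."""
    leaks = []
    for n, line in enumerate(lines, start=1):
        scrubbed = scrub_log_line(line)
        if scrubbed != line:
            leaks.append((n, scrubbed))
    return leaks


if __name__ == "__main__":
    for n, scrubbed in find_pan_leaks(SAMPLE_LOG_LINES):
        print(f"line {n}: PAN found; scrubbed -> {scrubbed}")
```

Run as a script, it reports only the first line. The same scrubber can be placed in a logging filter so that a PAN never reaches disk in the first place, which is the cheaper way to satisfy the stored-data requirement; a finding from a scan like this is also a signal that the code path writing the log needs attention, since masking after the fact does not undo the retention that already happened.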
The above concepts are what comprise the current guidelines of PCI DSS. However, this is not all there is to compliance.
If you are looking to become PCI compliant, it is important to understand that meeting the requirements is not a one-time event. The PCI DSS is a living standard, and you must continually work to maintain compliance. This includes regularly testing your security systems and processes to ensure that they are effective. The PCI Security Standards Council also provides guidance on how to implement these concepts into your business.
2023 Update: The Next Version of PCI DSS is Here
The latest version, PCI DSS version 4.0, was released on March 31, 2022. According to current timelines set forth by the PCI SSC, PCI DSS v3.2.1 will be officially retired as of March 31, 2024, after which all entities required to comply with PCI DSS will need to be compliant with and assessed under PCI DSS v4.0. More information is available from the PCI SSC.
PCI Merchant Levels
If your organization can meet the 12 requirements, you should be on the right track towards becoming PCI compliant. However, it is important to note that each merchant has its own unique needs. This means that there may be additional steps you must take based on your specific situation.
In this context, the technical definition of a merchant is 'any entity that accepts payment cards with the logos of any of the five members of the Payment Card Industry Security Standards Council (PCI SSC) in return for goods or services'. Every merchant who processes payments must adhere to the guidelines; however, the level a merchant is categorized within defines the exact parameters.
There are multiple PCI DSS Merchant Levels and various PCI DSS compliance criteria within each that merchants must be aware of. For example, if you are a large ecommerce merchant that processes more than six million Visa transactions per year, you must complete an Attestation of Compliance (AoC).