Nothing strikes fear in the heart of online merchants quite like PCI DSS (the set of technical and operational requirements designed to protect cardholder data‚ put forth by the credit card networks (Visa, MasterCard, etc‚).
Do I have to get PCI certified?
If you accept credit cards from your customers then, yes.
Many gateways and online payment processing solutions will claim their drop-in credit card widgets exclude you from PCI compliance or make you PCI compliant.
What these type of solutions do, including Spreedly's, is reduce your compliance burden. You still have to certify, but can often do so with much less effort than if you were processing and storing the card data yourself.
How do I get PCI certified?
PCI certification takes two forms: Self-assessment (i.e. do-it-yourself) or hiring a third party QSA (Qualified Security Assessor). Though there are obvious advantages to self-assessing, including effort and cost, your ability to self-assess is dependent on your annual transaction volume and is reflected in the resulting level of PCI certification (1-4) you attain.
The table on our PCI page describes the relationship between your transaction volume, required assessment approach, and level of certification:
Note: While PCI DSS outlines the requirements to become certified, there are subtle differences across payment networks (the table above was created from the Visa merchant guidelines). It is ultimately up to your merchant/acquiring bank to determine what is required for your compliance. Please be sure to check with them before beginning the compliance process.
How do I self-assess?
If you are processing less than 6 million online transactions per year it's quite likely you can self-assess. This is a good thing, but you're not out of the woods yet. Depending on your level of involvement in handling card data, you may still need to complete a lengthy questionnaire and perform an extensive internal review.
Self-assessment for online merchants usually occurs by filling out one of three self-assessment questionnaires (SAQs). Listed in increasing order of scope they are SAQ A, SAQ A-EP and SAQ D. By way of comparison, the SAQ A has fourteen questions listed while the SAQ A-EP has over one hundred across almost thirty pages. Assessing under SAQ A is, for obvious reasons, the goal of most online merchants.
So can you use the SAQ A? It depends on your technology and provider choices, both of which dictate how card data passes from the consumer, through (or around) you, and onto your gateway:
SAQ A-EP is a new questionnaire, as of PCI DSS 3.0, and its distinction from SAQ A is a subtle but important one...
SAQ A vs. SAQ A-EP
Prior to PCI DSS 3.0, online merchants that used Javascript libraries or transparent-redirect forms from PCI DSS compliant third-party service providers were able to self-assess using SAQ A. These two approaches let the merchant host the payment page, with the sensitive card data being passed directly from the user's browser to the gateway, bypassing the merchant all together.
With Version 3 of PCI, however, online merchants can no longer even host the payment page if they wish to qualify for SAQ A. In order to qualify for SAQ A you must use a payment form where all cardholder data that is hosted by and submits directly to the compliant third party. In pure browser technology terms this means that you must use an iFrame-delivered payment form where all page content is from the PSP or a hosted payment page from your payment processor.
A compliant third party reduces the attack vectors by which a malicious party is able to gain access to a user's entered credit card data. For instance, an attacker that gains access to your merchant systems can no longer compromise your payment page and siphon off card data before submitting it to the intended processor. The card payment form is protected from such intrusions by web browsers‚ cross-domain security policies which limit the ability for pages on one domain to access the content of pages on another domain.
While there are always risks of compromise for any approach, PCI DSS has determined that an iFrame or hosted payment form is less susceptible than an in-merchant form.
Proof of compliance
Once you have self-assessed using the appropriate questionnaire you will need to fill out an Attestation of Compliance, or AOC, to formally declare your PCI compliance results. If you have gone through a review led by an independent QSA, you will be issued an AOC.
In addition to the AOC, which needs to be reviewed and re-issued on an annual basis, you will need to sign up for a quarterly security scan of your systems from an outside provider. Together with the AOC, the quarterly scan verifies that you are maintaining your PCI compliance.
Summary
PCI is not for the feint of heart, but it can be managed. When evaluating your compliance, keep the following in mind:
- What level of compliance you need is determined by your merchant bank, informed by the number of annual transactions you are processing.
- Self-assessing is less costly and time consuming, but is only an option for online merchants seeking less than a PCI Level 1 certification.
- If self-assessing, using a PCI compliant service provider that provides an iFrame where all page content is from the PSP or hosted payment page results in the least compliance burden.
- An AOC, together with a quarterly scan, is your proof of PCI compliance.
Good luck out there!
- If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standards. Get more information here: https://www.pcisecuritystandards.org/merchants
- See "What types of e-commerce implementations are eligible for SAQ A-EP vs. SAQ A?" from https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf
Download the PCI Compliance eBook Below
.png)
.svg){kind=icon}
.svg)
