Is your eCommerce portal PCI DSS Compliant?

What is PCI DSS, and what does it mean when one talks about PCI compliance?

The Payment Card Industry Data Security Standard (PCI DSS) for eCommerce companies is a set of requirements that helps companies enhance the security of payment account data and gives merchants a systematic way to secure cardholder data. It was developed by the PCI Security Standards Council, which includes MasterCard Worldwide, American Express, JCB International, Visa Inc., and Discover Financial Services, to facilitate the adoption of data security measures on a global basis. The standard also covers requirements related to security management, policies and procedures, software design, network architecture and other protective measures that help organizations protect their customers’ account data.

The PCI Security Standards Council offers guidance to software vendors to help them develop a secure payment application based on a list of Validated Payment Applications.

Why is PCI compliance important?

In eCommerce online stores, where electronic transactions take place over the Internet, credit card numbers are vulnerable to cyber theft.

Credit card numbers are generally encrypted as required by the PCI standards; in this type of data security model the actual numbers are replaced by surrogate values, or tokens. If the numbers are not encrypted, they can be captured by so-called sniffer programs that cyber criminals plant on the network. When such a program recognizes the format of a credit card number, it copies the number, and it can steal card numbers from any application or database. Any company that accepts, processes or stores credit card numbers therefore has to comply with PCI DSS. This includes all e-merchants, from small Internet stores to large retail corporations, that accept credit cards either online or offline. The total number of credit card transactions a merchant performs annually determines which compliance requirements it must meet.

PCI compliance requirements are not the same for large, medium and small businesses; they depend on the annual transaction volume. Based on this, merchants are classified into the following levels according to Visa’s definitions:

  • Level 1: Includes merchants who process over 6 million Visa transactions annually.
  • Level 2: Includes merchants who process around 1 million to 6 million Visa transactions annually.
  • Level 3: Includes merchants who process 20,000 to 1 million eCommerce Visa transactions annually.
  • Level 4: Includes merchants who process fewer than 20,000 eCommerce Visa transactions annually. In addition, all merchants who process fewer than 1 million Visa transactions annually (of any kind) fall under Level 4.

Regulatory Considerations for eCommerce Website Owners

There are some general guidelines and regulations you need to be aware of when starting and running an eCommerce website. For example, in the United States the Federal Trade Commission (FTC) is the primary agency that regulates eCommerce activities. The most important regulatory compliance items for eCommerce portals are PCI compliance and secure information transfer between the browser and the web server, i.e. an SSL certificate.

For secure information transfer: You need to buy an SSL certificate from VeriSign (now part of Symantec) to enable HTTPS transfer of data between the browser and your server.

For PCI compliance: If you do not store any customer credit card information on your eCommerce website or servers and you have an SSL certificate, your portal is PCI compliant by default.
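The two points above (card numbers replaced by surrogate tokens, and never keeping card data on your own servers) are easier to enforce if you can actually detect a card number when one slips into a log file or database dump. The following is an added example, not code from the original post or from Connecting Dots: a small PAN detector that finds candidate 13-19 digit numbers, confirms them with the Luhn check so that order ids and invoice numbers are not flagged, and then either masks them to the last four digits or swaps them for a random surrogate token. The log lines, the `tok_` token prefix and the in-memory "vault" are constructed for the example; the card numbers are the publicly known test PANs 4111 1111 1111 1111 and 5500 0000 0000 0004, not real accounts.

```python
import re
import secrets
from typing import Dict, List, Optional

# Constructed sample log lines for the example. The two card numbers are
# well-known public test PANs; the "invoice" number is 16 digits but fails Luhn.
SAMPLE_LOG = [
    "2024-01-05 12:00:01 INFO order=1001 customer=alice status=paid",
    "2024-01-05 12:00:02 DEBUG gateway request card=4111111111111111 exp=12/26",
    "2024-01-05 12:00:03 DEBUG gateway request card=5500 0000 0000 0004 exp=01/27",
    "2024-01-05 12:00:04 INFO invoice=1234567890123456 total=19.99",
]

# A run of 13-19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so it is not a fragment).
CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> List[str]:
    """Return the Luhn-valid card numbers (digits only) found in a line."""
    found = []
    for m in CANDIDATE_RE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    return "*" * (len(pan) - 4) + pan[-4:]


def tokenize_pan(pan: str, vault: Dict[str, str]) -> str:
    """Replace the PAN with a random surrogate token (assumed 'tok_' prefix).

    The vault mapping PAN -> token is the sensitive part and, in a real
    deployment, would live in a separately protected system, not in app memory.
    """
    token = vault.get(pan)
    if token is None:
        token = "tok_" + secrets.token_hex(8)
        vault[pan] = token
    return token


def redact_line(line: str, vault: Optional[Dict[str, str]] = None) -> str:
    """Rewrite a line so that no Luhn-valid PAN survives in it.

    With no vault the PAN is masked; with a vault it is tokenized instead.
    """
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)   # leave invoice/order numbers untouched
        return tokenize_pan(digits, vault) if vault is not None else mask_pan(digits)
    return CANDIDATE_RE.sub(repl, line)


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> PANs found, for every line that leaks a card number."""
    report = {}
    for i, line in enumerate(lines):
        pans = find_pans(line)
        if pans:
            report[i] = pans
    return report


if __name__ == "__main__":
    for idx, pans in scan_log(SAMPLE_LOG).items():
        print(f"line {idx}: {len(pans)} PAN(s) leaked -> {[mask_pan(p) for p in pans]}")
    vault: Dict[str, str] = {}
    for line in SAMPLE_LOG:
        print(redact_line(line, vault))
```

Running the scan over your real application logs, database exports and backups is the quick way to check the "we do not store card data" claim before filling in the self-assessment questionnaire; the Luhn filter keeps the noise from order and invoice numbers down, although a number that happens to pass Luhn will still be reported and should be reviewed by hand.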

The requirements that merchants should fulfill to comply

Compliance requirements are set by the individual card brands. Here we focus on Visa’s compliance requirements for the different levels:

  • Level 1: Merchants must have an annual Report on Compliance (ROC) completed by a Qualified Security Assessor (QSA), complete a quarterly network scan by an Approved Scanning Vendor (ASV), and file an Attestation of Compliance form.
  • Level 2 and Level 3: Merchants must complete an annual Self-Assessment Questionnaire (SAQ) and a quarterly network scan by an ASV, and also file an Attestation of Compliance form.
  • Level 4: Merchants should complete an annual SAQ; a quarterly network scan by an ASV is optional.

Risks associated with Non-Compliance

PCI DSS helps merchants preserve their reputation, protect their brand, and avoid credit card data breaches. Merchants who do not comply face penalties from the credit card companies, which range from fines to termination of their right to accept credit cards.

It is better to have a secure connection between the customer’s browser and the web server, and to validate that the operators of your eCommerce website are legitimate and legally accountable.

We suggest you get a service like the McAfee PCI Certification Service, which helps you regularly complete your self-assessment questionnaire (SAQ), review quarterly vulnerability scans, launch on-demand scans to retest as needed, and even generate the necessary PCI compliance reports and documentation.

Follow the PCI DSS requirements, and make your customers feel secure...

[We are Connecting Dots, a full service eCommerce solutions company. At Connecting Dots, we help companies build great online businesses, we are Magento implementation partners and build great eCommerce portals]