PCI DSS Compliance: A Guide for E-Commerce Businesses

December 9, 2019
e-commerce

The digital era has unleashed endless possibilities for launching e-commerce businesses. From independent home-based Amazon merchants to large-scale online retail operations, the barriers to entry in the e-commerce space have drastically fallen.

Moreover, it’s never been easier for consumers to buy goods and services online. Shoppers send their credit card numbers and addresses to online retailers constantly, even saving their cardholder data in their web browsers for a seamless e-commerce checkout experience.

However, what happens to cardholder data once a transaction is finished? In this guide, we’ll be discussing what being PCI compliant means for e-commerce businesses today.

With so much sensitive data, like cardholder information, flying around on the internet, it’s no wonder that there are bad actors out there stealing large swaths of cardholder data – even from massive global organizations with well-funded information security operations.

In order to combat credit card fraud resulting from sensitive data leaks like these, the Payment Card Industry Data Security Standard (PCI DSS) was created.

PCI DSS is a set of rules, set up over a decade ago by major stakeholders in the payment card sector, that all organizations that transact with payment cards must follow – including e-commerce companies.

Achieving PCI DSS compliance is an obligatory step that e-commerce companies must take if they want to accept debit or credit cards and grow their business, but it’s only a piece of the puzzle when it comes to securing their customers’ sensitive cardholder data. What happens to sensitive data after e-commerce payment processing is essential to successful PCI compliant security efforts.

Before we get into that, however, let’s go over the basics of PCI compliance and what e-commerce businesses need to do in order to achieve and maintain it.

PCI compliance for e-commerce explained

Payment Card Industry Data Security Standards (PCI DSS) are – to put it simply – rules that businesses must follow if they want to be able to accept credit cards in their payment processing system.

This data security standard is a non-optional set of requirements for all companies that collect, process, store, or send credit card and cardholder data. PCI compliant standards are in place to make sure that all organizations handling credit card information maintain a secure environment to help prevent credit card fraud.

Who is in charge of PCI e-commerce compliance?

So, who crafted this complex data security regulation in the first place?
The group responsible for designing PCI DSS is a consortium of major credit card companies called the Payment Card Industry Security Standards Council (PCI SSC). Formed back in 2006, the PCI SSC is an independent body made up of the main card networks in the US, including MasterCard, Visa, Discover, JCB, and American Express.

The PCI Council itself isn’t responsible for the enforcement of the compliance requirements. The group is, instead, charged with maintaining, evolving, and promoting the PCI compliant data security standards while also providing tools to implement them, like assessment and scanning qualifications, training and education, self-assessment questionnaires, and product certification programs.

As for ensuring that companies are PCI compliant, the individual credit card companies and acquirers are tasked with this responsibility.

It is the consequences these parties can impose for non-compliance that make it absolutely vital that e-commerce organizations become and stay PCI compliant.

Why is e-commerce PCI compliance important?

For e-commerce companies that accept credit cards and fall within the scope of PCI DSS, non-compliance is not an option.

For one thing, being able to process credit cards is crucial for survival as a modern online business – so meeting the requirements to continue accepting these payments is often vital for revenue generation. In other words, becoming PCI compliant is basically mandatory.

But, more importantly, failing to protect your business’ cardholder data environment (CDE) increases your risk of experiencing a data breach, which can be crippling for small-to-medium-sized organizations.

From the 2.15 million credit cards leaked in an attack on restaurant chain Buca di Beppo to the October 2019 data breach reported by department store retailer Macy’s, sensitive cardholder data exposure remains a very present threat that victimizes even massive corporations with well-funded information security programs.

Not only does experiencing a data breach diminish consumer trust in your brand, but it also comes with severe financial penalties.

Failure to be PCI DSS compliant could cost you dearly, particularly if you ever have a breach of payment card or cardholder data. The penalties for non-compliance range from sizable monetary fines to getting your ability to process payment cards revoked – both of which can be detrimental for an early-stage company.

These can be just the tip of the iceberg compared to the total financial harm caused by non-compliance.

And, in the event of a data leak, the financial burden for businesses doesn’t stop at paying a fine. There are several other costly ramifications, including:

  • Paying for costly forensic audits
  • Covering additional penalties from their bank
  • Risking their bank terminating their relationship
  • Receiving a higher per-transaction rate
  • Paying for replacement cards of users affected
  • Potentially being required to move up a compliance level
  • Having to notify all impacted customers, in writing, of the data breach

The mounting costs incurred by not being PCI DSS compliant can add up quickly, and the resulting financial burden can be the death of an e-commerce startup.

That’s why it’s absolutely imperative that early-stage e-commerce businesses sort out their PCI DSS compliance as early as possible.

How do you implement PCI DSS e-commerce compliance?

Achieving PCI DSS compliance typically takes one of two paths: doing it yourself, or using a specialized vendor to help you achieve compliance.

There are some hybrid options, too. BigCommerce PCI compliance is one service of the SaaS platform that can help businesses take care of several steps related to compliance, but the responsibility for certification and liabilities in case of a breach still falls on you.

If you choose to do everything yourself, obtaining PCI compliance involves figuring out where all credit card data flows and is stored, and then following the necessary steps to ensure the security of that information.

This can include audits, penetration testing, and significant engineering work to build and maintain a compliant environment.

By using a specialized vendor to help with PCI compliance, however, you can offload 100% of the effort and liability, without compromising any functionality. Read more about this option below.

As a starting point, a business first needs to figure out which PCI DSS Compliance level their e-commerce operation requires.

What are the e-commerce PCI compliance levels requirements?

Depending on the number of transactions a company processes annually, they will need to reach a different level of PCI compliance.

Both merchants and service providers have their own compliance levels, and since we are focusing on e-commerce businesses here, we’ll focus on the merchant compliance levels.

For merchants, PCI DSS compliance is divided into four levels based on the number of payment card transactions a merchant processes per year, with PCI compliance Level 1 being the most stringent of them all.

PCI Compliance Level 1

  • Merchants that process more than 6 million Visa or Mastercard transactions per year, including in-store, online, or a mixture of both
    - Any merchant that Visa determines should be a Level 1 merchant to minimize risks to the Visa system
  • All Payment Facilitators processing more than 300,000 transactions annually

PCI Compliance Level 2

  • Merchants that process 1 million to 6 million Visa transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)
  • All Payment Facilitators processing less than 300,000 transactions annually

PCI Compliance Level 3

  • Any merchant that processes 20,000 to 1 million Visa e-commerce transactions per year

PCI Compliance Level 4

  • Any merchant that processes fewer than 20,000 Visa e-commerce transactions per year
  • Any merchant that processes up to 1 million Visa transactions per year (regardless of the processing channel, e.g., in-store, online, etc.)

Once you understand which level of PCI compliance your business will need to attain, you can move forward completing the necessary steps to do so.

Our checklist for PCI compliance for e-commerce companies

In order to become fully compliant, companies’ compliance teams need to tackle a long list of tasks.

PCI DSS compliance controls are made up of these six goals, which we refer to as the six “building blocks” of the data security systems. Inside these six goals are 12 requirements:

[Figure: the six PCI DSS goals and their 12 requirements]

Upon first glance, the list of these 12 requirements doesn’t seem too extensive – just a checklist of tasks that must be completed to achieve PCI compliance. From access control to managing a full data environment and your payment gateway, it’s easy to get overwhelmed.

In reality, however, the current version of PCI DSS (Version 3.2.1) covers a whopping 252 sub-requirements within those 12 requirements. The process of painstakingly navigating each and every one of these measures is costly and wildly time-consuming, often requiring the addition of new team members with expertise in compliance.

The steps toward achieving PCI compliance using the do-it-yourself (DIY) approach include:

  • Understanding the flow and lifecycle of cardholder data within your company, systems, and third-party vendors
  • Mapping out the scope and inventory of the relevant parts of your system, including data flows, system architecture, public networks, business process assessment, architecture assessment, etc.
  • Defining who has access to cardholder data. This includes examining roles and access control for personnel and vendors that touch credit card data or the CDE, including those who have physical access to the information
  • Securing any part of your system that’s exposed to cardholder data, such as the public network, then providing documentary evidence of how you secured and maintained these systems – e.g., the Self-Assessment Questionnaire (SAQ), Report on Compliance (ROC), or Attestation of Compliance (AOC)
  • Executing a vulnerability management program
  • Performing an external security audit to verify the points of access to cardholder data

Completing all the above steps using the DIY approach can take six to twelve months – or longer – for PCI Level 1.
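The first two steps above, understanding where cardholder data flows and mapping which systems are therefore in scope, usually start with a discovery scan of logs, exports, and databases. The following Python example is added here for illustration; it is not code from the original post or from VGS. The sample log lines and CSV export are constructed for the example and use well-known test card numbers; the report deliberately keeps only the first six and last four digits, so the scan output itself does not become cardholder data.

```python
import re
from typing import Dict, List, NamedTuple

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# and not embedded in a longer digit run (so 20-digit tracking numbers are skipped).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test: filters out order IDs and other digit strings
    that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Finding(NamedTuple):
    source: str    # which system or file the PAN was found in
    line_no: int
    masked: str    # first six and last four only, so the report stays out of scope


def mask(digits: str) -> str:
    """PCI-style display masking: keep at most the first six and last four."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(source: str, text: str) -> List[Finding]:
    """Find Luhn-valid PANs in free text and report them masked."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append(Finding(source, line_no, mask(digits)))
    return findings


def scope_inventory(sources: Dict[str, str]) -> Dict[str, int]:
    """Map each named source to the number of PANs found in it.
    Any non-zero entry is a system that is in PCI DSS scope."""
    return {name: len(scan_text(name, text)) for name, text in sources.items()}


# Constructed sample data for the example (test card numbers, not real accounts).
SAMPLE_SOURCES = {
    "app.log": (
        "2019-12-09T10:14:02Z checkout order=8827 pan=4111111111111111 amount=49.99\n"
        "2019-12-09T10:14:07Z support note: card read as 5555 5555 5555 4444 over phone\n"
        "2019-12-09T10:15:11Z order_ref=4111111111111112 status=shipped\n"
    ),
    "shipping.csv": "8827,12345678901234567890,ups\n8828,12345678901234567891,fedex\n",
}

if __name__ == "__main__":
    for finding in scan_text("app.log", SAMPLE_SOURCES["app.log"]):
        print(finding)
    print(scope_inventory(SAMPLE_SOURCES))
```

Running it flags the checkout log line and the support note (a PAN typed into free text is a common way an otherwise out-of-scope system ends up in scope), while the Luhn-invalid `order_ref` and the 20-digit tracking numbers are ignored, so the shipping export stays out of scope.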

Thankfully, there’s a way for businesses to outsource their PCI compliance burden and keep sensitive customer data off their databases – speeding up the timeline to obtaining PCI Level 1 compliance to as quickly as three weeks.

Offload your e-commerce compliance concerns

By working with a trusted information security partner, like VGS, e-commerce businesses can free themselves of their PCI compliance worries almost entirely.

VGS’ Zero Data solutions are quickly implementable and capable of bringing your business to instant compliance for PCI Level 2 and 3 – ‘inheriting’ our advanced security posture almost immediately.


For Level 1 compliance, which is designated for merchants processing more than 6 million transactions per year, it only takes about three weeks (compared to 6-12 months with the DIY approach).

Using its unique data aliasing approach, VGS’ security platform redacts and replaces sensitive customer data with a synthetic data alias in real time, ensuring the information is never at risk in its original format.

VGS users can still handle and analyze all sensitive customer data as they did before, but without having to possess it themselves on their own databases – freeing much of their systems from PCI compliance scope.
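To make the aliasing idea concrete, here is an added Python sketch written for this page; it is not VGS’s platform or API, whose internals are not shown here. The PAN goes into a vault at the checkout boundary, the merchant application only ever stores an alias, and the PAN leaves the vault solely on the path to the payment processor. The `AliasVault`, `process_checkout`, `contains_pan` and `charge_via_vault` names, the `tok_…` alias format, and the sample checkout form are all assumptions made for the example; a real vault would keep the PANs encrypted and access-logged rather than in a plain dictionary.

```python
import secrets
from typing import Dict


class AliasVault:
    """Holds the only copy of each PAN and hands merchant systems an alias.

    Hypothetical vault for illustration; the in-memory dicts stand in for an
    encrypted, access-logged store.
    """

    def __init__(self) -> None:
        self._pan_by_alias: Dict[str, str] = {}
        self._alias_by_pan: Dict[str, str] = {}

    @staticmethod
    def _normalize(pan: str) -> str:
        digits = pan.replace(" ", "").replace("-", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit()):
            raise ValueError("not a plausible PAN")
        return digits

    def alias(self, pan: str) -> str:
        """Return a stable alias for `pan`, creating one on first sight."""
        digits = self._normalize(pan)
        existing = self._alias_by_pan.get(digits)
        if existing:
            return existing  # same card -> same alias, so repeat-customer analytics still work
        # The alias is deliberately non-numeric so no downstream system can
        # mistake it for a card number; the last four digits are kept for display.
        alias = f"tok_{secrets.token_hex(8)}_{digits[-4:]}"
        self._pan_by_alias[alias] = digits
        self._alias_by_pan[digits] = alias
        return alias

    def reveal(self, alias: str) -> str:
        """Only the vault-to-processor path calls this; merchant code never does."""
        return self._pan_by_alias[alias]


def process_checkout(vault: AliasVault, form: dict) -> dict:
    """Merchant-side handler: the PAN is aliased at the boundary and the
    stored order record never contains it."""
    alias = vault.alias(form["card_number"])
    return {
        "order_id": form["order_id"],
        "amount": form["amount"],
        "card_alias": alias,
        "card_last4": alias[-4:],
    }


def contains_pan(record: dict, pan: str) -> bool:
    """Scope check: does any stored value still hold the raw PAN?"""
    digits = pan.replace(" ", "").replace("-", "")
    return any(digits in str(v).replace(" ", "").replace("-", "") for v in record.values())


def charge_via_vault(vault: AliasVault, order: dict) -> dict:
    """Simulated processor call: the vault swaps the alias for the PAN on the
    way out, so the PAN exists only between the vault and the processor."""
    pan = vault.reveal(order["card_alias"])
    # Stand-in for the processor request; only a masked value comes back to the merchant.
    return {"status": "approved", "amount": order["amount"], "masked": "*" * (len(pan) - 4) + pan[-4:]}


# Constructed sample checkout form (test card number, not a real account).
SAMPLE_FORM = {"order_id": "8827", "amount": "49.99", "card_number": "4111 1111 1111 1111"}

if __name__ == "__main__":
    vault = AliasVault()
    order = process_checkout(vault, SAMPLE_FORM)
    print("raw form in scope:", contains_pan(SAMPLE_FORM, SAMPLE_FORM["card_number"]))
    print("stored order in scope:", contains_pan(order, SAMPLE_FORM["card_number"]))
    print(charge_via_vault(vault, order))
```

The `contains_pan` check is the point of the exercise: it is true for the raw checkout form and false for the order record the merchant actually persists, which is what takes that database out of PCI DSS scope while the merchant can still charge, refund, and count repeat customers by alias.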

Moreover, by implementing the VGS Zero Data security platform, companies can skip most of the steps involved in embarking on the PCI compliance journey via the DIY route. Outsourcing your compliance obligations means your team members can spend their time focusing on more important goals, like continuing to develop your core business and improve your products.

Click here to get a free demo and see how data aliasing can fast-track your PCI compliance voyage.

Stefan Slattery, Product Marketing Lead
