Did you know that 27 percent of consumers don’t shop online due to fears their personal information might be stolen? Or that 65 percent of consumers who have had information compromised due to online shopping will no longer shop online or return to the site their information was compromised? These alarming statistics are based on a survey conducted by SiteLock in Q4 2017, in which 1,017 consumers were asked to assess their views on online shopping. These survey results illustrate that consumers are reluctant to shop online out of concern their personal information is not being protected from eCommerce stores.

As an eCommerce owner, are you doing enough to address and overcome your customers’ fears? If not, don’t worry – we’ll explain how you can protect your customers by using PCI compliance. We’ll also make sure you understand the ins and outs of PCI compliance, the steps to get started, and the penalties for not meeting PCI standards.

What is the definition of PCI Compliance?

The term ‘PCI Compliance’ is short for Payment Card Industry (PCI) Data Security Standard (DSS). It is also referenced as PCI DSS.

PCI Compliance was established in 2006 to help protect businesses from credit card fraud. It was established by five of the largest major payment brands (Visa, Mastercard, American Express, Discover and JCB) in an effort to increase control over where cardholder data is stored, processed or transmitted for websites that take payment online.

What does PCI Compliance mean in simple terms?

In short, PCI compliance is a set of security standards used to help protect consumers’ credit card data whenever they make a purchase online.

Who Needs to be PCI Compliant?

Any individual or business that stores, processes or transmits payment card information needs to be PCI compliant. This includes small businesses, companies that only take payments over the phone, and even companies that use a third-party payment processing system, like PayPal. We’ll help answer your questions related to this criteria below. 

Is PCI Compliance required by law?

While PCI compliance is not a federal law in the United States, it is strongly enforced by the major card brands listed above. It applies to all individuals, businesses or organizations that accept, transmit or store cardholder data.

Becoming PCI compliant can be a very time consuming and complicated process. In addition, maintaining compliance can be even more challenging. There are quarterly and annual assessments organizations need to complete on an ongoing basis to maintain compliance. However, 80% of companies fail their interim PCI compliance assessment, which is the assessment organizations need to perform in between their annual assessments. This is primarily due to the extensive questionnaire individuals need to complete to get started, as well as the ongoing validation process. As a result, many businesses that should be PCI compliant are not. Those who do not to follow PCI DSS requirements might be subject to very expensive fines that could result in bankruptcy.

What happens if I don’t become PCI compliant?

If you don’t comply with PCI DSS, you may be subject to penalties and hefty fines. The five payment brands will fine banks between $5,000 and $100,000 per month until PCI compliance standards are met. More often than not, the fined bank will pass this fine to the merchant, terminate your relationship with the bank, or increase the fee. Fees this large can be devastating to a small business and might even result in the website owner going out of business.

How is cardholder data defined?

According to the PCI Security Standards Council (CSS), cardholder data consists of the full primary account number (PAN), plus any of the following: cardholder name, expiration date and/or security code. The security code is the three or four digit number on the back of the credit card.

What if I operate a small business and only accept a few credit card payments a year?

Regardless of whether you are a small, one-person business or a large enterprise, if you accept, store and transmit cardholder data, then you need to be PCI compliant. The same holds true for whether you collect $20 in payment per year or $20,000,000 –  meeting PCI compliance standards is a must.

Additionally, don’t assume you are too small to be hacked. In fact, 50 percent of all small businesses have experienced a breach.

Are eCommerce websites the only ones that need to be PCI Compliant?

While it’s true that eCommerce stores need to be PCI compliant, they are not the only businesses that need to comply with PCI standards. PCI DSS applies to any and all websites that store, processes or transmit cardholder information. Even if you do not “sell” anything online, your business might still be required to follow PCI DSS requirements. For example, in order to start a free trial with Netflix, individuals are required input their payment information as part of the trial process. While the customer is not being charged during the free trial period, Netflix is storing their payment information, and therefore needs to protect that data via PCI compliance. Another example is a doctor’s office that allows their patients to pay for their visit online through a payment portal. Although these doctors aren’t necessarily “selling” anything online to their patients, they are still expected to protect their patients’ financial information.

If I only accept credit cards over the phone, do I need to be PCI Compliant?

 Regardless of if you store information via your website database or elsewhere, all business that store, process or transmit payment data must meet PCI standards.

If I outsource my credit card processing, do I need to be PCI Compliant?

If you use third-party processors, like PayPal, to collect credit card information, then you still need to comply with PCI DSS standards. For example, if your business receives charge-back and refund information, it is important to make sure this information is being protected. 

If my hosting provider is PCI compliant, does that make me PCI compliant?

In short, the answer is no. As an eCommerce or website owner, you are ultimately responsible for the security of your website, which includes meeting PCI compliance standards. Your host does not automatically provide you PCI Compliance. In fact, most shared hosting environments are not PCI Compliant.

The average website experiences 63 attacks per day on average. With this in mind, it is important to understand the differences between the security your web host offers versus the security you’re responsible for. Your web host ensures that your website is being hosted in a secure server; however they are not responsible for protecting your website from cyber threats, or ensuring you are PCI compliant.

 How do I get started with the PCI Compliance process?

First you will start by identifying the self-assessment questionnaire you are required to complete. The self-assessment you complete will depend on your business and how you accept payment online. For example, eCommerce merchants who outsource payment processing will complete a different questionnaire than merchants who take payment over the phone.

What do I do after I identify the correct PCI DSS Self-Assessment Questionnaire?

Once you’ve identified the correct self-assessment questionnaire, it is time to complete your questionnaire. It’s important to keep in mind that the questionnaire is 280 questions and may take several hours to complete. However, there are companies that specialize in making the PCI Compliance questionnaire process as easy as possible by providing a simplified questionnaire. These companies will use logic to pre-populate responses for you by section, which may save you a significant amount of time. In fact, depending on the type of questionnaire you’re completing and the company you’re getting help from, you may only need to answer 20 percent of the 280 questions.

Additionally, the application asks a series of business process, policy, and technical questions about your existing credit card security practices. If you need to make changes to your existing policies or need new policies, some security companies will customize a policy for you that you can download instantly.

What do I do after I complete the Self-Assessment Questionnaire?

Once you complete the questionnaire, then an initial and quarterly vulnerability scan by an approved PCI SSC scanning vendor may be required to maintain compliance. This vulnerability scan will check for any potential security weaknesses in your website and hosting server configuration.  As we mentioned prior, 80% of companies fail their interim PCI compliance assessment, which is the assessment organizations need to perform in between their annual assessments. This confirms the importance of the vulnerability scan to help companies achieve and maintain compliance.

According to pcicomplianceguide.org, if you qualify for any of the following SAQs under version 3.x of the PCI DSS, then you are required to pass a vulnerability scan:

  • SAQ A-EP
  • SAQ B-IP
  • SAQ C
  • SAQ D-Merchant
  • SAQ D-Service Provider 

What is a vulnerability scan?

A vulnerability scan, also referred to as a website scan, is designed to complete a comprehensive scan of your website to identify vulnerabilities. A website vulnerability is a weakness or misconfiguration in a website or web application code that allows a cybercriminal to gain some level of control of your site. When vulnerabilities are exploited, cybercriminals can infect the website with malware. Malware, short for malicious software, can be used to harm your website and your website visitors, like steal your customers’ information or unknowingly redirect them to a malicious website.

How often do I need a vulnerability scan to meet PCI compliance standards?

If you are required to complete a vulnerability scan, then you will need to make sure you complete a scan every 90 days, or once per quarter. For the sake of convenience, it’s recommended you work with a company that can both help you complete your questionnaire and scan your website each quarter to ensure you are regularly complying with all standards.

As an additional security best practice, it’s best to scan your website on a daily basis to help identify vulnerabilities and malware as soon as they hit your website. This way, you never have to worry about whether or not you’re going to meet compliance standards each quarter. This will also ensure your website, visitors, and visitors’ payment information is protected from malicious cyber activity each and every day.

Fortunately for eCommerce owners, the consumer shopping survey conducted by SiteLock, referenced in the beginning of this article, found that 52 percent of respondents believe a secure payment network gives them more confident to shop online. This customer confidence can be achieved through the use of PCI compliance.

As an eCommerce website owner, it is your responsibility to ensure a safe shopping experience for your customers. SiteLock can help you become PCI Compliant fast by providing a simplified self-assessment questionnaire. Not only that, but your website can be scanned for vulnerabilities the very same day. Call the SiteLock security experts today at 855-378-6200.