PCI DSS: Do I have to be compliant?
Trust is an integral part of any eCommerce store. By showing customers you’re reliable and dependable, you’re more likely to win (and keep) their business.
This trust also extends to the credit and debit card data you manage on behalf of shoppers. By handling it responsibly and storing it securely, your customers will be more willing to buy from your store.
The Payment Card Industry Data Security Standards (PCI DSS) were created to protect this sensitive personal information. However, according to research by Statista, only 21% of people know what the standards are about, and 58% have never even heard of them.
If you’re a new eCommerce merchant or have heard of PCI DSS but want to know more, we’ve put this guide together to help you become (and stay) compliant.
- What is PCI DSS?
- Is PCI DSS the same as GDPR?
- Do I need to be PCI DSS compliant?
- Who decides which PCI DSS level I’m at?
- What are the requirements of PCI DSS?
- Are there any costs involved in meeting PCI DSS requirements?
- What happens if I’m not PCI DSS compliant?
- My payment platform handles all my cardholder data – does this mean I don’t need to worry about PCI DSS?
- How often do I need to renew my PCI DSS compliance?
- In summary: PCI DSS shouldn’t be scary
What is PCI DSS?
PCI DSS was developed in 2004 to protect sensitive cardholder data, like account numbers, security codes, and cardholder names.
Before then, the five major card brands (Visa, Mastercard, American Express, Discover, and JCB) all had their own security programs. They agreed to a unified standard to make things easier for merchants and customers.
PCI DSS is an international standard, meaning that it applies to eCommerce vendors all over the world.
Is PCI DSS the same as GDPR?
No, but the two are very similar. Both regulations are designed to protect customer data and ensure that the right security measures are in place.
The key differences are:
- GDPR applies to just the EU and UK, while PCI DSS is international
- PCI DSS focuses on cardholder data, while GDPR extends to all personal and sensitive data. For example, personal email addresses are protected under GDPR, but not PCI DSS
- PCI DSS isn’t a law, while GDPR is
Do I need to be PCI DSS compliant?
If you run an eCommerce store and process card data, you must be PCI DSS compliant. The level of compliance you need depends on how many card transactions you manage a year – this includes online and offline transactions. There are four general levels:
- Level 1: Merchants that process over 6 million card transactions a year
- Level 2: Merchants that process 1 to 6 million card transactions a year
- Level 3: Merchants that process 20,000 to 1 million card transactions a year
- Level 4: Merchants that process fewer than 20,000 transactions a year
An eCommerce store at Level 1 must comply with higher standards than one at Level 4.
For example, a Level 1 merchant may need to undergo an on-site security audit, conduct penetration testing, and provide a report detailing how they keep customer details safe. In contrast, a Level 4 merchant may only have to complete a self-assessment questionnaire, known as an SAQ.
Who decides which PCI DSS level I’m at?
This is typically determined by your payment platform or acquiring bank. By acquiring bank, we mean a bank that processes card payments on your behalf.
It’s important to remember that other factors can also play a part in the level your business is placed on. For example, if you were recently the victim of a cyberattack, you may be temporarily placed on a higher level.
Some payment platforms or acquiring banks may also have slightly different criteria in place. We always recommend speaking to them to check what these criteria are.
What are the requirements of PCI DSS?
There are 12 requirements that businesses must adhere to in order to comply with PCI DSS:
- Install and maintain a firewall configuration to protect cardholder data.
A firewall is a network security device that protects your system from unauthorised access.
- Do not use vendor-supplied defaults for system passwords and security programs.
Keeping the default passwords increases the risk of cybercriminals accessing your system. Make sure all the passwords you use are unique, don’t contain personal information, and are hard to guess.
- Protect stored cardholder data.
Encrypt data, only keep what you need, and have solid data retention and disposal policies in place.
- Encrypt the transmission of cardholder data across open, public networks.
Encrypting cardholder data means that even if someone else intercepts it, they cannot decipher it.
- Use and regularly update anti-virus software and programs.
Updated anti-virus software is the best line of defence against viruses, malware, and ransomware.
- Develop and maintain secure systems and applications.
You can do this by keeping your systems and applications updated, regularly monitoring access, and carrying out risk assessments to identify vulnerabilities.
- Restrict access to cardholder data on a ‘need-to-know’ basis.
Not everyone in your business will need access to cardholder data, so limit it to the relevant people.
- Assign a unique ID to everyone with computer access.
This ensures everyone has access to the right level of data, and any breach can be traced to the user involved.
- Restrict physical access to cardholder data.
This includes password-protected terminals, door controls, and CCTV.
- Track and monitor all access to networks and cardholder data.
This ensures accountability and allows you to spot and investigate suspicious activity.
- Regularly test security systems and processes.
Testing systems and procedures regularly means you can identify and fix any vulnerabilities before they become major issues.
- Maintain an information security policy.
This shows staff, customers, and third parties what you are doing to keep data safe.
You can validate these requirements in different ways, depending on your level. Lower-level eCommerce stores can complete an SAQ, while higher-level eCommerce stores may need to be audited by an external assessor.
(Note: These standards were last updated in March 2022. You can view the current documentation on the PCI website.)
Are there any costs involved in meeting PCI DSS requirements?
It depends on what you need to do to become compliant. For example, you may need to pay for anti-virus software, staff training, or an SSL certificate for your website.
If you are on a higher level, you may also need to pay assessment fees to show your compliance.
What happens if I’m not PCI DSS compliant?
There isn’t a specific law that requires eCommerce businesses to be PCI DSS compliant.
However, if you’re responsible for a data breach and you’re found not to have complied with the standards, this can be held against you in a court of law.
Some acquiring banks may also fine businesses for non-compliance with PCI DSS standards.
While PCI DSS isn’t a legal requirement, some countries and US states may have their own laws regarding how credit card data is handled. For example, Minnesota has a law specifying that some types of payment card data can’t be retained for more than 48 hours after a transaction is complete.
My payment platform handles all my cardholder data – does this mean I don’t need to worry about PCI DSS?
Using a payment platform like Stripe or PayPal can simplify PCI DSS compliance.
However, it doesn’t mean that you don’t need to do anything else. You’re still responsible for making sure your systems, network, and third-party applications are secure.
Your payment provider may ask you to complete an SAQ to prove that you comply with PCI DSS standards before they work with you.
Think of PCI DSS compliance as an extra safeguard against cyberattacks and data breaches. The more secure your business is, the less likely you are to be affected. This means happier customers, less time spent putting things right, and a reduced risk of negative publicity.
How often do I need to renew my PCI DSS compliance?
PCI DSS compliance is always ongoing, so that your business and eCommerce store remain safe and secure at all times.
However, the payment platforms and acquiring banks you work with may request periodic updates. For example, your acquiring bank could ask you to submit a revised SAQ yearly or agree to quarterly vulnerability scans.
In summary: PCI DSS shouldn’t be scary
PCI DSS is one of those regulations that looks a lot scarier than it is.
The good news is that if you are a small or medium-sized merchant, most of what you need to do is common sense. Regularly check your systems, make sure all your staff have unique, hard-to-guess passwords, and make sure you have an active SSL certificate.
Your payment provider or acquiring bank will be more than happy to offer advice and tell you what you need to do to stay compliant.
And, of course, if you need a little extra help making sure your eCommerce store and digital infrastructure are secure, get in touch for a chat with our expert team.