eCommerce Basics: What is PCI Compliance?


In 2004, the card schemes, including Mastercard and Visa, introduced PCI DSS (the standard has been maintained by the PCI Security Standards Council since 2006). Everyone who accepts card payments must comply with it, because its rules help protect your business and your customers' sensitive information from cybercrime.

What is PCI compliance?

PCI compliance refers to meeting the data security standards set out in the Payment Card Industry Data Security Standard (PCI DSS). These standards exist to ensure that your customers' card data is handled safely and securely, reducing the chance of it being stolen or misused by fraudsters. Compliance is required by the card schemes, who place your business into one of four levels, based mainly on the number of card transactions you process annually; the level determines how you must validate your compliance, not which requirements apply.

What are the levels of PCI compliance?

The four merchant levels are based on how many transactions you process. The thresholds below are the Visa definitions and are counted per card brand; Mastercard's thresholds are similar:

  • Level 1: Over 6 million card transactions annually, or any merchant the card scheme places at Level 1 at its discretion (typically after a data breach).
  • Level 2: 1 to 6 million transactions annually.
  • Level 3: 20,000 to 1 million eCommerce transactions annually.
  • Level 4: Fewer than 20,000 eCommerce transactions annually (and any other merchant processing up to 1 million transactions annually).

Depending on your level, the way in which you approach PCI compliance can vary.

What is a Network Vulnerability Scan?

A network (external) vulnerability scan checks the internet-facing systems that are in scope for your cardholder data environment, such as your website and payment processing system, for known vulnerabilities: unpatched software, weak TLS configuration, exposed administrative services and similar weaknesses. It is not a malware or anti-virus scan. PCI DSS requires the scan to be run at least quarterly by an Approved Scanning Vendor (ASV), and the ASV will scan every public IP address and domain you declare as in scope, so an accurate inventory of externally reachable addresses matters as much as the scan itself.

You will also need to rescan any time you make a significant change to your network. If you have just updated your firewalls, installed new hardware or fixed previously reported vulnerabilities, a new scan is required, and a failed quarterly scan must be fixed and rescanned until it passes.

What is a Self-Assessment Questionnaire (SAQ)?

Self-Assessment Questionnaires (SAQs) are validation tools intended to help you evaluate your own compliance with the PCI DSS. Which SAQ you complete depends on how much of the payment flow your systems touch. As an eCommerce merchant, you will usually complete one of the following:

  • SAQ A: Card-not-present merchants that outsource all cardholder data functions to PCI DSS compliant third parties, for example where the payment page is a full redirect to, or an iframe served entirely by, the payment provider, so no card data ever touches the merchant's servers or scripts.
  • SAQ A-EP: eCommerce merchants that outsource their payment processing and have a website that does not itself receive cardholder data but can still affect the security of the transaction, for example where the merchant's own page builds the payment form or posts card data directly to the provider (direct post or JavaScript-based integrations). SAQ A-EP carries many more requirements than SAQ A, including quarterly ASV scans.
  • SAQ D: For merchants not covered by the SAQ types above, including any merchant that stores, processes or transmits cardholder data on its own systems.

If you are a Level 1 merchant, self-assessment is not enough: you must undergo an annual on-site assessment performed by a Qualified Security Assessor (QSA) or an Internal Security Assessor (ISA), who evaluates your environment against every PCI DSS requirement and produces a Report on Compliance (RoC) and an Attestation of Compliance (AoC).

Your questionnaire (or RoC) must be renewed every year, and your acquirer or payment provider may charge you a PCI non-compliance fee if it lapses.

What is required for PCI compliance?

Under PCI DSS, any company that processes, stores or transmits card information must maintain a secure environment. The standard is organised into six goals (control objectives), each containing one or more of the twelve requirements.

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for employees and contractors

This is the wording used by earlier versions of the standard. PCI DSS v4.0 (published March 2022) keeps the same six goals and twelve requirements but rewords several of them (requirement 5 now covers protection against all malicious software, and requirement 8 is about identifying users and authenticating access), so check which version your SAQ is based on.
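Requirement 3 is the one that bites eCommerce merchants most often in practice: card numbers and CVV codes leak into application logs, crash dumps and support tickets, which puts those systems in scope and, for the CVV, breaches the rule that sensitive authentication data must never be stored after authorisation. The example below is added here and is not code from the original page or from Pixxles. It implements a Luhn check, masks a PAN to the "first six / last four" digits that PCI DSS allows on display, and runs a detector and redactor over a few constructed log lines (the card numbers are public test numbers, not real cards). The log format and the key names it looks for (`pan=`, `cvv=`) are assumptions for the illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits. The Luhn check below removes most
# false positives such as order numbers and timestamps.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (SAD) written as key=value, e.g. "cvv=123".
# The key names are an assumption about the log format; SAD must never be kept
# after authorisation, so the value is removed rather than masked.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six / last four, the most PCI DSS permits on display."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_pan(candidate: str) -> bool:
    digits = re.sub(r"\D", "", candidate)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def scan_text(text: str) -> list:
    """Return (line_number, kind, matched_text) for every PAN or SAD value found."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            if _is_pan(m.group(0)):
                findings.append((n, "PAN", m.group(0)))
        for m in SAD_RE.finditer(line):
            findings.append((n, "SAD", m.group(0)))
    return findings


def redact_text(text: str) -> str:
    """Mask PANs and strip SAD values so the text is safe to keep in a log store."""
    def _mask(m):
        return mask_pan(m.group(0)) if _is_pan(m.group(0)) else m.group(0)
    masked = PAN_RE.sub(_mask, text)
    return SAD_RE.sub(lambda m: m.group(1) + "=[REDACTED]", masked)


# Constructed sample log lines (not real data). 4111... and 5555... are public
# test card numbers; 1234567890123 is a 13-digit order id that fails Luhn.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z INFO  checkout order=1234567890123 amount=49.99
2024-05-01T10:00:01Z DEBUG gateway request pan=4111111111111111 exp=12/26 cvv=123
2024-05-01T10:00:02Z DEBUG retry pan=4111 1111 1111 1111
2024-05-01T10:00:03Z INFO  refund ref=5555555555554444 amount=12.00
"""

if __name__ == "__main__":
    for line_no, kind, hit in scan_text(SAMPLE_LOG):
        print(f"line {line_no}: {kind} found: {hit}")
    print(redact_text(SAMPLE_LOG))
```

Run this against an export of your application logs before an assessment: any `PAN` hit means the log store is holding cardholder data and is in scope, and any `SAD` hit is a finding you must fix at the source (stop logging the field), not just redact after the fact. The Luhn filter keeps the order id on line 1 out of the findings while still catching the space-separated card number on line 3.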

What happens if you’re not PCI compliant?

If a data breach occurs and your business is not PCI compliant, you could face serious fines, ranging from £4,000 to £80,000, passed on to you by your acquirer or payment provider. A breach also normally means paying for a forensic investigation, covering the card schemes' costs of reissuing cards, and being moved to Level 1, with its annual QSA assessment, regardless of your transaction volume.

Some payment providers will have tools and processes in place to protect you from non-compliance issues. Pixxles has an in-house Compliance team that will perform a Website Compliance Review to make sure you are compliant with any relevant Card Scheme regulations. We’ll help you fix anything we think might cause problems before you even begin accepting payments with Pixxles. We’ll also check your site regularly afterwards to help keep you off the compliance naughty step.

By making sure you’re compliant, your customer data will be safer, their trust will be intact and you won’t find yourself waking up to any eye-watering fees.

Want to know more?

For more tips on growing your ecommerce business, search #PixxlesPowerUps. Watch our ecommerce video guides here or visit our resources page to read more helpful blogs.