Do you need to be PCI compliant if you’re selling online?
That’s a question we hear a lot. And the answer depends on a few factors.
First of all…
Do you sell by credit (or debit) cards in your online business?
If so, then yes. You need to be PCI compliant. Always.
But what that means in practice differs from merchant to merchant.
But first…
What is PCI? Or PCI SSC or PCI DSS?
According to Wikipedia:
“On September 7, 2006, American Express, Discover Financial Services, Japan Credit Bureau, MasterCard Worldwide and Visa International formed the Payment Card Industry Security Standards Council (PCI SSC) security council with the goal of managing the ongoing evolution of the Payment Card Industry Data Security Standard. The council itself claims to be independent of the various card vendors that make up the council.”
Or according to the official website of PCI Security Standards Council:
“The mission of the PCI Security Standards Council is to enhance payment account security by creating and maintaining PCI Security Standards, as well fostering the education and awareness of these security standards.”
How do you find out what you need to do to be PCI compliant?
It depends on your business model, on how you process payments, on how many transactions you handle per year (your acquirer uses that volume to assign you a merchant level), and so on.
I would suggest answering a few questions first:
- Do you sell online by credit cards? If no, you don't need to worry about PCI DSS. If yes, go to the next question.
- How do you process your payments? Do you redirect your customers to a dedicated payment form hosted by your PSP? Then, in most cases, your obligations are the lightest, because card data never touches your systems (typically this means the short SAQ A). Or do you accept payments on your own website (via API)?
- What does your integration with the PSP look like? Do you use something like PayLane.js, where the card details go from the customer's browser straight to the PSP? Becoming PCI compliant will be much, much easier then, because your server never handles the card details at any point. Or do you handle the card details yourself? If so, what do you do with them: transmit them to the PSP, store them, process them? Each of those brings the systems involved into PCI DSS scope, and anything that stores card numbers (including logs and databases) is the hardest to keep compliant.
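The last question is easiest to answer with a check rather than a guess. Below is an added example, written for this article and not part of PayLane's code or of PayLane.js: a small Node.js "scope guard" for a merchant checkout endpoint that is supposed to receive only a PSP-issued token. It rejects any request that carries a raw card number (a Luhn-valid run of 13 to 19 digits) anywhere in the payload, and the same detector can be run over log lines to confirm card numbers are not leaking into logs. The field name `card_token`, the sample requests and the log lines are all constructed for the example; the card number used is the well-known Visa test number, which passes Luhn but is not a real account.

```javascript
// Added example (not PayLane's own code): a server-side "scope guard" that
// checks a checkout payload and log lines for raw card numbers (PANs).
// Assumptions: the PSP token arrives in a field called `card_token`, and
// the sample payloads/log lines below are constructed, not real traffic.

// Luhn check over a string of digits (the mod-10 checksum all card numbers pass).
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns every run of 13-19 digits (spaces or dashes allowed between groups)
// in `text` that passes the Luhn check. Luhn filters out most order numbers
// and timestamps, but not all of them, so treat a hit as "inspect", not "proof".
function findPanCandidates(text) {
  const re = /(?:\d[ -]?){12,18}\d/g;
  const hits = [];
  for (const m of String(text).matchAll(re)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits);
    }
  }
  return hits;
}

// Walks a JSON-like payload (nested objects and arrays) and returns the dotted
// paths of every field whose value contains a PAN candidate.
function findPanPaths(value, path = "") {
  const found = [];
  if (value === null || value === undefined) return found;
  if (typeof value === "string" || typeof value === "number") {
    if (findPanCandidates(String(value)).length > 0) found.push(path || "$");
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => found.push(...findPanPaths(v, `${path}[${i}]`)));
  } else if (typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      found.push(...findPanPaths(v, path ? `${path}.${k}` : k));
    }
  }
  return found;
}

// Checkout handler logic: accept a PSP token, refuse raw card data.
// Returns { ok, reason }; the reason names the offending field paths only,
// never the offending value, so it is safe to log.
function checkCheckoutPayload(payload) {
  const tainted = findPanPaths(payload);
  if (tainted.length > 0) {
    return { ok: false, reason: `card data in fields: ${tainted.join(", ")}` };
  }
  if (typeof payload.card_token !== "string" || payload.card_token.length === 0) {
    return { ok: false, reason: "missing card_token" };
  }
  return { ok: true, reason: "" };
}

// Runs the detector over log lines; returns the 1-based line numbers with hits.
function scanLogLines(lines) {
  return lines
    .map((line, i) => ({ line: i + 1, hits: findPanCandidates(line) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed sample requests (not real traffic).
const tokenizedRequest = {
  order_id: "A-2024-000123",
  amount: "49.99",
  currency: "EUR",
  card_token: "tok_3f9a1c7e5b2d", // opaque token from the PSP's JS library
};

const rawCardRequest = {
  order_id: "A-2024-000124",
  amount: "49.99",
  currency: "EUR",
  card: { number: "4111 1111 1111 1111", exp: "12/30", cvv: "123" },
};

// Constructed log lines: the second one would drag the log server into scope.
const logLines = [
  "POST /checkout order=A-2024-000123 token=tok_3f9a1c7e5b2d status=200",
  "POST /checkout order=A-2024-000124 card=4111111111111111 status=400",
  "GET /invoice/1234567890123 status=200",
];

console.log(checkCheckoutPayload(tokenizedRequest)); // { ok: true, reason: '' }
console.log(checkCheckoutPayload(rawCardRequest));   // { ok: false, reason: 'card data in fields: card.number' }
console.log(scanLogLines(logLines));                 // [ { line: 2, hits: [ '4111111111111111' ] } ]
```

Wiring this in front of the real handler (and into a log-shipping pipeline) gives you evidence, not just a belief, that your server is one of the "never touches card data" integrations. The same check is worth running over database dumps and backups before you answer the SAQ question about storage.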
What are the requirements that have to be met to be in compliance with the PCI DSS?
According to the official website of the PCI Security Standards Council:
“The PCI Data Security Standard is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. The PCI Data Security Standard is comprised of 12 general requirements designed to: Build and maintain a secure network; Protect cardholder data; Ensure the maintenance of vulnerability management programs; Implement strong access control measures; Regularly monitor and test networks; and Ensure the maintenance of information security policies.”
In practice, demonstrating compliance takes one of two forms:
- An SAQ (one of the PCI DSS self-assessment questionnaires)
- The full procedure: an on-site assessment by a Qualified Security Assessor (QSA), a Report on Compliance (ROC), an Attestation of Compliance, and so on
For most online businesses an SAQ is enough. That's a questionnaire you complete and share with your PSP or your acquiring bank. It consists of a series of yes-or-no questions about your security controls and practices. There are multiple versions of the SAQ (such as SAQ A, SAQ A-EP, SAQ B, SAQ D, etc.) for different scenarios, depending on how your organization stores, processes, or transmits cardholder data. SAQ A is the shortest and applies when all payment handling is outsourced to a PCI DSS compliant PSP; SAQ A-EP applies to e-commerce merchants whose website never receives card data but does influence how it is collected or where it is sent; SAQ D is the full requirement set for merchants that store, process, or transmit cardholder data themselves.
If you're a merchant and you don't do anything with the card data (in particular, you never store it), it won't be difficult to be in compliance with the PCI DSS. But because it's often not obvious what you need to do to become a PCI compliant merchant (and because the PCI requirements that different PSPs and acquirers impose on merchants may vary), I highly recommend consulting your PSP or your acquirer directly to determine whether you're eligible or required to submit an SAQ, and if so, which SAQ is appropriate for your environment.
Need help? Any questions? Contact us.