Nothing strikes fear in the heart of online merchants quite like PCI DSS – the set of “technical and operational requirements designed to protect cardholder data” put forth by the credit card networks (Visa, MasterCard, etc…). If you accept credit cards online, even if you’re not storing or processing those cards yourself, you need to be aware of its requirements and prepared to invest some time into compliance.
The upgrade from v2.0 to PCI DSS 3.0 introduced some important changes, making now a good time to review your steps to compliance as well as highlight what’s changed. (In February 2017, the PCI Security Standards Council released an update to its best practices guidelines for securing e-commerce and PCI compliance, which you can read about here.)
Do I have to get PCI certified?
If you accept credit cards from your customers then, yes.
Many gateways and online payment processing solutions will claim their drop-in credit card widgets exclude you from PCI compliance or make you PCI compliant. This is not true. Even if a third party is handling the collection, processing, and storage of protected cardholder data, you must still go through the PCI assessment process. What these type of solutions do, including Spreedly’s, is reduce your compliance burden. You still have to certify, but can often do so with much less effort than if you were processing and storing the card data yourself.
How do I get PCI certified?
PCI certification takes two forms: self-assessment (i.e. do-it-yourself) or hiring a third-party QSA (Qualified Security Assessor). Though there are obvious advantages to self-assessing, including effort and cost, your ability to self-assess depends on your annual transaction volume and is reflected in the resulting level of PCI certification (1-4) you attain.
The following table describes the relationship between your transaction volume, required assessment approach, and level of certification:
| If you have… | then you can… | to achieve |
|---|---|---|
| less than 20,000 online transactions per year | self-assess | PCI Level 4 certification |
| between 20,000 and 1 million online transactions per year | self-assess | PCI Level 3 certification |
| between 1 million and 6 million online transactions per year | self-assess | PCI Level 2 certification |
| over 6 million online transactions per year | hire an independent assessor (QSA) | PCI Level 1 certification |
Note: While PCI DSS outlines the requirements to become certified, there are subtle differences across payment networks (the table above was created from the Visa merchant guidelines). It is ultimately up to your merchant/acquiring bank to determine what is required for your compliance. Please be sure to check with them before beginning the compliance process.
How do I self-assess?
If you are processing less than 6 million online transactions per year it’s quite likely you can self-assess. This is a good thing, but you’re not out of the woods yet. Depending on your level of involvement in handling card data, you may still need to complete a lengthy questionnaire and perform an extensive internal review.
Self-assessment for online merchants usually occurs by filling out one of three self-assessment questionnaires (SAQs). Listed in increasing order of scope they are SAQ A, SAQ A-EP and SAQ D. By way of comparison, the SAQ A has fourteen questions listed while the SAQ A-EP has over one hundred across almost thirty pages. Assessing under SAQ A is, for obvious reasons, the goal of most online merchants.
So can you use the SAQ A? It depends on your technology and provider choices, both of which dictate how card data passes from the consumer, through (or around) you, and onto your gateway:
| If your systems… | then use |
|---|---|
| do not touch, process or store cardholder data, and do not serve any card collection forms | SAQ A |
| do not touch, process or store cardholder data, but do serve card collection forms | SAQ A-EP |
| do touch, process or store cardholder data | SAQ D |
SAQ A-EP is a new questionnaire, as of PCI DSS 3.0, and its distinction from SAQ A is a subtle but important one…
SAQ A vs. SAQ A-EP
Under version 3 of PCI DSS, online merchants can no longer even host the payment page themselves if they wish to qualify for SAQ A. To qualify for SAQ A you must use a payment form that is hosted by, and submits directly to, the compliant third party. In pure browser technology terms, this means an iFrame-delivered payment form or a hosted payment page from your payment processor.
Having the payment form served by and submitted to a compliant third party reduces the attack vectors by which a malicious party can gain access to a user's entered credit card data. For instance, an attacker who gains access to your merchant systems can no longer compromise your payment page and siphon off card data before it is submitted to the intended processor. The card payment form is protected from such intrusions by the browser's cross-domain security policies (the same-origin policy), which prevent pages on one domain from accessing the content of pages on another domain.
While there are always risks of compromise for any approach, PCI DSS has determined that an iFrame or hosted payment form is less susceptible than an in-merchant form.
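To make that isolation concrete, here is an added illustration (not Spreedly's code, and not the code of any real processor): a merchant checkout page that embeds a processor-hosted card form in an iFrame, plus a small audit script that checks whether JavaScript running on the merchant origin can reach the card fields. The iFrame `src` is a placeholder URL you would replace with your processor's real hosted-form address.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Checkout (added example, not code from the original post)</title>
</head>
<body>
  <h1>Checkout</h1>

  <!-- SAQ A pattern: the card form is served by, and submits directly to,
       the compliant third party. The src below is a placeholder (assumption). -->
  <iframe id="processor-form"
          src="https://payments.example-processor.test/form"
          width="400" height="300"></iframe>

  <script>
    // Audit check: can script on the merchant origin read the card fields?
    // For an SAQ A integration every check below must come back clean.
    function cardFieldsReachableFromMerchantOrigin() {
      const findings = [];

      // 1. An in-merchant form (the SAQ A-EP pattern) puts the inputs in this
      //    document, where any script on the page can read them.
      if (document.querySelector('input[name="card-number"]')) {
        findings.push('card-number input lives in the merchant DOM');
      }

      // 2. A cross-origin iFrame is opaque to the embedding page: the browser
      //    returns null for contentDocument and throws a SecurityError on
      //    contentWindow.document, so page script cannot read its inputs.
      const frame = document.getElementById('processor-form');
      if (frame.contentDocument !== null) {
        findings.push('iframe contentDocument is readable (same-origin frame?)');
      }
      try {
        frame.contentWindow.document.querySelector('input');
        findings.push('iframe DOM reachable via contentWindow');
      } catch (e) {
        // Expected for a cross-origin frame: e.name === 'SecurityError'
      }
      return findings; // empty array => card fields isolated from this origin
    }

    window.addEventListener('load', function () {
      const findings = cardFieldsReachableFromMerchantOrigin();
      console.log(findings.length === 0
        ? 'OK: card fields are not reachable from the merchant origin'
        : 'WARNING: ' + findings.join('; '));
    });
  </script>
</body>
</html>
```

The check confirms DOM isolation only; it cannot detect a merchant page that has been altered to replace or overlay the iFrame with a look-alike form, which is one reason the rest of the SAQ and the quarterly scan still apply.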
Spreedly customers wishing to switch to an iFrame-based payment form can contact us to take part in our iFrame beta program.
Proof of compliance
Once you have self-assessed using the appropriate questionnaire you will need to fill out an attestation of compliance, or AOC, to formally declare your PCI compliance results. If you have gone through a review led by an independent QSA, you will be issued an AOC.
In addition to the AOC, which needs to be reviewed and re-issued on an annual basis, you will need to sign up for a quarterly security scan of your systems from an outside provider. Together with the AOC, the quarterly scan verifies that you are maintaining your PCI compliance. An example of both the AOC and scan can be found on Spreedly’s PCI page.
PCI is not for the faint of heart, but it can be managed. When evaluating your compliance, keep the following in mind:
- What level of compliance you need is determined by your merchant bank, informed by the number of annual transactions you are processing.
- Self-assessing is less costly and time consuming, but is only an option for online merchants seeking less than a PCI Level 1 certification.
- If self-assessing, using a PCI compliant service provider that provides an iFrame or hosted payment page results in the least compliance burden.
- An AOC, together with a quarterly scan, is your proof of PCI compliance.
Good luck out there!
- “If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard”, from https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php
- See “What types of e-commerce implementations are eligible for SAQ A-EP vs. SAQ A?”, from https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf