PCI Compliance: Top Retailer Questions Answered

What is PCI DSS?

A lot of brands and retailers are puzzled by PCI. PCI DSS, the Payment Card Industry Data Security Standard, is a set of security standards created to increase control around cardholder data to ensure merchants and sellers safely and securely accept, store, process, and transmit customer information during ecommerce transactions. The ultimate goal of PCI is to reduce, and eventually stop, credit card fraud and data breaches.

The standards apply to any company that accepts credit card payments. If you choose not to comply with the PCI security standards, you can expect a monthly fine. Additionally, most banks and credit card companies will not offer their services if you’re not in compliance with PCI DSS requirements.

There are four levels of PCI DSS compliance:

• Tier 1: More than 6 million transactions per year
• Tier 2: Transactions between 1 and 6 million every year
• Tier 3: Less than 1 million transactions every year
• Tier 4: Less than 20,000 transactions every year

As long as you never see or store cardholder data, tokenize credit card information, and you use a third-party payment gateway, you have met most of the PCI requirements. The remaining requirements are met through logging, testing, audit trials, and security policies set up by your ecommerce platform and their payment partners.

What’s the difference between PCI Compliance and PCI Certified?

It’s easier to achieve PCI compliance. To be compliant, you must complete a PCI DSS Self-Assessment Questionnaire (SAQ)—a series of yes or no questions. The type of test you take depends on how you integrate your payment gateway and how you handle cardholder data.

PCI certification involves a rigorous audit by a Qualified Security Assessor (QSA) in addition to a self-audit. QSAs are comprised of industry experts who are trained and certified by the PCI council. PCI Security Standards Council (PCI SSC) then validates the audit. The PCI SSC initially formed in 2006 by American Express, Discover, JCB International, MasterCard, and Visa. Since its formation, the standards have evolved over the years—the latest version, PCI DSS 3.2, will be released this year.

Note: Being PCI Compliant is not an end in itself, but it helps in becoming PCI Certified. The requirements for compliance compared to certification are virtually the same. The most significant differences are who verifies the requirements and the quality of documented evidence.

When asked if there’s an added benefit of being PCI certified over only compliant, Rob Jeltema, Enterprise Account Manager at PayPal, suggests, “Unless they’re truly a high-level merchant, in other words, they’re doing over six million transactions per year, compliance is satisfactory. We typically recommend certification for nationally recognized brands.” Jeltema continues, “Target had a data breach in 2013, and things like this happen all the time. But because they’re largely known, the breach was splashed all over the news.”

How do I comply with PCI DSS?

There are twelve requirements for compliance, grouped into six categories:

• Building and maintaining a secure network
• Protecting cardholder data
• Maintaining a vulnerability management program
• Implementing strong security measures
• Regularly testing and monitoring networks
• Maintaining an information security policy

The easiest way to comply with PCI DSS is by never seeing, saving, or having access to cardholder data. Leveraging a third-party payment gateway like Stripe or Braintree will protect your customers’ data without the wide requirements of PCI. Many gateways are Level 1 PCI DSS compliant. You can narrow the scope of PCI requirements by using a gateway to transmit cardholder data without using your own server, making sure your payment pages use HTTPS, and validating your site’s PCI compliance by taking the annual self-assessment.

To simplify PCI compliance for merchants, PayPal is partnering with Trustwave, an information security company. PayPal is sponsoring its merchants for this service at no extra cost to them. According to Jeltema, “There is around 330 questions on the self-assessment, but most of them are not applicable to every merchant. The new service with Trustwave will identify which form the merchant needs to fill out and will pre-fill some of the questions for the merchant.” In addition to streamlining the questionnaire, PayPal’s merchants will be able to check their compliance status and will have access to PCI experts via toll-free number for any related questions. All of this will be on the PayPal site, eliminating the need for companies to log into Trustwave.

How do I maintain PCI DSS compliance?

PCI compliance is not a one-and-done type of deal. To maintain your PCI compliance, you’ll need to perform the Self-Assessment Questionnaire every 12 months. Keep in mind, just because you’re PCI compliant today, doesn’t mean you will be six months from now.

One of the requirements for PCI compliance is to “regularly test security systems and processes.” This includes running internal and external network vulnerability scans once a quarter and they need to be run by an Approved Scanning Vendor if you wish to maintain your PCI certification.

PayPal works with its merchants continuously to ensure they remain PCI compliant. The payment gateway is a level 1 service provider, which means it has quarterly on-site meetings with its merchants, quarterly security scans, and annual assessments. Jeltema says PayPal also holds compliance training for every single employee to make sure everything is secure in a technical and operational sense.

Are ecommerce platforms (Salesforce, Magento, etc.) PCI DSS compliant?

Since ecommerce platforms are software, they cannot be PCI compliant. However, most are compatible with PCI compliance—including Salesforce Commerce Cloud and Magento Enterprise Cloud. This means they support payment platforms that are either PCI certified or compliant.

Magento offers two solutions to streamline the PCI audit process: Tokenization and Abstracted Payment Methods. Payment service providers, such as PayPal and Braintree, allow merchants to keep key transactional PII (personal identifiable information) as hosted by the payment vendors themselves. This allows you to mitigate many of the compliance items of a PCI audit. Secondly, either via one of the certified hosting partners or using Magento Enterprise Cloud Edition, the hosting facilities themselves maintain PCI certification for the hosting and cardholder data access aspects of the audit.

Are ecommerce agencies PCI DSS certified?

While security is becoming an ever more material threat, few digital agencies have received an Attestation of Compliance (AOC)—a document that attests to the results of a PCI DSS assessment.

After several brands came to Blue Acorn iCi to resolve significant security breaches, we invested resources to solidify processes that impact the security of cardholder data and make PCI compliance easier for our clients. It’s part of our goal to become the most security-literate systems integrator for Magento and Salesforce Commerce Cloud.

Additionally, Blue Acorn iCi can serve as your brand’s Merchant of Record (MOR) and Seller of Record (SOR). This means we bear the risks and fiduciary burden of fraud, penalties, and chargebacks for you. We manage the payment processing function, check for fraud, and fulfill PCI requirements. Our Payments and Security team marries their professional expertise with best-in-class technologies—CyberSource, Avalara, Signifyd, and Worldpay—to protect your commerce site and customers.

If you’re a merchant interested in learning more about this process, we encourage you to reach out.