August 23, 2022
by David Goodale
How to avoid credit card data and make PCI compliance easier
(Slightly edited from video transcript for greater readability)
If you have an e-commerce business or any other business, it is very important not to touch credit card data without the necessary systems in place to handle it securely. For many businesses, it's better to avoid the problem entirely. Stay tuned, I'm going to explain in one second, exactly how to do that.
Handling customer credit card data
In an e-commerce situation, your website is where your customer interacts with your business, and at some point they are going to need to type in their credit card number to complete a transaction. What you may not be aware of is that, with modern coding and programming techniques, it is possible to make it so that the credit card number never touches your server.
You can make it so you never touch the credit card number, not even for one second. This all comes back to PCI compliance. We have other PCI-related content on our channel and the Merchant-Accounts.ca website. The short version is: if you're a human being on planet earth and you accept credit cards, you must be PCI compliant.
PCI compliance consists of two components:
- A self-assessment questionnaire, which is a security questionnaire that the business has to complete about its security policies, and
- A security scan, which is a friendly hack of your web server by a Visa- or MasterCard-approved scanning vendor, who tries to find any exploitable weaknesses on your server.
If they find any, they will tell you so that you can fix them. What you want to do in this situation is avoid as much of that work as possible and eliminate the liability of having card data.
Off-site hand-off of card data to the payment processor
During the checkout process the customer adds items to the cart, then types in their billing address and their shipping address. At this point they still haven't typed in their credit card information. Then there's a continue button; the user presses it and goes offsite, redirected from your website to the payment processor's website.
A great example of this is the classic PayPal checkout from years ago, where the customer was redirected to PayPal. Because it was PayPal that collected the card data, it fell under PayPal's PCI scope, and the same concept applies today.
That checkout process is good because you get away from the card data, and it's possible to do that and also customize it. Although the domain name changes in the address bar of the web browser, the customer can't tell that they've left your website because you can customize the look and feel of the landing page.
Avoid card data
With modern coding practices that I can't explain in too much detail because of technicalities, it is possible to do things like inline elements, where that element comes from a third-party website. You don't even control it; the information never actually touches your website. It looks like the customer is on your website, but they're not. I don't intend for this to be a technical video. Instead, what I'm encouraging administrators and business owners to do here is, when you're talking to developers, give them an instruction that says: when we build our e-commerce checkout flow, I don't want to touch card data.
Rely on your service provider to collect card data (reduce your PCI footprint)
What you should look to do is rely on a service provider that can collect the card data for you. This will allow you to qualify for a greatly simplified version of the self-assessment questionnaire. If the checkout happens completely off your website, you qualify for SAQ A. If it's on your website but all of the fields collecting the card data are hosted remotely (the card fields are not actually on your page; that part of the page is served by the provider), then you would qualify for SAQ A-EP, which is more complex than SAQ A but still much easier than the full standard PCI questionnaire.
If you rely on your service provider to interact with and collect the credit card data it ultimately makes it far easier to achieve and maintain PCI compliance.
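To make the "don't touch card data" instruction concrete, here is an added example (not code from the original post or from Merchant-Accounts.ca) of two guardrails for the hosted-fields flow described above: the browser accepts a payment token only from the provider's origin, and the merchant server rejects any request that carries something shaped like a card number. The provider origin, message format and field names are assumptions.

```javascript
// Added example, not code from the original post or Merchant-Accounts.ca: two
// guardrails for a checkout whose card fields are hosted by the payment provider
// (the SAQ A-EP style flow). The browser accepts a token only from the provider's
// origin; the server refuses anything shaped like a card number. Names are assumed.
const PROVIDER_ORIGIN = 'https://fields.example-processor.test'; // assumed

// Browser side: the hosted iframe posts a token back with postMessage. Check
// event.origin so a script on another site cannot hand the page a fake token.
function acceptProviderMessage(event) {
  if (event.origin !== PROVIDER_ORIGIN) return null;
  const data = event.data || {};
  if (data.type !== 'card-token' || typeof data.token !== 'string') return null;
  return data.token;
}

// Luhn check, used here only to recognise a card number posted by mistake.
function passesLuhn(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt && (d *= 2) > 9) d -= 9;
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// Server side: report every field whose value is 13-19 digits passing Luhn.
// A hit means card data reached the merchant server, which this flow must avoid.
function findCardDataFields(body) {
  return Object.entries(body)
    .filter(([, value]) => {
      const digits = String(value).replace(/[\s-]/g, '');
      return /^\d{13,19}$/.test(digits) && passesLuhn(digits);
    })
    .map(([key]) => key);
}

// The server accepts only the provider's token plus order data.
function validateCheckout(body) {
  const leaked = findCardDataFields(body);
  if (leaked.length) return { ok: false, reason: 'card data in: ' + leaked.join(', ') };
  if (typeof body.paymentToken !== 'string' || !body.paymentToken) {
    return { ok: false, reason: 'missing payment token' };
  }
  return { ok: true, token: body.paymentToken };
}

// Constructed sample: a developer wired the raw card field to the server (4111... is a standard test PAN).
console.log(validateCheckout({ paymentToken: 'tok_abc', cardNumber: '4111 1111 1111 1111' }));
```

A rejection from validateCheckout in production is worth alerting on: it means the checkout page is sending the merchant server data it was designed never to see.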
This was meant to be a high-level, best-practice video. If you are a smaller to mid-size merchant, it is best to push card data out of your system. If you're a larger merchant or a technically sophisticated merchant, there's nothing wrong with storing and touching card data, as long as you do it according to the PCI standard. If you have any questions about this, reach out to us at Merchant-Accounts.ca. Thanks for watching and have a nice day. Bye now.