Home > News and Blog

June 21, 2023
by David Goodale

A discussion about PCI compliance for e-commerce businesses

(Slightly edited from video transcript for greater readability)

David Goodale:

Hello, David here at Merchant-Accounts.ca with another episode of the podcast. I've been intimidated to do a podcast episode on PCI compliance because it's so complicated, like overwhelmingly complicated. Maybe that's just my perception of it and maybe I'm not correct. Today I'm talking to Robert Spivak of Control Gap. Robert's an expert on PCI compliance and he's going to shed some light on this mystery for us. Robert, thanks for joining.

Robert Spivak:

My pleasure.

David Goodale:

I'm going to start by recapping what PCI compliance means. It's the Payment Card Industry data security standard. Robert, it's made up of a questionnaire, and a security scan. There's more than one version of the questionnaire. The one that you fill out depends on whether you're touching or storing credit card data. I will probably get more into that later. I want to start with this point. The technical questions, even on the easier questionnaires can be pretty hard. Is it possible for small businesses to become PCI compliant?

Robert Spivak:

Absolutely. Everyone needs to comply with PCI and you can become compliant. It's a matter of understanding how your business takes credit cards and debit cards. Now because many debit cards are actually in scope for PCI, I find that many organizations we work with, look for a quick way to get certain things done. Sometimes that can be beneficial, but it's really important to be able to understand how you take credit cards. Where do you store them if you do it all? What are the other companies that you share that information with, including the bank that you send those transactions to?

David Goodale:

Interesting. I know that it's overwhelming. Here's what I do know. The easiest version, and by the way, correct me when I'm wrong because I'll probably be wrong about 50 times during this discussion, *laugh*, but self-assessment questionnaire A is the easiest version of the questionnaire. I always tell merchants, if possible, it's best to just not touch card data yourself and rely on a third party to do that. I don't know if you agree with that and I want to know what your thoughts are on that.

Robert Spivak:

Certainly, that's a great question and I will correct you a little bit on that. SAQ A specifically deals with e-commerce merchants and is the easiest one to complete if you're doing a hosted website or you're doing only online payments. Believe it or not, the easiest SAQ out of all of them to do, and there are about eight of them or so, is the P2 PE, which is a standalone or connected terminal that does point-to-point encryption to their bank. Again, depending on your merchant, depending on who, and the way you take credit cards, if you have an actual pin pad, you should be looking for a P2 PE certified pin pad. Back to your question about web hosting PCI is many things to many entities, whether you are focused on specifically taking payments in person or taking them online, the key is understanding your payment ecosystem. Where do my transactions go? Who touches those transactions? Understanding that will determine the methods that you're going to use to take that credit card data, and the various security controls that you have to have in place to ensure that you're protecting that data.

Robert Spivak:

Now you mentioned earlier about a scan and again that talks about e-commerce. A preventative measure, if you will, for example, in the e-commerce world, is to do a web scan or a vulnerability scan to ensure your website is protecting that credit card data the correct way. In addition to that, a penetration test takes that scan to the next level to show the things that are being identified as exploitable.

David Goodale:

I like that scan, just to jump in with a comment there, like that scan to me is a best practice too. It's doesn't just protect credit cards. It's like you don't, you also don't want your website to be hacked. There are lots of reasons for the security scan. I want to focus on small and mid-size e-commerce businesses for a second specifically on this question. That SAQ A, am I correct that you don't need to do the security scan like you just get to bypass it If you, if you're not touching the cards, if you're kind of redirecting to another website, you get to just skip that step?

Robert Spivak:

Well, for e-commerce merchants, one of the key things is there are two specific SAQs that you can be involved with. The SAQ A is the lighter version if you want to call it that. SAQ A-EP is the heavier one. It's all about how you accept credit cards. Because let's face it, if you're an e-commerce provider, you are taking credit cards. It's about how you take it, and how you handle that data when it's on your website. I'm going to talk about the more complex one and it hopefully will shed light on how you ensure that you align to SAQ A and then SAQ A-EP, the situation is you have a website, and you are collecting that information. In other words, you're downloading something to your consumer's browser that is collecting the information, it's bringing it back to your website, and then from there you're manipulating it potentially and sending it to a bank to process and authorize for whatever goods or services you're providing.

Robert Spivak:

In that case, the SAQ AP is about 150 or so requirements that you have to adhere to. It can be very difficult to do if you're not prepared to commit the time, resources, and energy to make that happen. Even if you outsource it to a third party and you still are configured that way, you're still required to do the SAQ A-EP. Now if you take the time to look at how your website is architected and you implement something that's called an iframe or a fully redirected website, what that means is that when you download your page to the browser, there is a piece of that page that says go to this other website and download the payment function from that website. Or when I click on pay now, it sends me to a different website that is completely outside of my web server.

Robert Spivak:

In that particular case, you're never seeing the credit cards within your environment. However, you're collecting that information or the other vendors collecting that information and it's transparent to the end consumer, they wouldn't be any wiser knowing that it's coming from another website. In that particular case with a couple of other requirements for eligibility, you can complete an SAQ A and in that case, you only have about 28 requirements, and with the current version of PCI 3 21, you are not required to do the ASV scanning or vulnerability scanning. To your point earlier, as a security best practice, and that's really what it's about, is ensuring that you are secure, you should be doing it anyway. The difference is in PCI we're not measuring whether you're doing it or not, but the expectation is that you want to be secure, so you should be doing it.

David Goodale:

Sorry Robert, you just made me think of a point, this is a good time to make a small point. PCI is kind of because you just kind of said this, why it's self-policed, it's to a degree, it's like why you're responsible for doing this yourself. Nobody is looking over your shoulder, but you have to be compliant to do it. Is that correct?

Robert Spivak:

When it comes to self-assessment, that is exactly what you're saying I am saying I'm signing off on this document that I am doing the things that I am committing to in the SAQ and that means that I'm protecting the data that I'm using. PCI compliance service providers, you're testing it. It is a legally binding document. That's why many organizations will engage a QSA company to help them to fill it out and countersign with them so that they could feel comfortable that not only did they answer the questions correctly, that they know what they're talking about, and that they scoped their environment correctly that they haven't missed anything. Having that resource, that expert in PCI to help you be a qualified security assessor, they can interpret the rules, they can interpret the requirements and how they apply to your environment and that's very critical to many organizations.

David Goodale:

Perfect. I probably hijacked your train of thought there, but you were going to talk about the, we talked to SAQA-EP and the redirect, can you get back to what you're going to say? I apologize certainly for putting Her off there.

Robert Spivak:

The key thing with version 3 21, which is now expiring as of March 2024, is that those requirements are changing in version 4.0. If once you've passed March 2024 and you complete your SAQA, it includes a requirement now that you must do the scanning anyway. To get ahead of the game and to be able to comply with that, you should start your scanning as soon as possible. Did,

David Goodale:

Oh, did so did you just say that in version 4 you have to do the scan even if you're doing the redirect?

Robert Spivak:

Correct. The council has changed that and you can see it in our Free e-book on our website. We've talked about this and the requirements themselves have changed to re-require scanning with or without an iframe.

David Goodale:

The analogy that I always gave to merchants for SAQ A, like the easiest version of PCI is, it's that if you don't have any gold, you don't need security bars. There's just, there's nothing to store. With a merchant that's redirecting, let's just think back to the old days of PayPal, like way back in the day, you'd be on the merchant's website pay by PayPal and then you are taken off the merchant's website. Wham, you're on a PayPal landing page, you can log into your PayPal account or just enter a credit card number. My point is this is totally off the merchant's website. What would even get scanned, would it be the PayPal landing page or would it be the merchant's website?

Robert Spivak:

PCI is very specific. When you sign up to process credit cards with your bank, they have an agreement with the card brands, Visa, MasterCard, Discover, AmEx, JCB, and China Union Pay. That includes debit and credit cards. People need to understand today you can take your debit card, go on a website and use Visa debit on them. It's like a credit card. The key to that is that you're accountable for every transaction that's taken on your behalf. Even if you send that to a PayPal snap Pay any of those services that are out there, even if you used a square device on a cell phone or your tablet because you're collecting that information for the services that you're providing, you are accountable for the security of that data and if it's compromised. You're still required to ensure that the third party you're using is PCI-compliant for the services they're offering you.

Robert Spivak:

Something that we have a really good blog article on our website about is understanding how to validate your third-party service providers. If I am using for example PayPal, I need to understand what is it that they're giving to me. Is it only the payment page? Are they providing any other services for me like chargeback control could be anything along the lines of ensuring velocity checks are happening, any of those types of security features? I have to ensure that what they've given me from their Attestation of Compliance or their AOC states that the service they're providing you is PCI compliant and that they're attesting to the controls that they have to ensure are compliant. Typically, within the station of compliance, you'll also get what's called the responsibility matrix. It's very important to read through that because that will dictate what your service provider will take care of versus what they expect you to continue doing.

Robert Spivak:

That can be misleading if you don't know how to read it correctly. For example, we've got clients that use acquirers or banks that provide payment terminals or they provide the website and it is fully redirected as you mentioned. They believe that everything's being taken care of by that bank or that hosting company or whatever it is. When you read the actual responsibility matrix, you find out that they will take care of maybe the pen testing, and the vulnerability scanning, they may take care of the actual processing and the web development, however, they expect you to still be involved in incident response and contract negotiations. They may even provide you a portal where you can see the transactions and that might be where you can see clear text data. Now your laptop when it connects to that web portal may be what's called a virtual terminal and that may cause some PCI scope creep that you weren't expecting. It's very important to understand where the lines are drawn and what you're responsible for, how it affects your PCI scope, and what your third parties are doing.

David Goodale:

I'm so glad you just said that Robert, because you're here, you're an expert and I have a question that I've wanted to ask you for a long time. Here's the thing. I always, for the reasons we've discussed so far, encourage merchants to try to get into SAQ A, which you can control over because a merchant can integrate their website into a payment processor in different ways. They could take the credit card themselves and pass it at a server-to-server level, meaning their server receives a credit card number. Then so the merchants, this is merchant watches is your website gets a credit card number and your website sends a credit card number to your processor. That's option A. Then option B, what we talked about before is you redirect away, like you say, hey, get off my website, go over to the payment processor's website, and enter your credit card number there.

David Goodale:

That gets you into SAQ A or, as you've described, there could be scope creep. Here's my point, the PCI compliance questionnaires that I have seen, it asks merchants, how do you accept credit cards online because we're primarily an e-commerce payment processor. The merchants tick online and then there's another option retail-like point of sale. Our merchants don't typically do that anyways. Then, the third option is a virtual terminal. For anybody watching a virtual terminal is very simple. It's just a webpage on a page on the web where you log in and click a button and you type in the credit card number, you type in the expiry date, and you type in the amount if you want you type in the CVV code if you want, you can type in the customer's billing address if you want.

David Goodale:

You can type in the customer's email address; I'll email them a receipt. All I'm saying is it's a very simple webpage where you can manually type in a credit card number and an amount hit the process button, and the transactions process. Every e-commerce payment processor provides a virtual terminal. What merchant does e-commerce sales that when customers happen to call in with a question, they say no, no, no, just go to the website? I don't want to deal with you. That doesn't happen. For every single merchant at all the payment gateways that I work with, there's always a virtual terminal built into the gateway. That my long-winded way to make this point is my understanding is if you're a multi-channel merchant, meaning e-commerce and virtual terminal, you don't get to do SAQ A, you have to do SAQ D, which is what I call the nightmare from the late person's terms. How can anybody qualify, for SAQ A if they're an e-commerce merchant?

Robert Spivak:

There is some progress happening at the acquirer or provider level. One of the key things with the virtual terminal is are you seeing full credit, and credit card data. In many of those virtual terminals now they can disable the function for you to process a manual payment. If you're looking at transactions, they're all truncated. You're not creating scope because you're not seeing full credit cards and you can't do that. You are correct in that if you are taking credit cards over the phone, which is one of the biggest challenges we run into with every client we talk to, whether you have a call center, you have a cell phone or you have a VoIP system. When you take that credit card over the phone, you are now creating scope because the person is speaking it in a VoIP system that is now digital in information.

Robert Spivak:

If it's not properly scoped, your entire VoIP infrastructure can now become in scope for PCI, and that can be a monumental task to correct. We've worked with many organizations to be able to reduce that scope or even eliminate it when it makes sense. It is kind of a hidden gem when it comes to PCI scope where many organizations just believe, well we're taking over the phone, that's fine, I'm only going to worry about the terminal. You have to worry about the phone system as well because there are videos out there, there are all sorts of research where they can show that if I can hack a VoIP system, I can transcribe all the information that someone's speaking as you know with accessibility, that's a readily available item. I can transcribe that credit card, the expiry date, and the CVV two data that is being trans-transmitted via voice because now it's digital content.

Robert Spivak:

Back to your original question though, you're right in that if you are taking credit cards in any other manner except through an e-commerce channel, you are what we call what you call the multi-channel merchant or you have multiple data flows and you do need to document them, diagram them and have a narrative that explains at a very clear and concise way how the TRA data passes through the different nodes or different infrastructure that you have. Is it encrypted from when you enter it to the actual website that you're going to? Our recommendation to all our customers is it's okay that you have to do the SAQ D. What you have the benefit of is you can use what's called reduced applicability. I would take the SAQ D, I would only look at the requirements for SAQ A and CVTI would combine those in and look at those particular ones and validate those and the rest are not applicable because they don't apply to your environment. You have to have someone knowledgeable enough to be able to decipher that, really massage the information, and make sure that you're answering the right requirements. You are correct, the SAQ is the hardest one and of course, a SAQ D service provider makes it even more complex because as you know, a service provider can still be a merchant and they can be taking credit cards but you need to know which SAQ to fill out at that point.

David Goodale:

Now I do have another thank you for that Robert because that does help clarify. What if a merchant instead said, hey look, I'm an e-commerce merchant and I'm a virtual terminal merchant? Could they fill out SAQ A for the e-commerce and the virtual terminal? I think it's SAQ-VT or something. What's the name of that one you probably

Robert Spivak:

SAQ C-VT.

David Goodale:

See, so could they fill out SAQ A and SAQ C-VT and that covers them because they've done the two rather than go to SAQ D which has 10,000 questions that don't apply to them? If they just did the two that do, is that acceptable under PCI rules?

Robert Spivak:

Under PCI, they're not going to dictate what you need to do. The PCI council will tell you that you need to speak to your acquirer or the card brands. Now depending on the acquirer you're using and the conversation you have with them, they may be okay with you filling out two separate SQAs for the two environments. As long as you can demonstrate or explain that. One is maybe with a third party and this is particular to one or two workstations and I have the right controls around it. We have seen that happen with some clients, but over time what typically happens is the acquirer will say, look it's just easier for us from a reporting perspective to the SAQ D. I would recommend talking to your acquirer about the situation you're in and getting some guidance from them or engaging a QSA company to give you some recommendations and they can work with you and your acquirer to come up with what the right solution works for you.

David Goodale:

Okay. I'm going to ask a question about, and I mean this one from a practical sense as much as reasonably possible, so a small to mid-size e-commerce merchant, if they're comp not compliant, what's the risk? I mean the real risk is if they're not storing cards so they don't touch cards, maybe they're redirecting but they're and don't touch cards. I'm not worried about it. What's the risk of that type of Merchant?

Robert Spivak:

Great question. One of the key things that you have to understand with PCI is that noncompliance is not an option. Yes, you can be non-compliant for some time because you're working on your compliance or you're trying to get compliant. Over time the risk is that from a technical perspective, and let's just park PCI for a minute and what the restrictions are there, but from a technical perspective, most e-commerce sites are hit with what's called a man-in-the-middle attack. For those that may not know what that means, it's I can make a copy of your website without you knowing and if you don't have the right security controls, I can create another webpage that's in between your site and my site. When a consumer goes, they are none the wiser they think that they're on your website, they actually, capture the information and I could pass it along to your website and you wouldn't even know I was there.

Robert Spivak:

Unless you have the right detective controls and the right kind of functions and security controls within the website, I could sit there for months collecting credit card data. You wouldn't know, the consumer wouldn't know. Even that's with an iframe that goes to a third party. It's really important to ensure that you're doing the right security things even outside of PCI. General security cybersecurity is important. What happens with PCI is we layer on the lens of how are you protecting the credit card data? Even if you're using that third party that you're sending the credit card data through an iframe or redirect, your website is still susceptible to attacks. If you're not maintaining the core libraries, the web functions doing the proper kind of scanning. Now let's bring back PCI number one risk that you'll run into is an increase in interchange fees and processing fees, especially if you're not compliant over time that will be something that your acquirer or your processor will tell you, because of noncompliance we're going to charge you an extra 2 cents per transaction or another 3% interchange fee.

Robert Spivak:

That's one way that you could be impacted by non-compliance. Of course, if you are compromised in any way, shape, or form, there are some severe fines for being non-compliant. They can range anywhere from $5,000 a month right up to half a million dollars. US and, again, I'm not here to sell FUD or to scare anybody into it, it's information that you can search and find over time the card brands have the right, to because it's part of your agreement to terminate or suspend your credit processing rights. As an e-commerce merchant, they can kill a hundred percent of your transaction processing unless you go to something else. Those are some of the risks that you face for noncompliance over time immediately you may not notice it, and you may not even realize it, but we've seen this with other clients that took a prolonged period to get compliant. They kind of put it off, said we got more important things to do about or we don't have the budget or we have this legacy system that we have to interface with and it's going to take a long time. The card brands, and your processors are understanding, they're not there to ruin your business or to cut you off. That's the last thing they want to do. They do want you to protect the data. Over time, you do need to be able to show that you're making an effort to get compliant and eventually become compliant.

David Goodale:

That's a great answer I, do think in my limited experience, because I, don't deal with PCI very often, I think like Walmart should be held to a higher standard than, you know, some person that decides to sell mittens online and does $500 a month of it. I guess I know there are different tiers of compliance, but also in regards to fines, I think it would look very bad on the brands themselves to come down heavy-handed on a fine, a, on a small business unless it was something egregious. What have you seen in that regard?

Robert Spivak:

Very good question. Normally a large merchant and you said it correctly, there are four tiers of merchants that the card brands dictate. It's on the PCI council website, it's also on the individual card brand sites and they have varying programs. The rule of thumb is if you're doing more than 6 million transactions, and God loves you if you are, you're considered a level one merchant, even if it's e-commerce. E-Commerce has some special rules over 300,000 transactions. Let's, for a rule of thumb, let's call it 6 million or more. If you're 1 million to 6 million, you're a level two. If you're 300,000 to a million, you're a level three, and for anything under 300,000 transactions, you're typically a level four. In e-commerce, I believe the barrier is 300,000 or more. You're automatically considered a level one cause e-commerce is considered a high-risk function or payment channel.

Robert Spivak:

That being said, those larger merchants are held to a higher standard with a report on compliance, which is required by a third-party company like Control Gap that would come in. They would spend the time to understand all the data flows, they would analyze all the systems, they will go through secure configurations, all the documentation, and all the evidence to show that they are compliant with every rule, and every requirement as necessary. Smaller merchants with self-assessment questionnaires typically will not see large fines like that, but they could be large companies, they just have a low volume of transactions. We do have some clients that are what we call low volume, high price point. They fill out an SAQ but they could still be fined 5,000, $10,000 a month or they could have their interchange fees increased because they are still considered high risk.

Robert Spivak:

Although volumes might be low, they realize that there's a risk because if you're compromising transactions for a $3,000 jacket or $2,000 shoes, it's still fraud that the card brands have to deal with. Sometimes it has nothing to do with the volume of transactions, but it has to do with the evaluation or the types of goods you're, you're selling. One last point I'd like to make about risk is your brand reputation. This is something that most organizations don't think about until we've had the conversation or a compromise happens. No one wants to be in the newspaper saying you've been compromised for a credit card breach or any kind of compromise, whether it's cybersecurity privacy, PCI being compliant means that you've spent the time and energy and you have the commitment to ensuring that you're going to protect your customer's data. Sometimes that customer data is yours because you may buy your products.

Robert Spivak:

You're protecting your data as much as you're protecting your consumers and keeping in mind that you have both debit and credit card data, you could be affecting people's bank accounts, not just their credit limit on their credit card. That money could be to be taken out straight from their bank account, not just from a credit card that they're using. Having that commitment shows your customers, it shows the people who visit your website that we take it that seriously. We think it's that important and that's why you should come to us. That's a big, I think, proponent for a lot of organizations from a brand perspective,

David Goodale:

Well definitely trust is something like once it's gone, it's really hard to get back, if not impossible. I'm going to ask a question, Robert, and I don't know if you're okay with this question, but I'm thinking like the typical small to mid-size. Like if I'm an e-commerce merchant doing 75-100 thousand dollars in gross sales per month and, they need help with PCI because it is challenging, would Control Gap be a good choice for them? Just a rough ballpark, what is the cost in the timeframe to get through that exercise where they can say, okay, I am compliant?

Robert Spivak:

That's a great question. Control Gap has always taken a consultative approach when it comes to any compliance programs that we work with, especially PCI. We like to say we take a pragmatic approach to compliance and you can use us as much or as little as you need. We can have consulting engagements where we can give you advice, and figure out the scope of your environment from there, if you feel comfortable that you can continue, you can proceed. We do help many organizations with their SAQs determining which ones they are and creating what we call a scope document. That is a document that you can use that describes your environment. No matter who you're talking to, whether it's your bank, the brands, QSA company, hopefully, it's Control Gap. Even if it's not us, if anyone were to ask, hey, what is our PCI scope, what is our PCI risk?

Robert Spivak:

This is a document you can hand them and it articulates all the information that they need to know about what your PCI ecosystem looks like and your payment ecosystem. Definitely from our perspective, we are willing to help everyone. A typical engagement for an SAQ is usually a couple of weeks. It could be a little longer depending on the complexity of where you are in your PCI journey and the costs are pretty reasonable. You know, we can certainly have anybody give us a call. We can share that information with you. One of the reasons why is that there are, as you mentioned at the beginning, complex components to this that we need to understand before we could give you an answer. That being said, give us a call. We're happy to start a conversation and see where that goes.

David Goodale:

If folks did want to get a hold of you, where would they, where would they do?

Robert Spivak:

The easiest way is you can go to our website www.controlgap.com or you can email pci@controlgap.com and we're happy to get back to you as fast as possible.

David Goodale:

That's great. Robert, this is such a broad topic, it's one of the reasons you can't tell people how much it'll cost because it's like saying, hey, build me a house. Well, is this a one-bedroom, you know, bungalow or is this the Taj Mahal? Robert, I've done my best to ask the questions that I could think of. It is a fairly complicated topic. Is there anything that I haven't thought to ask about PCI that you'd like to tell folks so they're aware of?

Robert Spivak:

Thank you very much, David. One of the biggest things that we like to look at from a PCI perspective is you need to understand your payment ecosystem. Where are you taking credit cards? How are you taking them? Even if it's you've been around for 20 years, what did you do in the past? There are many organizations where we ask questions around, did you take it over the phone? Did you take it over fax? Did you take it in the mail? How did you take those credit cards in the past? Because a lot of times Joe has a box in his garage that was forgotten about because it's a small company. The other big thing is to keep on top of the brands and the PCI council website where you're going to get information about PCI. They have some great repositories, documentation, FAQs, or frequently asked questions that you can read up on and just get educated.

Robert Spivak:

If you're struggling with PCI, give us a call. Sometimes it's just better to talk to an expert and just get some time with us to be able to explain what your world looks like. Keep in mind, March 2024 is when 4.0 goes live and you have to comply with it. There's no deadline extension beyond March 2024. Then there are an additional four requirements that come into effect in March 2025. Your headache doesn't stop because you're compliant with 4.0. After all, you still need to take a look at that March 2025 sunset date for many of the requirements. Again, download our e-book, it'll give you some great insights into that. Again, at control www.controlgap.com. We're on LinkedIn, you can reach out to us. We're happy to help.

David Goodale:

Robert, it's been educational, and thanks so much for joining today.

Robert Spivak:

My pleasure, David. Take care.

---

Need professional guidance?
Contact us for a free one hour consultation.

---