
March 30, 2020
by David Goodale

PCI Compliance: What merchants need to know

What is PCI compliance?


PCI DSS is an acronym that stands for "Payment Card Industry Data Security Standard". It is a set of security-related rules created by the credit card brands that merchants need to follow. The purpose of these rules is to protect the credit card details that merchants handle when accepting credit card payments.

There are different tiers of PCI compliance. The more transactions a business processes, the harder and more complex it becomes to achieve compliance. The easiest level of PCI compliance is called tier 4, and applies to merchants that process under 20,000 transactions per year. The compliance requirements for tier 4 merchants consist of a self-assessment questionnaire and a website vulnerability scan. Note also that the PCI DSS rules are changing and evolving. That is why, even once you become PCI DSS compliant, the compliance certificate is only good for one year at a time. Every year you'll need to go through the compliance process again and may have to answer some new questions that were added since the previous year.

Does my business need to be PCI compliant?

Any business that accepts credit card payments must be PCI compliant. Even if you never touch credit card details directly, you still need to be compliant. However, compliance is much easier to achieve if you don't touch card details. (This can be achieved by relying on 3rd party systems to handle the sensitive cardholder data in the transaction flow, so that no sensitive data ever comes into your possession or contact, even temporarily).

The volume of transactions that your business processes will determine which of the 4 tiers of compliance your business will fall under. It should also be noted that if a merchant has previously suffered a data breach that resulted in customer data being compromised, they may be required to validate at the next level up from where their transaction volume would normally qualify them.

Merchants that process more than 20,000 transactions annually will fall into tiers 3, 2 or 1 of compliance. As more transactions are processed the requirements become more stringent, involving on-site audits at PCI level 1, which is the most advanced level of compliance and applicable to businesses that process in excess of 6 million transactions per year.

How do I become PCI compliant?

There are two components to achieving PCI compliance. The first is the completion of a security questionnaire, called the self-assessment questionnaire. The second component is a vulnerability scan of your website and systems that touch credit card details. If your website does not come into any contact with card details you may be able to skip the scan and complete a shortened version of the self-assessment questionnaire.

In terms of the vulnerability scan of your website, there are companies that are certified as "Approved Scanning Vendors" (ASVs) by the PCI Security Standards Council. These ASVs provide scanning tools that merchants can use to test their website. They can also provide step-by-step wizards to help you through the PCI self-assessment questionnaire (SAQ) and the attestation of compliance. Often your merchant service provider will have an arrangement with an ASV so that merchants can use their services at a lower cost than they would otherwise have to pay.

Which version of the SAQ do I complete if I'm a Level 4 merchant?

Most of the people reading this blog post are likely in the Level 4 PCI compliance category, which is the easiest to pass. But depending on how your website is integrated with your merchant service provider, it can still be quite complicated.

The first step you'll take is to determine which Self-Assessment Questionnaire (SAQ) to complete. There are different versions of the SAQ depending on how your company comes into contact with credit card details. For more details see Understanding the SAQs for PCI DSS version 3.


If your website and systems never come into contact with any cardholder data, meaning the customer is redirected to another web page and away from your website when submitting a payment, then you may qualify to fill out the "A" version of the SAQ. We highly recommend that small businesses integrate their websites that way because it is much easier to become PCI compliant. Additionally, if you don't have any credit card details in your system there is nothing for hackers or nefarious users to steal, which is another benefit of this type of integration.

This chart indicates the number of questions you need to answer for each type of SAQ.

SAQ     Number of questions
A       22
A-EP    191
B       41
B-IP    82
C-VT    79
C       180
D       329
P2PE    33

Fortunately, PCI has gotten easier for small businesses to achieve over time. In particular, the ASVs have gotten better at making it easier for merchants to complete the questionnaire itself. Trustwave is an example of an approved scanning vendor. If you were to use the Trustwave online PCI tools, you won't choose the "A" version of the SAQ yourself. The online tools that Trustwave provides will ask you a few questions at the start of the wizard and then determine the appropriate version of the SAQ for your company based on how you answered the initial questions. Those first few questions are like a fork in the road. When asked how credit card details are collected, you can answer either "on your website directly" or "collected by a 3rd party". If you answer 3rd party, you go down the "A" road; if you say that you're collecting sensitive cardholder information directly on your webserver, then you'll likely go down the "A-EP" or "D" road. The "A" road is the shortest and easiest road to the PCI DSS finish line. The other roads can be quite long and difficult to traverse. If you don't have dedicated technical resources on staff at your company, it's often best to stay on the "A" road.

The next part of the process is the Attestation of Compliance. This step is easy - it's basically just a declaration that you have answered the questions in the SAQ truthfully. There are also a few questions to identify the type of business you operate and the relationship between your business and any other 3rd party merchant service providers your company uses.

The last part is the vulnerability scan. If you're a level 4 merchant and you qualify for SAQ type A then this step isn't required. If your website touches card details directly then a scan will be required and depending on what kind of web hosting you have, it may be difficult to pass this scan. Since we're focusing on SAQ A we won't go into much detail about these scans.

My best recommendation is that you arrange your website checkout process in such a way that it never touches card details, allowing you to avoid these scans. If you do need to scan and vulnerabilities are found, it may be very difficult to correct these vulnerabilities depending on the type of web hosting you use for your website.

An example of the PCI compliance process for Level 4 SAQ A merchants

For the purpose of this example we'll assume a merchant is using the Trustwave PCI wizard. If you're using a PCI scanning service from another provider, it will probably be similar so you can still get a good idea of what to do.

For Merchant-Accounts.ca customers in particular, you'd open the Welcome Email that is sent when your account is opened, and click the link to the Trustwave PCI tools. This will take you to a registration page where you can create your Trustwave account and set your password. Don't forget your password because you'll need it to log in to your Trustwave account again in the future.

One of the first questions you'll be asked when starting the Self Assessment Questionnaire is "how do you accept credit cards?" You'll be given the option to select Website, Mail/Telephone, or In Person. You can select all that apply to your business.

After that, you'll be asked "who is collecting credit card numbers?" and you'll have two choices: (i) A Third Party, or (ii) My Company. If you are integrated using a tokenization API or a redirect API that prevents you from touching cardholder data, or if you're using a third-party shopping cart service that hosts and handles the checkout for you, then you never touch card numbers directly and you should select the Third-Party answer. This is actually a very critical part of the questionnaire, because if you answer My Company instead, you'll go down a different line of questioning that gets very technical. For merchants with less technical expertise we recommend avoiding touching card details altogether. Avoiding all sensitive data will allow you to answer "Third Party" when asked who is handling card details, and will make your PCI compliance process significantly easier to achieve.
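To make the SAQ A scope boundary concrete, here is an added example (not code from the original post, from Merchant Accounts.ca or from Trustwave) of a merchant-side guard for a checkout endpoint that is integrated through a tokenization or redirect API. The assumption is that the browser hands card details straight to the processor and returns only an opaque token; the server then refuses any request that carries a card-number-like value, so cardholder data cannot accidentally enter the merchant's systems. The field names, the hypothetical "tok_" token prefix and the sample requests are all constructed for illustration.

```javascript
// Added example: keep raw card data out of a merchant checkout endpoint.
// Assumptions (not from the original post): the processor's client-side
// integration returns an opaque token prefixed "tok_", and the merchant
// endpoint accepts only the fields listed in ALLOWED_FIELDS.

// Luhn (mod-10) checksum: true when the digit string is well-formed and
// the checksum holds. Used only to recognise card-number-like values.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Heuristic for a primary account number (PAN): after stripping spaces and
// dashes, 13 to 19 digits that pass the Luhn check.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// The only fields a token-based checkout needs to send to the merchant.
const ALLOWED_FIELDS = new Set(['paymentToken', 'amountCents', 'currency', 'orderId']);

// Validate an incoming checkout request body. Returns { ok: true, ... } when
// it carries only a token plus order metadata, otherwise { ok: false, reason }.
// The reason names the offending field but never echoes its value, so that
// a rejected request does not leave card data in logs or error pages.
function validateCheckoutRequest(body) {
  if (body === null || typeof body !== 'object') {
    return { ok: false, reason: 'request body must be an object' };
  }
  for (const [key, value] of Object.entries(body)) {
    if (!ALLOWED_FIELDS.has(key)) {
      return { ok: false, reason: `unexpected field: ${key}` };
    }
    if (looksLikePan(String(value))) {
      return { ok: false, reason: `field ${key} contains a card-number-like value` };
    }
  }
  if (typeof body.paymentToken !== 'string' || !body.paymentToken.startsWith('tok_')) {
    return { ok: false, reason: 'missing or malformed payment token' };
  }
  if (!Number.isInteger(body.amountCents) || body.amountCents <= 0) {
    return { ok: false, reason: 'amountCents must be a positive integer' };
  }
  return { ok: true, token: body.paymentToken, amountCents: body.amountCents };
}

// Constructed sample requests. 4111 1111 1111 1111 is a well-known test
// card number, used here only to show the guard rejecting it.
const SAMPLE_GOOD = { paymentToken: 'tok_example_1', amountCents: 1999, currency: 'CAD', orderId: 'A1' };
const SAMPLE_PAN_IN_ORDER_ID = { paymentToken: 'tok_example_1', amountCents: 1999, currency: 'CAD', orderId: '4111 1111 1111 1111' };
const SAMPLE_RAW_CARD = { cardNumber: '4111111111111111', amountCents: 1999 };

function demo() {
  return [SAMPLE_GOOD, SAMPLE_PAN_IN_ORDER_ID, SAMPLE_RAW_CARD].map(validateCheckoutRequest);
}

console.log(demo());
```

The guard is a safety net, not the integration itself: scope reduction comes from the processor's hosted page or tokenization script handling the card fields in the customer's browser. The check exists so that a later change to the checkout form (say, a developer adding a raw card field) is caught at the server rather than silently pulling your systems into SAQ A-EP or D territory.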

Later on in the SAQ you'll be asked if your business stores any sensitive credit card data electronically. If your business does, I recommend that you stop. If you answer that you do, you'll have to answer many more additional questions about how you secure your computer / network and it can be difficult to answer. If you don't store any sensitive credit card details, then you can just answer no and get on with the rest of the questionnaire without opening that can of worms.

Most of the rest of the questionnaire is pretty self-explanatory. You'll be asked at some point if you collect any paper documents that contain credit card numbers on them. It's easiest to complete the questionnaire if you don't but if you do it shouldn't add a ton of complexity. If you do store card details on paper documents, you'll have to answer some additional questions about how those documents are stored and eventually disposed of. Basically, you need to keep them in a safe place such as a locked filing cabinet. And when you no longer need those documents they must be shredded or otherwise destroyed in an unrecoverable manner so that other people can't read them after they have been discarded.

As you progress through the sections of the Trustwave PCI questionnaire, a blue checkmark appears on the right side of the page next to each section name once that section is completed. A common source of confusion for merchants filling out this questionnaire is how to tell when you are finished. The expected flow is that after completing a section you click the "Next" button at the bottom of the page to move on to the next section, and once every section shows a blue checkmark on the right side of the screen, you are done and ready to access the final page.

However, it's not obvious that you're done, because there will still be a "Next" button at the bottom that takes you to another section that has already been pre-completed for you based on answers you gave previously. Some merchants get stuck here and think they have to keep answering questions that are already answered. All you need to do is look at the right side of the screen where the blue checkmarks are; right underneath there is a button that says "acknowledge and submit". Once you click that button it takes you to the final page of the questionnaire.

Once you complete the questionnaire, you'll receive a PCI certificate of compliance showing that your business is compliant for the next 12 months. You need to log in to your Trustwave account before the certificate expires and re-do the questionnaire to extend your compliance for another 12 months. Trustwave usually makes it easier the next time around by giving you the option to re-use all the answers you gave the previous year. That way you won't have to answer as many questions as you did the first time.

General Challenges with PCI

When you get to the Eligibility section there will be a number of statements that you have to agree with by clicking on the checkbox next to each one. If you don't click the checkboxes you won't be able to complete the questionnaire. One of the statements that you must agree with is "Merchant retains only paper reports or receipts with cardholder data, and these documents are not received electronically." This is a cause for some confusion as many merchants don't retain any paper reports containing cardholder data at all, but the questionnaire basically requires you to agree to this statement in order to proceed. This is particular to the Trustwave PCI suite of tools, but is a good time to point out that PCI is an evolving standard. Some merchants find it frustrating to try to work through because in some situations the options may not apply exactly to your business. It is important to always be accurate and to work with your ASV if there are any questions or concerns.

Near the end of the questionnaire it asks if your business has written security policies in place regarding the security of sensitive card details. Some small businesses, and in particular sole proprietorships, probably do not have such policies in place. If you answer "no" to this question you'll fail the compliance questionnaire, because written policies are a mandatory part of PCI compliance. In the case of Trustwave, they've attempted to help business owners with this by providing generic policies that business owners can use. These generic policies are included so you can select the answer "Yes, I use the policies included in my Trustwave subscription", and those policies will satisfy the requirements of the PCI DSS.

In addition to the questionnaire there are technical requirements as well. You'll need to make sure you remove any default accounts that devices on your network come with from the factory. For example, when you buy a new wireless router, the default login credentials for the router's administration interface are often something like:

It's not secure to leave default accounts active on any devices connected to your network. You should verify that you have removed these default accounts, or changed the passwords to something else, so when the question comes up in the PCI questionnaire asking if you have removed the default accounts, you can answer "yes".

While we're on the topic of usernames and passwords, when your merchant account application is approved and you receive your Welcome email kit, it will contain your login credentials for your merchant account. If you are the only person who will be using the merchant account, then you can just keep this singular account as it is. But if you have multiple employees who will be using the merchant account to bill customers, you should create individual user accounts for each employee. As per PCI rules you're not supposed to share one account amongst multiple users. Also, if an employee quits or gets fired, they should have their access removed from the system immediately.

You should also make sure that you keep your operating system and anti-virus software continuously updated with the latest security patches. This is a requirement of PCI compliance and you will be asked about it in the questionnaire. If you're using Windows 10 then it's easy to remain compliant because Microsoft has made it automatic for Windows 10 to update with the latest patches. As long as your system is connected to the internet it should keep itself up to date all by itself. Most anti-virus software and web browsers these days keep themselves up to date as well.

What happens if I'm not PCI compliant?

If you're not PCI compliant, there are a few things that might happen. First, your merchant service provider may charge you a non-compliance fee for each month that you're not compliant. This might seem like the worst part of not being compliant, but things could potentially be much worse.

If your website suffers a data breach, the affected card brands (Visa/MC/AMEX/Discover/JCB) could fine your merchant service provider. The severity of these fines can range into the thousands of dollars (or well beyond for large breaches), depending on the severity of the breach. All processing agreements will state that the processor will have the right to pass on fines, and recoup losses from fines from your business. In short, when you accept credit cards you are liable for breaches. PCI is a standard that keeps your customers safe and helps to protect your business from liability in the event of a data breach. It's important to take security and PCI seriously for this reason. The good news is that the standard exists, and it's a great blueprint for merchants to work from, even if it's very challenging for some merchants to work through.

Summary

PCI compliance is simultaneously both a headache and a blessing. It is not easy to work through, and can be prohibitively challenging for small businesses that touch sensitive cardholder data. That is why we recommend that merchants, where possible, avoid touching cardholder data by implementing a transaction flow that prevents your systems from coming into contact with credit card information. By using modern web technologies it's possible to do this without inconveniencing your customer, and without impacting the look or feel of your website. If you have any questions about implementing a transaction flow that is friendly to your customers but avoids cardholder data to reduce your PCI scope, don't hesitate to contact us.

About the Author

My name is David Goodale, CEO at Merchant Accounts.ca. I launched our business in 2001 and have almost 20 years of expertise in the field of online payments. If you have a payments related question or project, and especially if it relates to multi-currency or international e-commerce don't hesitate to contact me. I'm always happy to help with an honest opinion, and enjoy chatting with folks from interesting businesses.

Toll free: 888-414-7111 ext. 5
Direct: (905) 901-2254
david.goodale@merchant-accounts.ca
