Achieving eCommerce PCI Compliance Affordably

Isaiah Bollinger

PCI Compliance is a common buzzword and topic among businesses that are looking to start or run an eCommerce website. It is often misunderstood and confusing, yet business owners have to be concerned with it because of the potential consequences of not being PCI compliant.
You can start by reading up on the PCI Compliance standards website. The first thing you will want to know is which tier you fall into. PCI Compliance groups merchants into four tiers, each with a different set of things you have to accomplish to be PCI compliant.

The Tiers:

  • PCI Compliance Level 1
    Over 6 million Visa and/or Mastercard eCommerce transactions processed per year
  • PCI Compliance Level 2
    1 million to 6 million Visa and/or Mastercard eCommerce transactions processed per year
  • PCI Compliance Level 3
    20,000 to 1 million Visa and/or Mastercard eCommerce transactions processed per year
  • PCI Compliance Level 4
    Less than 20,000 Visa and/or Mastercard eCommerce transactions processed per year, and all other companies that process up to 1 million Visa transactions per year

Depending on the tier, there are different requirements for what you need to do to stay compliant. Tier 1, being the highest eCommerce transaction volume, naturally requires the most work. If you are a smaller level 4 merchant, the PCI compliance guide says you will for the most part have to do the following:
1) Determine which Self Assessment Questionnaire (SAQ) your business should use to validate compliance.
2) Complete the Self-Assessment Questionnaire according to the instructions it contains.
3) Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV). Note scanning does not apply to all merchants. It is required for SAQ A-EP, SAQ B-IP, SAQ C, SAQ D-Merchant and SAQ D-Service Provider.
4) Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
5) Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.

eCommerce Platform:

One very important thing to figure out is whether your eCommerce platform is PCI compliant out of the box. If your platform is SaaS based, like Shopify or BigCommerce, the provider will most likely take care of most of the PCI compliance for you. However, if you use an open source platform like Magento or WooCommerce, the burden falls more on the merchant to ensure it is hosted and set up properly to be PCI compliant. Investigate what is required of your platform to become PCI compliant.

Payment Gateway:

Your payment gateway is an important part of PCI compliance and should handle the security risks associated with it. Make sure your payment gateway is PCI compliant, or is set up in a way that qualifies you for PCI compliance.
One option is to redirect users to the payment gateway itself, PayPal for instance. The other is to integrate the payment gateway into your site; if you do so, make sure the integration is well designed and PCI compliant.

Hosting:

Finding a reliable PCI compliant hosting provider is another important aspect of PCI Compliance. If you are not using a SaaS platform you will want to find a PCI compliant hosting provider that can help provide security and ensure your eCommerce website is well taken care of.

Third Party Software Development:

A quality third party software team, like our team at Trellis, will work on your site locally. We do this on our own machines before we push to Git, a version control system. The code is then deployed to a development or staging website for testing. If you want to ensure your customer data is safe, you may want some sort of database scrubbing process that produces a copy with the same structure as the live site's database but none of its real data. Make sure to only give your developers fake data that is not the real data but has the same data structure, so they can emulate what it will be like on the live site.
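As an added example of the database scrubbing process described above (this is not Trellis' code or tooling): the script below copies a constructed production `customers` table into a staging copy with the same schema, replaces names, emails, phone numbers, addresses and gateway tokens with synthetic values while keeping ids and non-personal business data, and then checks that no real value from the production rows survives in the copy. The table layout, sample rows and scrub key are all assumptions made for the example.

```python
"""
Scrub a copy of a production customer table into a developer/staging copy
that keeps the schema and row shape but contains no real customer data.

Added example, not the article's or Trellis' own code. Assumptions: an
in-memory SQLite table `customers` with the constructed columns below;
the scrub rules are illustrative.
"""
import hashlib
import hmac
import sqlite3

# Constructed sample rows standing in for a production export.
PROD_ROWS = [
    (1, "Alice Example", "alice@example.com", "+1-555-0100", "12 Elm St",
     4242, "tok_live_abc", 120.50, "2024-01-05"),
    (2, "Bob Sample", "bob@example.org", "+1-555-0101", "7 Oak Ave",
     1111, "tok_live_def", 35.00, "2024-02-11"),
    (3, "Carol Demo", "carol@example.net", "+1-555-0102", "99 Pine Rd",
     5555, "tok_live_ghi", 0.00, "2024-03-20"),
]

SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    full_name TEXT NOT NULL,
    email TEXT NOT NULL,
    phone TEXT,
    address TEXT,
    card_last4 INTEGER,
    gateway_token TEXT,
    lifetime_spend REAL,
    created_at TEXT
)
"""

# Key for pseudonymising values (same input -> same fake, so joins between
# tables still line up). Constructed; in practice a secret held only by the
# scrubbing job, never shipped with the scrubbed copy.
SCRUB_KEY = b"example-scrub-key-rotate-me"


def pseudonym(value: str, width: int = 8) -> str:
    """Stable, keyed, non-reversible stand-in for a personal value."""
    digest = hmac.new(SCRUB_KEY, value.encode(), hashlib.sha256).hexdigest()
    return digest[:width]


def scrub_row(row):
    """Rewrite one production row into a row with the same shape and no real data."""
    cid, _name, email, _phone, _address, _last4, _token, spend, created = row
    p = pseudonym(email)  # one pseudonym per customer drives every fake field
    return (
        cid,                              # keep primary keys so relations survive
        f"Customer {p}",                  # fake name, same column type
        f"user-{p}@example.invalid",      # reserved TLD (RFC 2606): never deliverable
        "+1-555-0199",                    # fictional US phone range
        f"{int(p[:2], 16)} Test Street",  # synthetic street address
        int(p[:4], 16) % 10000,           # synthetic four-digit card reference
        f"tok_test_{p}",                  # live gateway tokens must never reach dev
        round(spend, 2),                  # non-personal business data kept as-is
        created,
    )


def build_scrubbed_copy(prod_rows):
    """Return (prod_conn, stage_conn): a 'production' DB and its scrubbed copy."""
    prod = sqlite3.connect(":memory:")
    prod.execute(SCHEMA)
    prod.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?,?,?,?)", prod_rows)

    stage = sqlite3.connect(":memory:")
    stage.execute(SCHEMA)
    stage.executemany(
        "INSERT INTO customers VALUES (?,?,?,?,?,?,?,?,?)",
        (scrub_row(r) for r in prod.execute("SELECT * FROM customers")),
    )
    return prod, stage


def leaked_values(prod, stage):
    """Audit step: list any real name/email/phone/address/token found in stage."""
    real = set()
    for (_, name, email, phone, address, _l4, token, _s, _c) in prod.execute(
        "SELECT * FROM customers"
    ):
        real.update((name, email, phone, address, token))
    leaks = []
    for row in stage.execute("SELECT * FROM customers"):
        leaks.extend(v for v in row if v in real)
    return leaks


if __name__ == "__main__":
    prod_db, stage_db = build_scrubbed_copy(PROD_ROWS)
    for row in stage_db.execute("SELECT * FROM customers"):
        print(row)
    print("leaked values:", leaked_values(prod_db, stage_db))
```

The audit function is the part worth keeping in a real pipeline: run it against the scrubbed copy before it is handed to developers, and fail the job if it returns anything.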

Self Assessment Test:

Each year you will want to take the self assessment test as explained earlier in this section. It might make sense to consult a third party PCI compliance approved scanning vendor to help you ensure you are answering the questions correctly.

Third Party Approved Scanning Vendors:

There are many approved scanning vendors that can ensure you are PCI compliant. Several sites like the PCI Security Standards Council have a list of the designated scanners in each country.

Storing Credit Card Data:

Storing credit card data is the riskiest part of becoming PCI compliant. Many eCommerce platforms do not store the full credit card number at all, only a few of its digits (typically the last four). If you do want to store full card data, it may make sense to look into third parties who can do this for you and take on the burden of that security risk, or to simply not store it at all.
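As an added example of the "store only a few digits" approach above (not code from the article): the script below validates a card number with the Luhn check, returns only the truncated form a merchant keeps, and includes an audit function that scans stored records or log lines for anything that still looks like a full card number. The card numbers and log line are constructed test values; the storage layout is an assumption.

```python
"""
Keep only a truncated card number, and audit stored text for full numbers.

Added example, not the article's code. Assumptions: the card numbers below
are constructed test values; a dict stands in for the stored record.
"""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_card_reference(pan: str) -> dict:
    """Return the only card-derived fields this example persists.

    The full number is validated and then discarded; nothing else from the
    card (full number, security code) is returned for storage.
    """
    digits = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_ok(digits)):
        raise ValueError("not a valid card number")
    return {
        "card_last4": digits[-4:],
        "card_masked": "*" * (len(digits) - 4) + digits[-4:],
    }


# Candidate full card number: 13 to 19 digits, optional space/dash separators,
# not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return Luhn-valid full card numbers found in text.

    Meant for auditing database dumps and application logs. The Luhn check
    cuts false positives (order ids, timestamps) but does not eliminate them:
    roughly one random digit string in ten passes, so review hits by hand.
    """
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


if __name__ == "__main__":
    # Constructed test card numbers, not real accounts.
    print(store_card_reference("4111 1111 1111 1111"))
    # Constructed log lines: one clean, one that leaked a full number.
    print(find_pans("order 1002 paid, card ************1111, ts 2024-01-05"))
    print(find_pans("debug: pan=5555-5555-5555-4444 exp=12/29"))
```

Running `find_pans` over log files and database exports on a schedule is a cheap way to catch a full card number that slipped into storage through a debug statement or a misconfigured form handler, which is exactly the situation the self assessment questions about cardholder data storage are asking about.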
