On April 20th, 2011, the headlines read, “Sony PlayStation Network hacked, again. 77 million accounts compromised.”
On December 18th, 2011, newspapers reported “Target victim of a massive data breach, data from 40 million credit cards stolen.”
On October 23th, 2015, “TalkTalk hacked by a group of 15-year-olds, data of 4 million customers breached”
This is just a small selection of data breaches that have happened in the past few years and yet, here you are thinking “meh, I’ll be fine.” Famous last words.
Look, I get it, the cost of becoming PCI compliant is high. It’s a long process that takes all kinds of resources. Who has time for that? Plus, everything has been fine so far, so why worry. Right?
For one thing, when you’re not compliant, and the worst happens, your company will be liable for all damages. This could involve tens of millions of dollars. Not fun. And you won’t win any brownie points with your customers either.
Secondly, when was the last time you actually looked into what it really takes to become compliant? I don’t mean Googling “PCI compliance” but actually reading the documentation?
I thought so.
Instead of making up scenarios in your head about how bad the process is, why don’t we walk through the steps together and discuss the real-life implications?
Sounds good? Great! Let’s get started.
What is PCI Compliance?
PCI compliance, for those who are new to the concept, is officially known as Payment Card Industry Data Security Standard (PCI DSS). It’s a proprietary information security standard for all organizations that store, process or transmit branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
It contains a set of security requirements that include everything from how your POS should be set up under your wireless WAN to eCommerce and more.
It’s a universal security standard that was first set up in December of 2004 when the aforementioned credit card companies came together to form Payment Card Industry Security Standards Council (PCI SSC) - the organization behind PCI DSS. The most current PCI DSS (version 3.1) came out in April 2015.
Before the formal security standard was established, different credit card companies had their own set of rules and regulations regarding credit and debit card security with roughly the same aim: to create an additional level of protection for card issuers by ensuring that merchants met minimum levels of security when they store, process and transmit cardholder data.
Screenshot of PCI Security Standards Council homepage
Is PCI Compliance Mandatory for Everyone?
By federal law, PCI DSS is not required in the U.S. However, some state-level laws refer to PCI DSS directly. For example, in 2009, Nevada incorporated PCI compliance into state law, requiring compliance of merchants doing business in the state and shielding compliant organizations from liability.
Similar laws were also enacted in Washington in 2010. However, PCI compliance was not made mandatory but, like Nevada, compliant organizations are shielded from liability.
Even without federal laws, PCI DSS compliance is required by major credit card schemes once your business reaches a certain size. And there are monetary penalties if organizations remain non-compliant. The fines can range from hundreds to hundreds of thousands of US dollars. Plus, in the case of a breach, you’ll be liable for all damages.
But since it’s a security issue you probably shouldn’t skimp on your business and customers’ security anyhow.
The Road to PCI Compliance
The truth of the matter is that becoming PCI compliant is only this huge complicated thing if you want it to be.
That’s because PCI DSS is set up in such a way that your responsibilities and requirements increase as you scale up your operations. So, you can take it one step at a time - as your business grows.
Now that you can relax a little, let's get started.
The road to PCI compliance consists of a set of hurdles created by three entities:
The Payment Card Industry Security Standards Council (the organization behind PCI DSS)
PCI Security Standards Council (PCI SSC) created the PCI Data Security Standard (PCI DSS) to make it easier for everyone to understand and comply with the standard which contains a laundry list of possible requirements (more on that later).
Major credit card companies (Visa, MasterCard, American Express, Discover and JCB)
- Acquirer bank/payments processor
Both banks and credit card companies can enforce additional requirements that are not covered by the PCI compliance standard. So, you’ll need to be prepared for unforeseen hurdles on a case-by-base basis.
When dealing with PCI DSS requirements, you can either go through the process yourself or get help from a PCI SSC Qualified Security Assessor (QSA) who will do most of the work for you.
Still, it’s a good idea to go through the process at least once to get an overview of what’s required and to make an informed decisions. Then, as your organization grows (and it gets increasingly difficult to manage everything by yourself) it makes more sense to bring in expert help.
Now that you understand “why” you need to be PCI compliant, let’s dive into the “how.” We’ll walk you through all of the requirements, starting with the credit card companies’ required levels of compliance. Then, we’ll talk about PCI DSS questionnaires, attestation and finally conducting a security/vulnerability scan.
Step 1: Determine Your Compliance “Level”
The first thing you need to do is to figure out which “level” of compliance your business falls under. For that you need to collect data on how many transactions are done with all the major credit card brands, ideally separated also by channel e.g. in-store or online.
Unfortunately, major credit card brands can’t seem to agree on how many levels are required for merchant compliance. For example, Visa has 4 Levels of compliance, while MasterCard has 5. And even if the name of the level is the same, the requirements and documentation needed by each credit card company varies.
For example, under the Visa compliance scheme, a “Level 3” merchant is a company that has 2,000 to 1 million ecommerce-only transactions per year. Meanwhile, the same “Level 3” for American Express means that you have less than 50,000 total transactions with them per year (see the chart below for more details).
Screenshot of American Express compliance “levels”
The one good thing about compliance levels is that although they are named differently, the documentation needed is basically the same. This includes an annual Self Assessment Questionnaire (more on that later) and a quarterly network scan performed by an Approved Scanning Vendor (more on that later).
Below is a handy list of links to help you understand the definition of compliance “levels” for each of the credit card brands:
Step 2: Complete the Self Assessment Questionnaire
The PCI DSS Self-Assessment Questionnaire (SAQ) is a set of documents that contain questions based on the requirements of the PCI DSS. In total, there are 12 requirements for compliance that are organized into 6 logically related groups. See the chart below for more details on the most current version (v3.1).
Image via Jackie Chen's IT Workshop
Each of the 12 high-level requirements described above have additional into sub-requirements. For example requirement #11 “Regularly test security systems and processes” has 6 sub-requirements.
Luckily, the documentation that comes with the requirements is very thorough and offers procedures and guidance with all of them (see an example below):
Screenshot of PCI DSS requirements document
In total there are 9 different variations of the SAQ. But you only need to comply with the specific SAQ that corresponds to your setup.
The variation that you need is dependant on how your organization handles credit card data, if any. For eCommerce-only setups, the ones to look into are SAQ type A or alternatively type A-EP (as described in the chart below):
Card-not-present merchants (eCommerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises
E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises.
The key difference between SAQ A or A-EP is in the requirements that you need to fulfill in order to be compliant. Questionnaire A has ~20 questions/requirements while A-EP has over a 100. So, it’s important that you identify the right questionnaire early on – so you don’t waste time filling out unnecessary paperwork.
To make your life easier, contact your payments provider to find out which version of the SAQ (A or A-EP) you can or should use. For example, Stripe, is fully compatible with the latest revisions to SAQ A, while others might not be.
As a final note on SAQs, the various versions of the questionnaire contain only the questions/requirements and offer no guidance. If you do need help, open up the PCI DSS source document and follow the requirements from there. The document contains procedures and guidance on all requirements and sub-requirements.
Step 3: Attestation of Compliance
After answering the SAQ, you’ll need to complete the relevant Attestation of Compliance (AOC). This is necessary to validate that you have complied with all the applicable steps.
Like the questionnaire (SAQ) before, AOC has 9 different versions (and you only need to complete the one that is relevant to your business). They are attached to the same file as your questionnaire, so you don’t need to find anything extra.
Additionally, in extraordinary cases, merchants might be asked to also fill “PCI DSS Designated Entities Supplemental Validation.”
Examples of organizations that would need this include those storing, processing, or transmitting very large volumes of cardholder data - or businesses that have suffered significant or repeated breaches of cardholder data.
Step 4: Submitting the Documents
The final step is to submit your filled SAQ and the AOC along with any other documentation, such as an ASV scan reports (see below for more details) to your acquirer bank and to the needed payment brands as requested.
Validation of compliance is then performed annually, either by an external Qualified Security Assessor (QSA) that creates a Report on Compliance (ROC) for organizations handling large volumes of transactions or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
What About ASV and External Vulnerability Scans?
An Approved Scanning Vendor (ASV) is an organization with a set of security services and tools (ASV scan solutions) that conduct external vulnerability scanning services to validate adherence with the external scanning requirements.
As for if you need it, it depends.
If you’re applying for an SAQ A-EP, you need it. It’s one of the questions in the form:
Screenshot from PCI SAQ A-EP form
And while AOC A includes the question in the screenshot below, it doesn’t necessarily mean that you need to be performing scans by approved ASVs. The form (SAQ A) doesn’t say that you need to check that box, it only says to “Check all that apply.”
Screenshot from PCI SAQ/AOC A form
So, from the point of view of SAQ/AOC A, an ASV scan is not needed. At the same time, some acquirers (payment providers) have it as one of the requirements to use their services. Again, it’s important to speak with your providers directly – even if you’re applying for SAQ A.
For a list of PCI SSC approved scanning vendors, click here. The scanning vendors’ ASV scan solution is tested and approved by PCI SSC before an ASV is added to the list.
Compliance Process Summary
To recap, this is what you need to become PCI Compliant:
Determine your compliance “level” with your bank and different credit card companies. Remember, each has their own slightly different rules.
Complete the relevant Self-Assessment Questionnaire according to it’s instructions.
Complete the relevant Attestation of Compliance form (contained in your SAQ form).
If needed, complete and obtain evidence of passing the external vulnerability scans by an approved ASV.
- Submit all of the above + any extra documentation that your acquirer bank and/or credit card brand and/or payments provider demanded.
What About EMV Cards? Don’t They Make Me PCI Compliant by Default?
EMV is a technical standard for smart payment cards and for payment terminals and automated teller machines that can accept them. EMV cards are smart cards (also called chip cards or IC cards) which store their data on integrated circuits rather than magnetic stripes (check the picture below).
Image via WikiMedia Commons
As for PCI compliance, the short answer is no. EMV cards don’t satisfy any PCI requirements, nor does it reduce PCI scope.
While cards with EMV chips represent a significant improvement in offline credit and debit card fraud detection and prevention, it does very little for the online world. EMV only works for transactions where you are physically using the card. It does not encrypt the data on card/chip. So, for online transactions, the card data must still be protected according to PCI guidelines.
It does, however, make a difference when you also have a brick-and-mortar outlet where you accept card payments. As you’re most probably going to have to upgrade your devices anyway, it would make sense to get EMV terminals with point-to-point encryption (P2PE) capabilities to reduce offline PCI scope and protect your data end-to-end.
Still, even if all your transactions occur online you’ll want to take a closer look at your payment gateway and its acceptance methods. As EMV chip cards with their strengthened offline security go into effect, more and more credit card fraud is likely to move online. So, be prepared for that. It’s what happened in Europe, and is expected for the States.
Image via EMVCo
What is PCI Compliance Going to Cost Me?
When it comes to putting monetary values behind becoming PCI compliant, things get a bit tricky.
For one thing, there are a variety of factors that play a role in assessing “PCI costs.” Your company size (# of employees, revenue), the # of transactions per credit card company, your current security measures, how and by whom are transactions handled by and many more other things all play a role.
Even if we take a similar sized company with similar sales and security measures currently in place, the simplest thing like who is handling their online payments can add or remove huge costs from the equation.
The second, and for me, bigger reason for why I personally have a problem talking about “PCI costs” is that PCI Data Security Standard is simply a set of rules and requirements which were put in place when fraud started to become a major problem and merchants didn’t seem that interested in protecting their customers’ data.
So, the big credit card companies came together and decided to make everyone’s life better by putting in place a defined set of security requirements that protected everyone's data.
Sure, the credit card companies only did it because they got sick and tired of picking up the tab for all the fraud for which they were liable. So, they created a system in which the responsibility moves to merchants. BUT if the end result is better security for everyone, I don’t see a problem with that.
So, it’s important to understand that costs only seem high because so many businesses didn’t pay enough attention to their customers’ data security earlier on.
Still, we always try and include any and all relevant data that we find on the topic at hand and it’s the same with PCI costs. So, I’ve summarized the data I’ve managed to find on the topic.
- Gartner estimated that in 2007 the nation’s biggest merchants spent ~$125,000 assessing the scope required for PCI-related work, plus another ~$568,000 to meet the requirements. Merchants with 1 to 6 million transactions per card type spent in the ballpark of ~$105,00 for scoping and ~$267,000 for compliance. And merchants with 20,000 up to 1 million transactions per card type expected to spend between ~$44,000 on scoping and ~$81,000 for compliance.
- A newer study by the Ponemon Industry in 2010 found that the largest merchants are paying on average $225,000 for compliance-related work and that 10% of the largest ones are paying $500,000 or more annually.
Again, these are “on average” numbers. So, the costs involved will vary greatly from company to company.
A Final Note on Data Breaches
Image via WikiMedia
As I previously mentioned, data breaches due to the serious lack of meaningful security practices are the reason that the Payment Card Industry Security Standards Council was formed back in 2004.
According to latest data from “2015 Cost of Data Breach Study” done by Ponemon Institute that looked at 350 companies from 11 countries, the total cost of data breaches per case basis has increased 23% from 2013 and now reaches on average $3.79 million.
Meanwhile, the average cost per lost or stolen record has increased 12% since 2013 and now reaches $154. It’s important to note that this is an average number taken from data across the world. Looking at specific countries, such as in India, the average cost per record is the lowest at $56 while in the US that number reaches $217.
And it’s not just purely money that is lost either. When you suffer a major data breach it will disrupt your normal business operations as you try to understand what has happened. This translates directly to lost business and, more importantly, loss of trust for your brand.
Perhaps one the most highly publicized recent data breaches (right next to the Ashley Madison hack this past summer) is the one that happened with Target back in November and December of 2013. In total, data from 40 million credit and debit cards and 110 million customers was stolen. That one hack alone cost Target at least $162 million.
Funnily enough, it’s so well known that when you search for the term “data breach” on Google and look for images, Target is one of the sub-categories.
Screenshot via Google
While another breach at Home Depot in September of 2014 cost credit unions nearly $60 million and effected more than 7 million debit and credit cards. There’s no data on how much the company itself ended up paying.
With hacks happening more frequently, even with organizations that are PCI compliant, it raises the question of what’s the point of being compliant when successful attacks can still take a business down? On the one hand, being compliant gives you reassurance that when an attack does happen, you’re not directly liable to credit card companies from fraud that will come from someone hacking you.
On the other hand, it’s important to note that PCI compliance doesn’t guarantee safety. In fact, the PCI Security Standards council say themselves that PCI compliance should be followed as the minimum requirements for protecting your business and customers. And there is always room for more steps and security measures to be implemented.
And in 2009, Visa’s Chief Enterprise Risk Officer, Ellen Richey, said that Payment Card Industry Data Security Standard "remains an effective security tool when implemented properly," adding that "no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
Wait, Can Shopify Plus Help Me Out With PCI Compliance?
When it comes to compliance of Shopify Plus powered stores, I’m happy to say that we meet all of the PCI Level 1 compliance standards.
This means that when you choose Shopify to power your online store, you can rest easy knowing that we invested significant time and money to obtain our PCI certification and that our certification covers your online store, its shopping cart and web hosting.
PCI compliance is not this huge monster that’s out to get you, it’s actually a logical process with well-defined steps and lots of supporting documentation. And in the end, it’s there to save you from a world of potential pain.
Do you want to be the next Target or Home Depot? Or, is it finally time to take PCI compliance seriously? Replatforming to Shopify Plus can save you a lot of time and resources to get you there faster. Just saying... It wouldn’t be the worst idea in the world.
About The Author
Ott Niggulis is a chef/paramedic/freelance writer who focuses on marketing and CRO. Marketing is a numbers game and he loves numbers. Follow him on Twitter.