Doing e-commerce? Are you PCI Compliant?

I’m a creative problem-solver driven by the desire to see small businesses improve their image and succeed. I’ve got over 20 years experience and have worked with clients as large as Nike and as small as a local sole-proprietor. I’ve been an advocate for education, a member of prestigious design organizations, won awards, and been invited to judge design competitions. Over the years, I have also written blogs and articles for a number of online sites and print publications. I have a heavy background in art, photography, graphic design and thinking outside the box. When not working, you’ll find me getting outdoors, practicing Qi Gong, snowboarding, camping, collecting rocks, and driving around in a sweet 1970 Camaro.

Sherry Holub

Last updated on August 27th, 2022

Back on January 1st, 2011 the credit card industry rolled out mandatory PCI Compliance for both e-commerce and traditional brick and mortar merchants who accept credit cards. Here we are 2 years later and many business owners delving into doing business online and obtaining a merchant account are still unaware of what steps they need to take in order to be PCI Compliant and avoid monthly penalty fees (or worse). Discovering just what PCI Compliance is and getting through the gauntlet of the Self Assessment Questionnaire (SAQ) and quarterly website vulnerability scans can often seem pretty overwhelming, let alone confusing if it’s your first foray into it.

First, what IS PCI Compliance?

In a nutshell, the Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that every company that processes, stores or transmits credit card information must maintain a secure environment. So if you have obtained a merchant account (usually though a financial institution or merchant services provider – a merchant account is NOT Pay Pal or other 3rd party services like that) in order to accept credit cards (Visa, MasterCard, American Express, Discover and JCB), you must be PCI Compliant, no exceptions. It does not matter how large or small your business is (you can be a large corporation or sole proprietor with a home office). PCI Compliance is also worldwide, so it applies no matter what country you are in.

I highly recommend reading the full, current PCI DSS here on the PCI Security Standards Council website. I also recommend the PCI SSC Quick Reference Guide download (PDF) and the Top 5 Security Best Practices for Small merchants download (PDF), and BluePay’s PCI Compliance Guide. Lastly, we found a wealth of information on the Control Scan website in their Library section.

What’s the worst that could happen if I’m not PCI Compliant?

Having your customer’s credit card information compromised can cause severe damage not only to your customers, but to your entire business as well. It could damage your overall reputation, cause a catastrophic loss in sales, lead to lawsuits, insurance claims, cancelled accounts, payment card issuer fines, and even government fines. Sounds scary, right? It is. And this is why you should not take running an e-commerce business online lightly. Once you’ve gone through the process of creating a professional website, jumped through all the hoops to get the merchant account set up, and done all the other things required to do business, you don’t want to ignore these PCI requirements.

Now that I’ve got your attention …

Let me clarify one thing first: we are a professional design and web development company. We are not responsible for making sure your business is PCI Compliant. We already utilize and recommend PCI Compliant web hosts and shopping carts (that do NOT store credit card data), but it is not our job to help you with, or answer questions about, the yearly Self Assessment Questionnaire (SAQ), quarterly website scans, or anything to do with your merchant account. This article is simply to give an overview of what PCI Compliance is, act as a helpful guide to resources available on the web, and offer a few tips that we’ve learned by going through the process ourselves.

What is the Self Assessment Questionnaire and website scan and where do I go for these?

The Self Assessment Questionnaire is a validation tool for service providers that are not required to go through an on-site data security assessment (so that includes e-commerce businesses). You will need to determine which SAQ to take by answering a few preliminary questions. You will need to retake this questionnaire every 12 months in order to remain PCI Compliant. When you are filling out the questionnaire, if you are not compliant in any area, you will be notified and given instructions on how to remedy the issue. You will need to do that before you can continue and become compliant. You can read more detailed information on the SAQ from the PCI Security Standards Council website here. Your merchant account provider should tell you which company they use.

The Vulnerability Scan is required quarterly if you run an e-commerce website (selling products OR services) and have a merchant account. You must use a PCI SSC Approved Scanning Vendor (ASV). Your merchant account provider will have a specific company they refer you to for this (and it can usually be found at the same company or provider’s website where you take the SAQ).

Once again, your merchant account provier should direct you to the steps you need to take in order to access the SAQs and set up website scanning. You should NOT be charged an additional fee for these services. Although some companies do offer additional services such as specific PCI training or additional scanning services that they DO charge for. If you’re ever unsure of a service related to PCI Compliance or whether you need it, call the number of the approved company or provider or your merchant account provider and ask them. There will be a PCI charge on your monthly statement, and this is normal unless that charge starts showing up as a, “PCI Non-Compliance fee” (and when that happens, it usually means you have not done the SAQ or required website vulnerability scan).

To recap, the basics you need to know in order to avoid the fees and other potential issues of being non-compliant are:

Make sure to fully read and understand the PCI Standards and Documents.
There are six categories of basic PCI Compliance and you can read those on the PCIComplianceGuide.org website.
ALWAYS use a PCI compliant host (ask us for recommendations if you need to).
ALWAYS purchase an SSL certificate for your website.
ALWAYS use strong passwords (try the Strong Password Generator here).
ALWAYS use a PCI compliant shopping cart or other e-commerce solution (ask us for recommendations if you need to).
ALWAYS have up to date firewall and virus protection software on your computer.
Do not store a customer’s credit card information on a computer or in your website’s database. Any printed customer credit card information must be secure at all times or destroyed properly.
Create a security policy and make sure any of your employees, contractors, etc. are fully aware of security protocol.
If your Merchant provider has not specifically directed you to a PCI Approved Company or Provider that they are working with, ask them specifically or check the PCI Approved Companies and Providers here.
Once you locate the Self Assessment Questionnaire at the Approved Company or Provider, make sure to thoroughly read the instructions and answer each question accurately.
Complete the quarterly vulnerability scan and if any vulnerabilities are found, fix those immediately and schedule another scan.
Use your merchant account provider’s recommended company or provider for the SAQ and vulnerability scan. If you do not, your merchant account provider will not accept you as PCI Compliant.