PCI Compliance – A Store Owners Perspective

A lot of people ask me about what PCI Compliance is and why they need a PhD to decrypt the wording or try to understand it. PCI stands for “Payment Card Industry” and was founded by the major credit card companies to bring the whole e-commerce industry to a certain security standard. I feel what people need to know is easiest to understand if we look at it from a store owners perspective. Lets start with a brief overview of how someone starts a web store right through to the point of operating successfully.

You chose the store script that you want to use and for this example we will use Zen Cart. You purchased a Domain, SSL Certificate and quality Hosting. Let me touch on the last thing “Hosting” and you may be asking what is quality hosting? What I consider quality hosting is a company that has the following attributes:

1) A toll free number with 24/7 tech support

2) The hosting company however big or small owns their own servers. Do not do e-commerce business with companies that rent servers from the data center or run virtual servers.

3) Talk to the company representative and ask the technical questions and make sure you are comfortable with dealing with them. Make sure they know their stuff.

4) Make sure the hosting company can provide a certificate of PCI Compliance. This proves they are in the e-commerce game and they have their servers scanned and their security practices are superior.

5) Does the hosting company support the software application you are using. In this case Zen Cart?

6) How many accounts are run on each server? What you want on a shared server is as little as possible. Remember cheap hosts will jam pack severs (thousands of accounts) to fulfill their financial requirement and more expensive hosts will limit the number of accounts per machine to 100-200. Ask the host what they run for a server environment. If they are not running quality servers, they are not worth the money. Quality servers can run upwards of $10,000. Ask your questions. A good example is GeekHost.ca

Now that we have the “how to choose a host” out of the way we will assume you have your Zen Cart site up and running with your domain and SSL. So what is next? You need to take payment from your customers so you will need to give a few options. Not every customer is going to have a credit card so give them the option of paying by Paypal. This will increase business you would never have had before. Now it is time to choose a company to provide you with credit card processing.

There are two types of processing out there and they are the “Aim” method where the customer never leaves your online store to process the transaction. The credit card information is sent encrypted to the “gateway” or “processor” and an approved or denied response is sent back while your customer waits and the order is processed accordingly. This is the best way.

The second method is called the “Sim” method. When the customer clicks to pay for the products, they are transferred to the payment processor to complete the transaction on their website. Once the transaction is approved, they are transferred back to your store where the order is completed. In my experience, I have seen more customers abandon their orders this way.

It is very important to note that in both of these cases, the customer’s credit card details are not stored by you using Zen Cart. The only details that are stored are the shipping details and the transaction number.

Make sure you choose a processor that has a payment module to use with Zen Cart. There are many of them to choose from. Call a few and ask the rates. Normally a professional “Gateway & Merchant account” will charge you a one time setup fee of about $100. There is also a monthly fee that will run you $15-$20 per month. Lastly and based on your personal credit and the amount of transactions you do there is a percentage fee usually anywhere between 1.9-3.2%.

If you do not qualify for any of these you may be able to get Paypal’s Web Payments Pro Service. They are a bit pricier but they do accept new businesses and owners with a few dents on their credit history.

Now that you have found the “Processor / Gateway” they are going to litter you with a bunch of PCI paperwork to do. This is that fun part and what this whole article is about.

PCI Compliance is the standard in which you manipulate credit card data and user information from the time your customer enters their card number on your website, tells you the number over the phone, manually input it into a POS terminal or swipe a card on a terminal. It does not stop there, it illuminates the manner in which you conduct business, the people you hire and the way you dispose of your trash.

The question I hear the most is who needs to be PCI Compliant?

The answer is (most don’t like to hear it) every business that accepts a credit card no matter the dollar amount and no matter how few transactions they process.

Since this is based on running an online store with Zen Cart, I will bypass everything but the requirements for an online web store owner.

It is a PCI requirement that you must have the server and your website scanned at least quarterly. You must retain the services of an ASV (Approved Scanning Vendor). Scanning companies or ASV’s (Approved Scanning Vendors) will scan your server and website once a week and send you a vulnerability report based on it’s findings. I favor Controlscan because of their prices and customer service. They are a lot cheaper than the more popular “Hackersafe” etc. After you have passed the scan it is time to fill out what is called the SAQ forms. The SAQ or “Self Assessment Questionaire” is a written declaration that you are following the security guidelines set forth by the PCI Security Council and Credit Card companies.

Fill this out truthfully as this is the document that the credit card companies retain from your merchant services to conduct an investigation in the case of a breach. If you blindly check ok to all requirements, you may be opening yourself up to liability. Be sure to check “yes” to things that you are positive about, contact your host for the rest of the answers regarding their services and environment. If something doesn’t fit with your company or doesn’t apply to you, then state that. That is the reason why there is a “N/A” check box.

Ok so what forms do you fill out? To Identify yourself as a particular merchant consult the following:

Merchant Level Criteria Onsite Security Assessment Self-Assessment Questionnaire Network Vulnerability Scan
1 At least 6 million transactions annually from any acceptance channel Required Annually N/A Required Quarterly
2 1 million to 6 million transactions annually from any acceptance channel At Merchant Discretion* Required Annually* Required Quarterly
3 20k to 1 million ecommerce transactions annually N/A Required Annually Required Quarterly
4 Less than 20k ecommerce annually or less than 1 million transactions from any acceptance channel annually N/A Required Annually Required Quarterly

All store owners starting a new business are a Level 4 Merchant. As you can see above it is based upon how many cards you process per year. Now it is time to determine what SAQ or “Self Assessment Questionaire” you should be filling out and below I have another table categorizing the SAQ Level A-D.

SAQ Validation Type Description SAQ
1 Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced.  This would never apply to face-to-face merchants. A
2 Imprint-only merchants with no cardholder data storage B
3 Stand-alone dial-up terminal merchants, no cardholder data storage B
4 Merchant with payment application systems connected to the internet, no cardholder data storage. C
5 All other merchants (not included in descriptions for SAQs A – C above) and all service providers defined by payment brand as eligible to complete an SAQ. D

SAQ “A” is reserved for merchants who outsource the billing to a company. For example Paypal IPN (Paypal Standard) or Paypal Express or any processing company that uses the “SIM” method as I explained above. You as a store owner do not handle the credit card numbers at all and all billing is done separate from your website.

SAQ “B” is for the store owner that still uses the manual credit card imprint machine that are still used as backup to the electronic POS terminals. This also applies to POS terminals that are connected via  secure “Dial-up”. This connects directly to the gateway services or credit card company (note this does not mean dial-up internet.)

SAQ “C” will apply to all merchants that process on their website using the “Aim” method and do not get credit card numbers over the phone.

SAQ “D” is reserved for merchants that do a combination of  the above such as processing on their website and accepting credit cards on the phone, which they process via a POS terminal or via Virtual Terminal. A virtual terminal means that you open a browser window on you computer and connect securely with the gateway company on the internet and type in the credit card numbers on their website.

Now that you understand what merchant you are and what SAQ you fill out (in our example case 4-C) we can safely fill out the forms. Once the forms are submitted back to the scanning company, they will produce what is called a Certificate of PCI Compliance. This is the document that you will submit to your merchant services, gateway or bank.

What happens if you get a scan that does not pass? You will need to do one of two things. If it is server related, contact your host, they may be rectifying the issue or it may be a false positive. If it has something to do with your store software, you may need to update or it may be a false positive. In any case stay on top of it.

Congratulations you have completed the PCI process, all you now need to do is maintain it.