PCI Compliance For Ecommerce

Author: Jennifer | Date: October 28, 2020

What is PCI compliance?

PCI compliance is essential for anyone taking credit card payments online, or credit card payments where the card is not present. PCI stands for “payment card industry”. The standards laid out by the credit card industry are designed to ensure the safe handling, transmission, and storage of sensitive payment data. The first draft was introduced in 2004 by the Payment Card Industry Security Standards Council, and the standards have been evolving to better protect consumers ever since.

How to become PCI compliant

Being PCI compliant is not law! (At least, it’s not law as of October 2020.) Remember, the Payment Card Industry Security Standards Council maintains the list of standards. The federal government is not involved. So, why might you want to be PCI compliant when accepting payments online? Because violating these standards can lead to the inability to accept credit card payments.

If your organization processes, stores, or transmits payment card data, then you should strive to achieve PCI compliance.


First, it helps to decide what type of merchant you are.

Type A applies to e-commerce or mail order businesses where the card is not present for the transaction. These companies will have outsourced all cardholder data processing functions and have no electronic storage, processing, or transmitting of cardholder data. All elements of the payment process must originate from the payment processor. This can be via a link on the site to the payment processor or through an iFrame on your website.


Type A-EP applies to e-commerce merchants who only partially outsource payment processing to PCI DSS compliant service providers. A-EP merchants typically have a website that redirects users to a payment processor at the point of payment. The website could use direct post or JavaScript forms, or simply collect the payment data and send it to the payment processor. While these merchants are not storing, processing, or transmitting card data, their website could impact the security of the payment process.

It may be difficult to tell if you are Type A or Type A-EP. The manner in which the consumer is redirected to the payment processor and where the payment page components are provisioned from dictates your type.

No matter what your merchant type, you are still required to follow all of the PCI DSS standards.

Sometimes data must be stored. Here are some tips on safe data storage:

  • Do not store credit card data unless absolutely necessary.
  • Do not locate servers or other payment card system storage devices outside of a locked, fully secured and access-controlled room.
  • Do not store any payment card data on PCs, laptops or smart phones.
  • Do not permit any unauthorized people to access stored cardholder data.
  • Ensure that third parties who process your customers’ payment cards comply with PCI DSS, PED and/or PA-DSS as applicable.
  • Have clear access and password protection policies.

Milestones for Prioritizing PCI DSS Compliance Efforts

For a very comprehensive look at PCI DSS compliance, visit the Payment Card Industry Security Standards Council’s website. There are twelve PCI DSS requirements. However, there is a 6-milestone action list for a prioritized approach to PCI compliance. See the PCI SSC website for a very detailed explanation for each of these milestones. We are only providing a brief overview here.

  1. Remove sensitive authentication data and limit data retention.
  2. Protect systems and networks, and be prepared to respond to a system breach.
  3. Secure payment card applications.
  4. Monitor and control access to your systems.
  5. Protect stored cardholder data.
  6. Finalize remaining compliance efforts, and ensure all controls are in place.

What happens if you’re not PCI compliant?

Since the federal government isn’t the one who issues punishments, who does? The merchant’s acquiring bank issues fines for those not PCI compliant. Why? Because they are on the hook for your delinquencies.

An acquiring bank (also known simply as an acquirer) is a bank or financial institution that processes credit or debit card payments on behalf of a merchant.

This means that if you take credit card payments, you are on the hook for PCI compliance. This is true for large retailers and small, online shops alike.

PCI compliance requirements for ecommerce

PCI compliance is the job of everyone, not just IT. Everyone who comes into contact with a customer’s credit card data must be trained in PCI compliance. Even if you outsource compliance, your organization cannot pass the buck completely to the consulting firm.

PCI compliance checklist

There are several PCI self-assessment questionnaires, or PCI SAQs, online. They are designed to help merchants assess their security standards when it comes to accepting credit card payments when the card is not present. To find a PCI SAQ appropriate for your organization, contact your financial institution.

There are 8 PCI SAQ validation types. SAQ Validation Type A (SAQ A) and SAQ Validation Type A-EP (SAQ A-EP) probably cover most online businesses without brick-and-mortar locations.

It is wise to take the questionnaire every year and keep the results on file. Failure to have a properly completed questionnaire could result in a loss of insurance and/or increased liability, even if you’re outsourcing most of the liability to a third party.

If you still have questions about PCI compliance, or are in need of a website or website SEO marketing, please contact us!

Design and hosting by CourseVector. All rights reserved. Copyright 2021.