PCI Compliance and PCI DSS: A Brief Primer That May Save Your Business

If you don’t have an extremely solid understanding of what PCI Compliance is, and you take credit cards in any way, then I beg you to read this article in its entirety. It’ll be the best 5 minutes of your week. Now that I’ve set the expectations high, let’s get on with it…

What the serious heck is PCI Compliance and PCI DSS?

PCI compliance is a phrase fairly unknown to most people, but a phrase that can send chills down the back of those familiar with e-commerce. Why? Because it can be super-scary, and I’m here to make you feel a bit better about it.

PCI Compliance, or Payment Card Industry Compliance is born out of something called PCI DSS (Data Security Standards). There’s a lengthy history of PCI DSS, but I’ve summed it up for our wonderful readers with a very simple dialogue, as follows:

Internet: “It’s 2006, and OMG, so many people are using credit cards to make online purchases with me!”

Bad people in the world: “Wow, it’s 2006 and so many people are using their credit cards online. I can totally steal the credit card information super easily and make fraudulent purchases at places you’d never shop.”

Smart techy people: “We need to form a governing body, and set some rules set in place to stop the bad people from doing bad things to people with poor taste in where they shop. Ok, let’s start PCI DSS, and it’ll be a list of things that companies must do to protect consumers from said bad people.”

And then, my friends: PCI DSS was born.

Should you care about PCI Compliance and PCC DSS?

Yes. If you’re a business owner taking payment, then this article is meant for you. If you’re a consumer, then you should also know if a company is PCI Compliant.

Why business owners should really, really care?

If your transactions are hitting your server in any way, you’re liable. If there’s a breach, you can be fined from $5,000 to $500,000 per month.

What Can You Do about PCI Compliance and PCC DSS?

There are a few options. If you’re looking to read through hundreds of pages PCI DSS guidelines, then have at it. However, since the interwebs are filled with such glorious e-commerce platforms, they can take the heavy lifting and let you do what you’re good at: selling goods and services. Many e-commerce platforms have likely invested millions to make their platforms as secure as possible.

Let’s go over some basic terminology to ensure we’re cruising down the same boat.

E-commerce package: This is what sells your products. This may or may not be part of your main website.

Merchant’s web server: Where your e-commerce is hosted. If using a package such as Shopify or the likes, this is most likely also your web server.

Payment Gateway: This is what connects the e-commerce package to the banks. Think of the payment gateway as the super gossipy kid in class that’s passing notes back and forth to everyone. 

Settlement Bank: This is where your funds get settled (aka your bank).

So someone buys a Grumpy Cat t-shirt off your site (E-commerce package), it goes through the payment gateway, your payment gateway chats with the e-commerce platform (which may or may not be part of your site) and eventually – into your bank account. Within that process, it could also hit the merchant web server. In that case, you’d be totally open for PCI DSS scrutiny. 

We good? Cool. Let’s go on…

So instead of using an e-commerce platform *and* a payment gateway that hits your own servers, you can use a fully hosted solution (which lives on their servers – their liability). Anytime you’re evaluating anything that accepts payments, be sure you ask about this aspect in writing.

“Are you 100% fully PCI Compliant?”

Surprisingly, many vendors will start to dance and avoid the question. If they do this – run, don’t walk – run away. We’ve had conversations with extremely well-known form services that “leave it up to the customer to handle PCI compliance.”

Some e-commerce platforms are fully compliant, and take pride (as they should) in it. For example, Shopify boasts full compliancy, however it’s also important to ensure any payment gateways they work with also claim the same. This is imperative. On the other hand, BigCommerce seems to be a bit more vague with their statement: “BigCommerce takes care of the vast majority of the steps toward PCI compliance for any customer on our platform.” (via https://www.bigcommerce.com/blog/pci-compliance/). *As a disclaimer – we don’t get any kickbacks or anything from Shopify: we just really like them.

If you take a look at the two links above, you’ll see a really noticeable difference: Shopify is quite straightforward about it. “Yes, Shopify is certified Level 1 PCI DSS compliant. This compliance extends to all online stores powered by Shopify,” says their site. This, compared to BigCommerce, is very different. BigCommerce’s explanation seems to go on and on, and dancing around the fact a bit.

These are the red flags to look for. BigCommerce may be PCI DSS compliant, but it’s a bit difficult to tell.

In general, when the payment is hosted elsewhere (say PayPal), it’s safer to know they’re compliant. However, with PayPal’s “on page” payment solution (e.g. Payflow), where the transaction is made on your site (e.g. www.myshop.com/payment) vs. (www.paypal.com), PCI compliance once again becomes a major issue.

The same red flags go for anything that receives payment; online forms, event registrations, you name it. These are questions you should be asking yourself, your IT team, your app vendors (e.g. Shopify, Wufoo, etc).

The best takeaways I hope you receive from this article are:

– Ensure you know what PCI Compliance/ PCI DSS is.
– Understand the right questions to ask.
– Understand the red flags.
– If red flag – then run!

If you have any questions on e-commerce, we have a lovely team that’s happy to help. Just give us a shout here.