PCI Compliance, What Do Most Small eCommerce Businesses do?
Despite credit card companies stating that you must be PCI compliant, the reality is that very few small businesses actually perform any of the diligence required to be PCI compliant, let alone follow through with the actual paperwork and quarterly scans. Presently, it appears that it is left up to the payment processor or merchant bank handling your account to ask for evidence of PCI compliance, since they are at risk if you are hacked. This process is costly, and most merchant banks won’t require a small business to prove that it is PCI compliant, because they would likely lose that business to a competitor that doesn’t require evidence of PCI compliance. On one hand, PCI compliance is officially required by the credit card companies; on the other hand, it is referred to as voluntary. This contradiction contributes to the confusion surrounding the issue. Since it can be expensive and requires effort, most people don’t officially become compliant by filling out all the paperwork, and merchant banks don’t usually require small eCommerce businesses to prove PCI compliance. This article first defines some basic terms you should know in order to understand eCommerce. Next it describes what people are asking about PCI compliance, what is officially required, and what most small businesses are actually doing. The ultimate decision regarding which eCommerce platform to use and whether you want to be fully PCI compliant is up to you.
Definitions Necessary to Understand PCI Compliance
PCI compliance
A set of security standards that you are asked to comply with if your website takes credit card or debit card orders. The major credit card companies got together and agreed on these security standards. These companies are: VISA, Mastercard, American Express, Discover and JCB. PCI compliance applies to ANY person or organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. For example, PCI standards would apply to a person who wants to start a small business selling something on the internet and will be taking credit card orders. There are ways to set up your eCommerce platform that will likely make you PCI compliant, by transferring most of the security burden to another company, but you will still not be officially PCI compliant until you fill out an SAQ and possibly hire a company to do quarterly scans.
Self-assessment Questionnaire (SAQ)
The SAQ is a form that merchants (sellers) use to demonstrate that they are PCI compliant (or working toward it). Filling out this form is part of the process of becoming PCI compliant. There are a total of eight different questionnaires (A, A-EP, B, B-IP, C-VT, C, D, P2PE-HW). Businesses that decide to become officially PCI compliant will need to figure out which form is the right one for them to fill out. SAQ-A is the easiest form to fill out. SAQ-A is for businesses that do not handle credit card data in any way (they transfer the data collection to a third party).
Qualified Security Assessor (QSA) firms
These companies can be hired to verify that your eCommerce platform is PCI compliant, and if it isn’t, they can help you become PCI compliant. Note: most small businesses don’t use a QSA; they are expensive, and since no one is likely to ask you for official proof of PCI compliance, virtually no one bothers to do it.
Bank account types
- Merchant account: a special type of bank account for businesses that can accept money received from credit card transactions. A merchant account is harder to get than a standard business account (which is described below).
- Business account: a standard business bank account. It holds your company’s funds; it is not hard to get.
- Personal account: your own personal bank account.
PCI compliance levels
Your company will fall into one of four levels based on how many credit card transactions you process per year. For example, if you process over 6 million VISA transactions in a year, you will be level 1. Level 4 merchants process fewer than 20,000 VISA credit card transactions per year. These thresholds appear to vary for each credit card company; the numbers above are for VISA only.
Parties involved in a credit card transaction
The next few definitions appear to be difficult for people to explain; this is my best interpretation of what I could find from various sources:
- Credit card company: self-explanatory: Visa, Mastercard, etc.
- Payment processor: A payment processor is a company that uses software to directly access the credit card information of individual people from the major credit card companies. When a credit card transaction is made, the payment processor transfers the money from a person’s credit card account to the payment gateway (see below).
- Payment gateway: When a customer submits a credit card order from your website, the payment gateway takes money from the customer’s credit card by contacting the payment processor (see above) and then transfers the money to your merchant bank account (see below). Note: usually the company that serves as the payment gateway also serves as the payment processor and provides the merchant account, so these three terms are often used interchangeably.
- Merchant bank account: If you set up a business, you may wish to get a special bank account called a merchant account. Any money you receive from credit card orders goes into this account. You can then transfer the money from your merchant account to your personal account or a business account. It’s a little tougher to get a merchant account than a regular account; you have to apply. Some businesses don’t want to go through this application process, or their business doesn’t qualify due to things like poor credit history. It seems like most small businesses, even those just starting out, should be able to get a merchant account if they want (see: merchantaccounts.ca). There is an alternative to getting a merchant account: a third party payment processor (see below).