Does a small eCommerce business need to do anything to become PCI compliant?  If so, what?

Conclusions 

I’ve started with conclusions to save you reading this wall of text, in case you’re not interested in the finer details:

  • PCI compliance is a set of rules created by credit card companies that apply to every business that takes credit or debit card orders online.
  • To be clear: any business that takes credit or debit card orders is “supposed” to be PCI compliant, period.
  • There are virtually no small businesses that are officially PCI compliant.
  • Obtaining official PCI compliance is costly, even if you qualify for the simplest form: SAQ-A. My ballpark estimate (from the little research I’ve done) is it will cost you around $4000 annually to hire a QSA firm, if you qualify for SAQ-A.  This cost may drop somewhat if your eCommerce setup is very simple, but that gives you an idea.  If your situation is more complicated and you have to use a form other than SAQ-A, it may cost you $100’000 or more to do the scans and make the technical changes necessary to become PCI compliant and to prove it.
  • Very few small businesses have filled out an SAQ and had the security scans and sent this data to their merchant bankers, therefore very few are officially PCI compliant.
  • Currently, very few merchant banks are requesting proof of PCI compliance from small eCommerce business owners.
  • Currently, there appears to be a huge range in security practices among the many small to medium sized eCommerce companies. Some companies use 3rd party payment processing options and are probably very secure (but not officially PCI compliant), while others accept credit card data directly on their servers, have poor security practices and are vulnerable to hackers that could intercept this data.
  • While the penalties for businesses that get hacked and are not PCI compliant can be severe, it appears that very few businesses that get hacked are actually prosecuted to the extent that they could be (if at all). This is a guess based on limited and anecdotal evidence.
  • The safest solution for small businesses is to use a 3rd party service to handle all credit card data, so that customer credit card data never touches your servers. Options include but are not limited to: Shopify (or equivalent), some versions of PayPal (or equivalent), Mijireh (in combination with some payment processors) and merchantaccounts.ca (or equivalent).  You will still not be PCI compliant until you get a security scan and fill out form SAQ-A, but since those are prohibitively expensive, the options above are about the best you can do.

Background on PCI Compliance

The question: What does a small eCommerce business need to do to become PCI compliant?

This question has been asked many times on the internet and, after a lot of searching, I did not find clear answers anywhere.  However, after looking at all of the evidence collectively, I have come to some conclusions.  This is not a list of the official guidelines (you can find those anywhere); it is my take on what small eCommerce businesses are actually doing with respect to PCI compliance.  I do not claim to be an expert in this area, in fact just the contrary.  The short answer to the question is: everyone taking credit card orders is required to be PCI compliant, period.  Even if your eCommerce platform redirects customers to a third party (like PayPal) to deal with customer credit card data, and even if all sensitive data is handled by the third party server, and even if your servers never touch customer credit card data, you are still supposed to be PCI compliant.  Many people have commented that the setup described above frees you from the PCI compliance obligation; it does not.  It simply makes it more likely that you would be PCI compliant, if you attempted to become certified.  If you want to become PCI compliant, the scenario described above is exactly what the self assessment form SAQ-A is designed for.  Filling out an SAQ form is part of the process of becoming PCI compliant; more details are in the sections below.

This page about SAQ-A was found on MWR Infosecurity’s website.  It talks about what I’ve described above; that eCommerce merchants who outsource handling of all customer cardholder data to 3rd parties are still not PCI compliant until they fill out form SAQ-A.

PCI Compliance, What Do Most Small eCommerce Businesses do?

Despite credit card companies stating that you must be PCI compliant, the reality is that very few small businesses actually perform any of the diligence required to be PCI compliant, let alone follow through with the actual paperwork and quarterly scans.  Presently, it appears as though it is left up to the payment processor/merchant bank handling your account to ask for evidence of PCI compliance, as they are at risk if you are hacked.  This process is costly, and most merchant bankers won’t require a small business to prove that they are PCI compliant because they would likely lose that business to a competitor that doesn’t require evidence of PCI compliance.  On one hand, PCI compliance is officially required by the credit card companies; on the other hand, it is referred to as voluntary.  This contradiction contributes to the confusion surrounding the issue.  Since it can be expensive and requires effort, most people don’t officially become compliant by filling out all the paperwork, and merchant banks don’t usually require that small eCommerce businesses prove PCI compliance.  This article first defines some basic terms you should know in order to understand eCommerce.  Next it describes what people are asking about PCI compliance, what is officially required, and what most small businesses are actually doing.  The ultimate decision regarding what eCommerce platform to use and whether you want to be fully PCI compliant is up to you.

Definitions Necessary to Understand PCI Compliance

PCI compliance

A set of security standards that you are asked to comply with if your website is taking credit card, or debit card orders.  The major credit card companies got together and decided on these security standards.  These companies are: VISA, Mastercard, American Express, Discover and JCB.  PCI compliance applies to ANY person or organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.  For example, PCI standards would apply to a person who wants to start a small business selling something on the internet and will be taking credit card orders.  There are ways to set up your eCommerce platform that will likely make you PCI compliant, by transferring most of the burden of security to another company, but you will still not be officially PCI compliant until you fill out an SAQ and possibly hire a company to do quarterly scans.

Self-assessment Questionnaire (SAQ)

The SAQ is a form that merchants (sellers) use to demonstrate that they are PCI compliant (or working toward it). Filling out this form is part of the process of becoming PCI compliant.  There are a total of eight different questionnaires (A, A-EP, B, B-IP, C-VT, C, D, P2PE-HW).  Businesses that decide to become officially PCI compliant will need to figure out which form is the right one for them to fill out.  SAQ-A is the easiest form to fill out.  SAQ-A is for businesses that do not handle credit card data in any way (they transfer the data collection to a 3rd party).

Qualified Security Assessor (QSA) firms

These companies can be hired to verify that your eCommerce platform is PCI compliant and, if it isn’t, they can help you to become PCI compliant. Note: most small businesses don’t use a QSA; they are expensive, and since no one is likely to ask you for official proof of PCI compliance, virtually no one bothers to do it.

Bank account types

  • Merchant account: a special type of bank account for businesses that can accept money received from credit card transactions. A merchant account is harder to get than a standard business account (which is described below).
  • Business account: a standard business bank account. It holds your company’s funds; it is not hard to get.
  • Personal account: your own personal bank account.

PCI compliance levels

Your company will fall into one of four levels based on how many credit card transactions you make per year. For example, if you make over 6 million VISA transactions in a year, you will be level 1.  Level 4 merchants process fewer than 20’000 VISA credit card transactions per year.  These numbers appear to be variable for each credit card company, the numbers above are for VISA only.

Parties involved in a credit card transaction

The next few definitions appear to be difficult for people to explain, this is my best interpretation of what I could find from various sources:

  • Credit card company: self explanatory: Visa, Mastercard, etc.
  • Payment processor: A payment processor is a company that uses software to directly access the credit card information of individual people from the major credit card companies. When a credit card transaction is made, the payment processor transfers the money from a person’s credit card account to the payment gateway (see below).
  • Payment Gateway: When a customer submits a credit card order from your website, the payment gateway takes money from the customer’s credit card by contacting the payment processor (see above) and then transfers the money to your merchant bank account (see below). Note: usually the company that serves as the payment gateway also serves as the payment processor and provides the merchant account, so these three terms are often used interchangeably.
  • Merchant bank account: If you set up a business, you may wish to get a special bank account called a merchant account. Any money you receive from credit card orders goes into this account.  You can then transfer the money from your merchant account to your personal account, or a business account.  It’s a little tougher to get a merchant account than a regular account – you have to apply.  Some businesses don’t want to go through this application process, or their business doesn’t qualify due to things like poor credit history.  It seems like most small businesses, even those just starting out, should be able to get a merchant account if they want (see: merchantaccounts.ca).  There is an alternative to getting a merchant account, that is: a third party payment processor (see below).  More on merchant banks
Note: if a customer disagrees with something billed to their credit card, they can raise a dispute with their card issuing bank, up to 4 months following the date of the transaction.  These disputes are called “chargebacks”.  Note, a chargeback is not the same as a refund – a refund is perfectly acceptable as both parties are agreeing to the refund.  A chargeback involves the credit card company insisting that a business refund money to a customer who has complained.  If a customer requests a chargeback on a product or service and the company that sold it doesn’t have the money to pay for the chargeback, then the payment processor is liable.  Therefore, the payment processors carry some risk.  This risk is dependent on things like: your business’s reputation, how much your products cost and how many you sell.  Because the payment processor bears risk, they will require the seller to complete an application before they offer a merchant account.  The following page from merchantaccounts.ca states that they are likely to approve most applications within 5 days: likelihood of approval from the merchant banker; merchantaccounts.ca
  • Third party payment processor: A company that performs all of the above services for you: they serve as a payment processor, a payment gateway and they provide a merchant account, so you don’t have to get one from a bank (you just need a personal bank account).  An example of this type of company is PayPal.  Using PayPal lets you accept online payments without a merchant account of your own.  Instead, they let you use their merchant account under their own terms of service, usually with very little setup required.  For this service, they charge you a fee.  The following is a list of all the supported third party payment processors that you may use if you sell on Shopify.

PCI compliance – Questions and answers

Question: What is involved in becoming PCI compliant?

Answer: The main purpose of PCI compliance regulations is to make sure that credit card information does not get into the wrong hands.  Therefore, any entity that handles customer credit card information (including payment gateways, payment processors and your own eCommerce company) must comply with very stringent rules that protect the security of this information.  These rules include such things as: getting a dedicated IP address, an SSL certificate, inspections every 90 days from a Qualified Security Assessor (QSA) firm and compliance with technical matters, such as: 2 Factor Authentication, use of a Virtual Private Network (VPN) and DDoS Protection among many other things.  Here are some of the other technical things that are required for PCI compliance, as described by Mijireh.  Companies seeking PCI compliance must pay for inspections, then submit compliance documentation to their merchant bank (but note that merchant banks don’t usually request this documentation from small businesses).  Do those sound like things you want to deal with?  Not likely!  They are far too expensive and technically difficult for most small businesses to deal with.  There is no need to discuss the specifics of these rules because most companies will simply not have the resources to comply with them.  Therefore, if you wish to use eCommerce on your website and if you want to keep your customer’s credit card data out of the wrong hands and be as close to PCI compliant as you can, you can forget about using any option that involves your website coming into contact with customer credit card information.  You will have to pay another company to handle that for you, this transfers much of the burden of PCI compliance to them.  There is more information on the options that are available in a section below.

Question: I’m going to run a small eCommerce business from home using my laptop. Am I at risk from hackers?

Answer: Yes. You are among the most vulnerable.  Reasons for your vulnerability include: your computer may contain viruses, your computer may be left on most of the time and you may have installed applications that compromise your website’s security, including: games, file sharing and chat.

Question: What are the risks and legal repercussions, fines and other issues that can occur if your eCommerce website is not PCI compliant?

Answer: The credit card companies and/or payment processors may, at their discretion, do the following:

  1. You may be fined by your merchant bank, up to $100’000 per month for compliance violations.
  2. You may lose your merchant account and therefore be unable to accept credit card payments.
  3. You may be blacklisted and become unable to obtain another merchant account. This may last for years and it can be difficult to circumvent by simply transferring business ownership to a family member or business partner.
  4. You may be required to report data breaches to your customers and all affected parties.
  5. You may suffer brand damage.

More details on fines and other legal issues related to PCI compliance can be found here

Question: Are most other small eCommerce companies PCI compliant, what are they doing?

Answer: Every company using eCommerce (that takes credit card orders) should be PCI compliant according to the credit card companies, but many are not.  In order to be officially PCI compliant, you’ll need to fill out an SAQ and you’ll also need to get quarterly security scans.  Very few eCommerce companies actually do this because it is expensive and very few acquiring banks (i.e. merchant banks) will ask you for documentation proving that you are PCI compliant.

Question: Sounds like it’s impractical for a small business to be PCI compliant.  What should I do?

Answer: Create an eCommerce site that is as safe and as close to PCI compliant as it can be.  There are many ways to set up an eCommerce website, and the things you’ll have to do to protect credit card information depend on what method you use.  For example, if you start an eCommerce website using Shopify, there’s nothing for you to do because Shopify provides the entire platform and it’s PCI compliant.  Shopify is not going to ask you to prove that you are PCI compliant because you’re using their servers and their eCommerce platform.  Alternatively, if you build a WordPress website that takes credit card orders and you set up your platform to accept customer credit card data using your own servers (rather than outsourcing it), then you will have a lot to worry about with regard to keeping credit card data out of the wrong hands.  In this case, choosing a web hosting company that is PCI compliant is the least of your worries.  You’ll have to do a ton of technical things to ensure that your website is PCI compliant.  Note, when I say: you have to, I mean you have to in order to be PCI compliant.  But only in rare cases will anyone insist that you actually be PCI compliant.  You can make a website that is a hacker’s dream and it is not likely that anyone will stop you from operating it.  Technically, you can be fined and blacklisted if you are hacked; however, it is difficult to know how frequently this occurs.  In summary, there’s lots you are supposed to do to be PCI compliant, but the reality is, very few businesses are actually doing anything about it and there does not appear to be interest from anyone to change this.

If you are starting a small business and you are not technically knowledgeable about eCommerce security, you will likely want to go with one of the following options (see below) so that your servers never touch customer credit card data.  You won’t officially be PCI compliant until you fill out the SAQ (and possibly get quarterly security scans) and send this to your merchant bank for approval, but these are expensive steps that virtually no small businesses can ever do.  The options below are the most secure eCommerce setups that I’m aware of, so it’s about the best you can do short of hiring a Qualified Security Assessor (QSA) and filling out the SAQ form described above.  If you choose one of the options below, you’ll be doing more toward maintaining a secure website than a lot of other eCommerce businesses.  Note, with the WordPress options below, you should be using a security certificate (https, not http), have a secure password, perform regular WordPress, theme and plugin updates and use other good practices.

eCommerce Options that are Most Likely to be PCI compliant

1. Sell your product using Shopify or one of the Other eCommerce Platforms

There are several alternatives to Shopify, such as: BigCommerce and Volusion.  Why is this a PCI compliant solution?  Because when you use Shopify, BigCommerce and Volusion, your website is hosted on their servers.  They look after security and PCI compliance for you.  This is a very safe option for protecting your customer’s credit card data.

2. Create a website using WordPress (or any of the other platforms), then add the WooCommerce plugin (or equivalent).

Then, when you set up WooCommerce, use one of the third party payment processors, such as PayPal, that redirects customers to the PayPal (or equivalent) page.  Customer orders are processed entirely on the PayPal web servers.  Why is this a PCI compliant solution?  Because during checkout, customers are sent to a website run by PayPal before they enter any credit card information, so your servers never touch credit card information.  Note: While this logic seems straightforward, a few questions do remain for me, these include:

  • Is there any way to intercept any of the communication between your website and PayPal’s website (or equivalent company) and does any of this information contain customer data, perhaps even just their name?  Is this a potential problem for PCI compliance?  For example merchant-accounts.ca has an option called EasyCheckOut in which basic contact and order details are taken from customers while still on your server, but not their credit card number.
  • There are many different 3rd party payment processors (PayPal alone seems to have multiple options), does it matter which of these you choose?
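As an added illustration (not code from the original post, nor from PayPal, Mijireh or any other provider named here) of what actually crosses the boundary in the redirect model of options 1 and 2, and of the first question above: the shop builds a redirect to a hypothetical hosted checkout page carrying only order details (reference, amount, currency, return URL), verifies the signed result the gateway sends back rather than trusting a bare “paid” flag, and refuses any form field posted to its own server that looks like a card number, so that card data never lands on the shop’s own systems. The gateway host, parameter names and HMAC signing scheme are assumptions invented for this example; a real provider documents its own.

```python
"""
Hosted-checkout helper: what may cross the boundary between the shop and a
third-party payment page, and what must never reach the shop's own server.

Constructed example. The gateway host "example-gateway.test", the parameter
names and the HMAC scheme are assumptions, not any real provider's API.
"""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Shared secret issued by the (hypothetical) gateway when the merchant signs up.
GATEWAY_SECRET = b"constructed-shared-secret-do-not-reuse"
GATEWAY_CHECKOUT_URL = "https://example-gateway.test/checkout"

# Field names the customer must never be able to submit to *our* server.
# If any of these arrive, card data is touching our systems and the
# "outsourced checkout" description (SAQ-A style) no longer fits the site.
CARD_FIELDS = {"card_number", "cc_number", "pan", "cvv", "cvc", "card_expiry"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check, used here only to recognise a card number in a field."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if a value is 13-19 digits (spaces/dashes allowed) that pass Luhn."""
    compact = value.replace(" ", "").replace("-", "")
    return compact.isdigit() and 13 <= len(compact) <= 19 and luhn_valid(compact)


def reject_card_data(form: dict) -> list:
    """Return the names of submitted fields that carry card data.

    Run this on every POST the shop receives; a non-empty result should be
    refused (HTTP 400) and logged, because a redirect-based shop is never
    supposed to receive these values in the first place.
    """
    return [name for name, value in form.items()
            if name.lower() in CARD_FIELDS or looks_like_pan(str(value))]


def sign(params: dict) -> str:
    """HMAC-SHA256 over sorted key=value pairs, excluding 'sig' (assumed scheme)."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(GATEWAY_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def build_checkout_redirect(order_id: str, amount_cents: int,
                            currency: str, return_url: str) -> str:
    """URL the customer is sent to. Only order details cross the boundary;
    the card entry form is served by the gateway, never by the shop."""
    params = {
        "merchant_ref": order_id,
        "amount": str(amount_cents),
        "currency": currency,
        "return_url": return_url,
        "nonce": secrets.token_hex(8),   # makes each redirect URL unique
    }
    params["sig"] = sign(params)
    return GATEWAY_CHECKOUT_URL + "?" + urlencode(params)


def verify_return(query_string: str) -> Optional[dict]:
    """Check the gateway's signed redirect back to return_url.

    Returns the parameters if the signature is valid, else None. An unsigned
    or forged "status=paid" must never mark an order as paid on its own.
    """
    params = dict(parse_qsl(query_string))
    if not hmac.compare_digest(params.get("sig", ""), sign(params)):
        return None
    return params
```

In practice the shop would also compare `merchant_ref` and `amount` in the verified return against its own stored order before fulfilling it, since the signature only proves the gateway produced the message, not that it matches the order the customer started.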

3. Use Mijireh

Create a website, add WooCommerce and add a third party payment processor (as you did in the previous option). Then add Mijireh.  When customers go to checkout, they are sent to Mijireh’s servers, which host a version of your checkout page that looks exactly like your own checkout page.  Mijireh copies your own code to their servers.  Why is this a PCI compliant solution?  Customers are transferred to Mijireh servers before they enter any credit card information, so like the previous examples, your servers don’t touch any sensitive data.  The advantage is that customers won’t really notice that they’ve been redirected to another website because Mijireh uses your website’s own html code.  This can be very useful because checkout pages that look different from your website can be confusing to customers and can lead to dropped shopping carts.

4. Use a company that provides a merchant account and hosts your eCommerce pages

Create a website, get a merchant account with merchant-accounts.ca (this is for Canadians), they will provide the merchant account and the payment gateway. You will need to choose a shopping cart system, from one of the many options.  If you want to be PCI compliant, you’ll want a hosted shopping cart such as: Shopify, BigCommerce and Canada Cart.  There are many other options for shopping carts, including their own proprietary shopping cart system called: EasyCheckOut which is free and useful if you only have a small number of products.  Why is this a PCI compliant solution?  Because, like the previous options, customers are redirected to third party servers before entering sensitive data and your servers never touch credit card information.

5. Create your website using WordPress.com and an eCommerce product like WooCommerce, as described above.

WordPress.com has an increased level of security, since they limit what you can do to the core WordPress files.  There may be a small advantage to using WordPress.com as opposed to WordPress.org.

Assorted Information on PCI Compliance

See what web developers and business owners are saying about PCI compliance on this Reddit post: