PCI Basics: What Every Business Owner Needs to Know

By BlueSky Commerce

Topics: Award / eCommerce / PCI

Most business owners recognize the need for a digital presence.

As consumers are becoming accustomed to increased accessibility to products and services, more and more companies are doing business online, allowing them to compete in the digital market. Every online transaction involves credit cards or cardholder information of some kind. Customers want to know that their credit card and personal information is safe, and protecting that data is precisely where PCI comes into play.

Essentially, the increased protections create trust in the card brand and are, in large part, what drives the brand. If fraud and misuse of customer data occur, consumer trust in the credit card brand diminishes. As a result, major card brands want to know that businesses are making every effort to protect customer data and solidify consumer trust in their brand.

What is PCI (Payment Card Industry)?

If you are involved in the eCommerce world at all, you have probably seen the term PCI. If you deal in credit card transactions, you have likely seen the entire phrase PCI DSS. This acronym stands for Payment Card Industry Data Security Standards.

PCI DSS is the set of rules that govern how companies manage cardholder information to ensure that consumers are protected from fraudulent practices. Originally released in 2004, these rules are set by the PCI SSC, the Payment Card Industry Security Standards Council.

PCI standards are largely driven by the major card brands (Visa, MC, AMEX, Discover, JCB). To instill a sense of security in consumers, these card brands offer a high level of protection and make promises to cardholders about how consumer information will be used and managed.

Why PCI is important for your business

Now, on to the critical questions. What do PCI standards mean for your business? How do they impact your business practices? PCI standards are in place to ensure that merchants meet minimum levels of security when they store, process, and transmit cardholder data. As a merchant, this means you must provide a certain level of protection if you accept any of the major card brands at the point of sale.

The PCI SSC defines a merchant as “any entity that accepts payment cards bearing the logos of any of the five PCI SSC members (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services.”

If you qualify as a merchant, you have a few options to manage your eCommerce ventures. You can:

  1. Develop your own payment processing application
  2. Use third-party services specifically designed for processing payment information

How you choose to process payment information will determine how deeply your business will be involved with PCI compliance. The PCI DSS standards apply to all system components included in or connected to the Cardholder Data Environment. The Cardholder Data Environment (CDE) comprises the people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data. PCI requirements also encompass any system, process, or technology that is involved in or influences the CDE.

This is a broad definition. In practice, it covers any part of your business that touches credit card payments in any way. For example, one major company is currently looking at recording phone calls that contain any mention of cardholder information to meet PCI compliance standards.

Ultimately, if you accept credit card payments, you will be involved with PCI compliance on some level.

How your business can meet PCI compliance standards

An entire industry has risen around PCI compliance, involving multiple sets of forms, methods, and processes. The PCI SSC has developed a system to safeguard consumer information and make sure businesses are doing what they can to protect cardholders. The PCI SSC awards a designation to qualifying businesses, and that designation is an essential achievement for companies operating in the eCommerce sphere.

The number of card transactions your business conducts will determine what you have to do to achieve compliance. Enterprises fall into four levels:


Merchant Level 1

Key Criteria: Conducts 6+ million transactions per year or has had a breach of customer data that compromised cardholder information

Requirements for PCI Compliance: Annual Report on Compliance, Attestation of Compliance, and network scan


Merchant Level 2

Key Criteria: Conducts 1-6 million transactions per year

Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, network scan


Merchant Level 3

Key Criteria: Conducts 20,000-1 million transactions per year

Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, network scan


Merchant Level 4

Key Criteria: Conducts less than 20,000 transactions per year

Requirements for PCI Compliance: Annual Self-Assessment Questionnaire, Attestation of Compliance, network scan

What does all this mean? Your business needs to make all the efforts it can to protect customer data. More importantly, you must show that you have completed these efforts by performing the necessary assessments and submitting the appropriate documents. Here are some terms you need to know:

Annual Report on Compliance (ROC): This is for larger companies that process more than 6 million card transactions per year, or for any company that has experienced a compromise of consumer data.

Attestation of Compliance (AOC): This form is a signed document stating that you have completed all procedures to meet compliance.

Self-Assessment Questionnaire (SAQ): The questionnaire helps merchants evaluate their level of compliance.

Qualified Security Assessor (QSA): Qualified Security Assessors are certified through the PCI SSC to perform PCI compliance audits.

Internal Security Assessor (ISA): These individuals are internal employees who have undergone certification through the PCI SSC and are qualified to perform PCI audits.

Approved Scanning Vendor (ASV): The PCI SSC has authorized these vendors to perform vulnerability scans to determine PCI compliance.

Cardholder Data (CHD): Cardholder Data refers to any information that could be used to gain illicit access to the funds associated with a card. Typically, this includes the account number, cardholder name, expiration date, and service code.

Sensitive Authentication Data (SAD): This is additional data associated with the card that is used to authenticate transactions, including full track data, the CID, and PINs.

Cardholder Data Environment (CDE): The Cardholder Data Environment is comprised of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data.

Once you know your Merchant Level, you will need to determine exactly what your responsibilities are when it comes to PCI compliance.
  • If you are a merchant who accepts or processes payment cards, you must comply with PCI DSS. PCI DSS applies to all entities that store, process, and/or transmit cardholder data.
  • PCI PTS (PIN Transaction Security) applies to manufacturers of devices used in the protection of PINs and other cardholder information.
  • PCI PA-DSS (Payment Application Data Security Standard) applies to payment application vendors whose software stores, processes, or transmits cardholder data as part of authorization or settlement. This is a set of standards for software developers whose applications will be processing cardholder payments.
  • If you fall under PA-DSS, you must complete an annual renewal.

To Review: Businesses that process consumer card information must perform the following steps to achieve PCI compliance:

  1. Confirm the scope of the PCI DSS assessment.
  2. Perform the PCI DSS assessment of the environment.
  3. Complete the applicable report for the assessment (i.e., Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC)), including documentation of all compensating controls.
     NOTE: Some portions of the ROC may be fulfilled by a third-party service provider, in which case the assessor will review the contract and the third party’s AOC.
  4. Complete the Attestation of Compliance for Service Providers or Merchants, as applicable, in its entirety.
  5. Submit the SAQ or ROC, and the Attestation of Compliance, along with any other requested documentation.
  6. If required, perform remediation and provide an updated report.

PCI compliance is an exhaustive and somewhat overwhelming process. The procedures ensure that consumers and merchants can conduct secure transactions, allowing you to conduct business on a larger scale and create consumer trust in your brand.
