The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards devised by the payment card industry to improve information security for organizations that handle credit card data.
The PCI DSS isn’t a law in most of the US — the exceptions being Nevada and some other states that have PCI DSS-like provisions. Nevertheless, it would be a mistake to ignore it: the payment card industry can make life difficult for eCommerce retailers by increasing transaction fees, levying fines, or preventing retailers from taking credit card payments at all.
PCI DSS applies to any organization that accepts, transmits, or stores cardholder data. That includes eCommerce retailers, even if they use a third-party payment processor. Using a payment processor makes it easier and less expensive to comply, but it doesn’t absolve retailers of their responsibilities under the PCI DSS: they must secure their servers, networks, and software.
How do retailers comply with the PCI DSS?
The easiest way to comply with the standards is to use a third-party payment processor and PCI-compliant hosting — if you store credit card information on your store or manage your own servers, complying becomes much more complicated and expensive.
Retailers must implement all of the PCI DSS standards and complete a Self-Assessment Questionnaire (SAQ), which is submitted to their transaction bank. There are several SAQs, but only two are relevant to smaller eCommerce retailers: SAQ A and SAQ A-EP. Retailers should complete SAQ A if they entirely outsource the payment process, and SAQ A-EP if they use a third-party payment processor but retain some control over payments, such as taking credit card details on a page controlled by the merchant before passing them immediately to a payment processor.
Larger eCommerce stores should consult a PCI DSS expert for more information.
What does the PCI DSS require?
There are 12 broad categories of PCI DSS standards, ranging from protecting data with a firewall and encrypting data while in transit to using anti-virus software and regularly updating and patching systems. You can see the full list of requirements here.
PCI DSS Compliant Hosting
PCI DSS-compliant web hosting is useful to eCommerce retailers, including those that need to store credit card data.
The PCI DSS includes standards for the physical security of the servers and networks on which data is stored, malware scanning of servers, tracking and monitoring of access to network resources, and others that should be implemented by the organization that controls the servers and networks that host an eCommerce store.
PCI DSS-compliant hosting makes it possible to comply with the standards, but it does not excuse the retailer altogether. For example, the hosting provider may take care of the physical security of the network and other hardware-related standards, but if the retailer fails to apply security patches to their store, they are non-compliant.
The division of responsibilities between the hosting provider and the retailer depends on the nature of the hosting. Retailers should make sure that they fully understand what their hosting provider takes responsibility for.
The PCI DSS is a fact of life for eCommerce retailers. Third-party payment processors and PCI-compliant hosting significantly reduce both the cost of hosting and the compliance burden.
About the Author: Jay Caissie is Director of IT at ServerMania. Jay takes the lead on network engineering, server management services, internal systems, engineering, and escalated support. In short, Jay is the brains behind the technical aspects of ServerMania’s hosting platform.