E-Commerce 101: What is PCI?
PCI refers generically to the Payment Card Industry — the organizations and businesses which handle, store and process credit and debit card transactions. They are the ones who are responsible for taking that credit card information you collect and converting it to those dollars that show up in your bank account.
More specifically, however, PCI, or PCI Compliance, refers to implementing and complying with the set of standards defined by the Payment Card Industry Security Standards Council (PCI SSC). The Payment Card Industry Data Security Standard (PCI DSS) defines the standard for secure handling of credit card data by merchants and their partners.
Why does PCI exist?
Back in the wild, frontier days of the internet, a lot of online merchants were dumb. They stored credit card information in their store's databases. Unencrypted. Available to any database administrator or customer service agent who wanted to look up an account. Yikes.
As bad as that is as far as general procedures go, it's even worse if an online store gets hacked. Imagine what the bad guys could do with a list of a few thousand credit card numbers, names and billing addresses. It happened. A lot. Even to some big name stores.
It wasn't really the merchant's fault (maybe it was); they didn't understand (did they care?) that storing information this way wasn't safe. They weren't data security experts after all.
So, in 2004, to reduce their collective headaches, and after some false starts individually, the big names in the payment card industry decided to write up some guidelines and best practices. They introduced the first version of their Data Security Standards, to the chagrin and consternation of online merchants everywhere. From this point on, you had to follow some simple (ahem) rules for the handling of payment card information or face hefty fines. Lack of compliance might result in the loss of your ability to process credit cards altogether.
What does the PCI DSS Say?
The PCI DSS defines six main responsibilities/categories of compliance for merchants:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
Those are broken down into excruciating-to-read bullet points that cover specific sub-requirements for compliance, at various levels throughout a merchant's organization. For example:
"Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards."
Um... OK. Like most standards, the requirements are vague, obtusely worded, conflicting, and subject to interpretation. Still, given the historical record of merchants on their own, it's better than having nothing.
Does PCI apply to my store?
Are you collecting credit card information? Then yes, it applies to your store. Depending on your number of annual transactions, though, the manner in which you must comply is dictated by one of four compliance levels.
Most small businesses are subject to Level 4 (less than 20,000 annual transactions per provider). This usually means that you can perform a self-assessment questionnaire (SAQ) and sign off through some sort of online form. The particular mechanics vary by bank. You may also be required to pass a regular, automated security scan.
Things get more complicated as your number of transactions goes up and the compliance levels get lower. The good thing is, processing more transactions means you're making more money, so it's easier to cover the cost of compliance.
This sounds like a major PITA.
It's usually not that bad for smaller merchants, though it does require a skillset not often possessed by the owner. Server configuration, network architecture and firewall configuration typically don't have a lot of crossover with selling t-shirts or home decor. Unless you happen to be a devops engineer in your spare time, it's best to find someone who knows what they are doing and get them to help.
Where can I find out more?
You can download a copy of the latest specification, but be warned, it's a difficult read. It's probably best to start with the Get Started section of the PCI SSC's website. Of course, if you have questions, feel free to use the comments below or our contact form to get in touch.