Why Your Ecommerce Business Needs PCI Compliance
What’s Involved In Getting Compliant
SAQ stands for Self Assessment Questionnaire. There are several different questionnaires depending on how the merchant processes credit cards, and three of them are specific to merchants taking credit cards online:
SAQ-A — This is the most basic level of compliance and the one that any small merchant would want to qualify for. It requires only the questionnaire for compliance, with no quarterly vulnerability scans and no annual penetration test. To qualify, no credit card data can ever be seen by the merchant’s website, and payments must be processed through either an iframe or a secure URL belonging to a processor that is PCI compliant (such as NMI).
SAQ A-EP — This level of compliance requires quarterly vulnerability scans and annual penetration testing. It applies when credit card information is entered directly into the merchant website, and it is used primarily by larger ecommerce sites with a high volume of transactions.
SAQ D — This level of compliance applies to any site that processes credit card data in any way before transmitting it to the approved processor. SAQ D also requires annual penetration testing, quarterly scans, and a much more complex questionnaire.
Compliance Implementation
JTech has implemented the appropriate requirements of the PCI DSS to provide our business clients with layers of security to make it much more difficult for attackers to gain access to payment card data. We implement PCI processes to enhance defense, strengthen security and simplify compliance. If you have any questions about PCI compliance for your business, feel free to reach out.