Anyone with an e-commerce site that takes credit card payments through a payment gateway needs to know about the PCI Data Security Standard, or PCI DSS. PCI stands for Payment Card Industry, the group that created the PCI Security Standards Council to protect credit card users from Internet fraud.
What PCI DSS Means for Businesses
The PCI SSC is operated by Visa, MasterCard, American Express and other major credit card companies, which set the policy behind PCI DSS. All e-commerce websites, from one-person shops to multi-million dollar operations, must comply with the standard or risk heavy fines from Visa or from the bank that processes their payments. Shop owners who embed payment gateways on their websites must work through the PCI DSS questionnaire to confirm that they are in compliance.
There are several versions of the Self-Assessment Questionnaire, or SAQ, reflecting the four categories of businesses recognized by the PCI SSC. These categories, or merchant levels, correspond to the size of the business as measured by annual transaction volume. Most website owners fall into merchant level 4, because they process fewer than 20,000 Visa transactions per year. The next level, merchant level 3, covers companies that process 20,000 to 1 million transactions per year. Merchant level 2 covers websites that process 1 million to 6 million transactions per year, and merchant level 1 covers websites that process more than 6 million transactions per year.
Embedded vs. External Payment Gateways
Only websites that embed a payment gateway on their own domain need to complete the SAQ; merchants who use an external gateway can skip this step. External payment gateways are quite common: they send users to an external domain for payment processing. For example, many e-commerce sites send users to the PayPal website to pay. When an external gateway is used, the gateway operator is responsible for PCI DSS compliance.
The rules of PCI data security are simply part of the agreement merchants make with the major credit card companies when they process payments. There is no law regulating the data security of payment gateways, but the card companies can enforce PCI DSS by levying heavy fines on businesses that ignore the rules. Businesses should be careful when working with Web developers who embed a payment gateway on an e-commerce site. It is the site owner's responsibility to ensure PCI DSS compliance, and that responsibility begins with close communication with the developer.
Website Security
The requirements impose 12 control objectives, and they call for ongoing network security maintenance for as long as the embedded payment gateway is active. Regular network testing and monitoring is one of the requirements, and so is instituting a vulnerability management policy for the network. In general, all of the PCI DSS requirements are sound policies for any site owner who handles customer credit card numbers. They do require additional time and system resources, but the added expense is usually offset by the savings of a lower-cost payment gateway. Customers may also appreciate not being forced to leave the checkout page to complete a payment.
E-commerce has been one of the biggest trends on the Web since broadband Internet allowed websites to become more sophisticated. If you have a custom checkout page with an embedded payment gateway, you need to implement the PCI Data Security Standard properly to protect your customers and your business.