PCI Compliance: Frequently Asked Questions
by Practical eCommerce Staff
Payment card industry compliance is confusing for many ecommerce merchants. But it potentially affects every merchant that accepts credit card payments. Failure to understand the PCI compliance standards could result in higher merchant account fees and fines from the credit card issuers.
Merchants oftentimes have similar general questions on PCI compliance. We posed some of them to Tim Erlin, principal product manager for nCircle, a security consulting and compliance firm that offers PCI-related services, among other compliance services. Those questions, and his answers, are below.
What is PCI?
Erlin: "PCI generally refers to the Payment Card Industry Data Security Standard, or the PCI DSS. This standard was developed by the PCI Security Standards Council, which is a consortium of the major credit card brands (Visa, Mastercard, American Express, and Discover). It represents the combination of two previous separate programs: the Visa Cardholder Information Security Program (CISP) and MasterCard's Site Data Protection program (SDP). The goal of the PCI DSS is to specify a common standard for protecting cardholder data from compromise."
How does PCI compliance affect my ecommerce business?
Erlin: "If you accept credit cards as a form of payment, you are required to be compliant with the PCI DSS. In most cases, smaller merchants can achieve compliance by using compliant shopping carts and payment gateway services. If, however, you choose to collect and store credit card data as part of your business, you'll need to carefully consider the requirements of the PCI DSS."
"Larger volume merchants (more than 20,000 credit card transactions annually) will need to complete some specific validation requirements to demonstrate compliance with the PCI DSS. The requirements range from filling out a self-assessment questionnaire to an onsite audit from a qualified auditor. You can find out more details about merchant levels here."
Where can I learn more about PCI?
Continue Reading at Practical eCommerce