PCI-DSS is a set of requirements that the major credit card companies have put in place to enhance cardholder payment data security. If you are a merchant that accepts credit cards for purchases online you are required to comply with the PCI-DSS requirements.
All merchants fall into one of four merchant levels defined by the merchant’s transaction volume over a year.
A level 4 merchant is defined as "any merchant processing fewer than 20,000 Visa ecommerce transactions per year," and is the most common small business merchant level.
Level 3 merchants are classified as doing 20,000 to 1,000,000 transactions per year.
We'll be focusing on Level 3 and 4 merchants throughout this article.
Your merchant level defines your PCI compliance validation options.
Level 3 and Level 4 merchants are required by PCI-DSS requirements to complete a Self Assessment Questionnaire (SAQ) and to pass a quarterly network vulnerability scan.
Level 4 merchants, however, may not be required by their merchant acquirer to fulfill either of these requirements. We'll discuss this more later.
SAQ Validation Types
Every merchant is required to complete a Self Assessment Questionnaire (SAQ) to become certified as PCI compliant. There are five SAQ validation types, and the validation type determines which of the four SAQs a merchant must complete.
We'll look at SAQ validation types 1, 4, and 5, since all online ecommerce systems will fall into one of these categories.
Type 1
SAQ validation type 1 has the easiest requirements to meet. This validation type applies to ecommerce merchants where all cardholder data functions are performed by a PCI compliant third-party, such as PayPal.
To qualify for this SAQ validation type, the merchant may neither store nor transmit cardholder data. The purchaser must be redirected to the service provider's website to complete the purchase.
SAQ validation type 1 does not require PCI compliant web hosting; however, it may still be necessary to complete the SAQ-A if the merchant services provider requires it.
It's likely that merchants of validation type 1 will not be required by their merchant acquirer to perform a quarterly vulnerability scan.
Type 4
SAQ validation type 4 applies to most ecommerce retailers. This validation type applies to ecommerce merchants with shopping cart applications that transmit cardholder data via the Internet for processing by the merchant acquirer.
No cardholder data can be stored to qualify for this SAQ validation type.
A simple example of a qualifying SAQ validation type 4 is a Magento shopping cart using Authorize.Net to process transactions. Cardholder data is transmitted to a PCI compliant third-party for processing and no cardholder data is stored.
Credit card payments are made at the merchant's website, whereas validation type 1 must deliver the client to a third-party website for payment collection, such as PayPal Payments Standard.
SAQ validation type 4 requires that all third-party service providers are certified as PCI compliant. The ecommerce merchant is required to perform due diligence to ensure that each service provider it uses is a PCI-DSS certified service provider. This includes the web hosting provider and the data center.
A careful review of the service provider certification should be made before choosing any PCI compliant third-party service providers.
SAQ validation type 4 merchants must complete the requirements of the SAQ-C. Due to additional complexities introduced by the SAQ-C requirements, including the fact that service providers must also be certified PCI compliant, traditional shared hosting options become impossible.
Type 5
SAQ validation type 5 applies to all ecommerce merchants that do not fall into validation types 1 or 4. The defining issue that separates a type 4 from a type 5 is the storage of cardholder data.
Merchants identifying themselves as eligible for validation type 5 must comply with the requirements in SAQ-D. These are the same requirements that are required of PCI certified service providers and are typically out of the financial and technical reach of most small ecommerce retailers.
The SAQ-D requirements for PCI compliance are a very serious undertaking for even highly skilled IT professionals. Lawyers, CPAs, and other professional services may often be needed to draft PCI audit policies and procedures. The cost of validation type 5 PCI compliance can easily run over $50,000.
Becoming PCI Compliant
Acquirers (merchant account providers) are responsible for enforcing merchant compliance with the PCI requirements.
Level 4 merchants may not be required by their acquirer to submit vulnerability scan reports or the SAQ, which is the case with PayPal Payments Standard.
If you are required to provide either the PCI scan or SAQ, you will be notified by your merchant provider. The notice will be delivered in the form of postal mail and will include your merchant level and compliance requirements with regards to the SAQ and vulnerability scans.
Merchants that do not meet the requirements of the PCI-DSS may also be fined by the merchant acquirer. Often called a compliance fee, this charge can range from $19.95 to many thousands of dollars monthly.
Many level 4 merchants choose to pay the fee rather than become PCI compliant, but it is important to remember that compliance is required and merchant accounts do get shut down.
Hosting & Data Center Options
Each SAQ validation type brings with it a new level of complexity to achieving PCI compliance. Third-party service providers' PCI compliance is an important factor for type 4 and 5 merchants.
Service providers are any third party who has access to cardholder data. This would include web hosting companies and data centers.
Type 1 (SAQ-A)
SAQ validation type 1 has the lowest level of hosting requirements. In this case the payment system, such as PayPal, is the only system involved with the cardholder data transaction. The main website does not need to be hosted with a PCI compliant service provider.
An example of an ecommerce SAQ validation type 1 merchant would be a Magento shopping cart application using the PayPal Website Payments Standard payment option.
All cardholder data is input on the PayPal website and no cardholder data is stored or otherwise transmitted by the originating ecommerce website.
If necessary, the SAQ-A will need to be completed and delivered to the merchant acquirer to complete the PCI Compliance process.
Type 4 (SAQ-C)
SAQ validation type 4 merchants have very specific requirements which mandate the use of certified PCI compliant third party service providers such as web hosting companies and data centers (SAQ-C 12.8).
The many barriers to becoming a PCI compliant service provider eliminate the merchant's shared hosting options, and all but mandate the use of a dedicated server to achieve PCI-DSS compliance under the SAQ-C.
Restrictions placed on PCI compliant web hosting providers make it impossible to offer a PCI compliant, multi-tenant shared hosting environment.
As a result, many type 4 merchants maintain a PCI compliant hosting environment themselves using a dedicated server hosted with a PCI compliant data center.
An example scenario would be to purchase a dedicated server from a certified PCI compliant data center, such as SoftLayer.
In this scenario, the ecommerce application (Magento) would reside on the dedicated server and communicate cardholder data to a third-party payment processor, such as Authorize.Net. No cardholder data can be stored by the merchant in this scenario.
The dedicated server would need to be configured to pass the required quarterly vulnerability scans. Tuning a server to meet PCI-DSS compliance for SAQ-C is not a complicated task; however, it will require a competent system administrator.
Vendors such as McAfee Secure can provide the PCI vulnerability scans and PCI compliance certificates, as well as a wealth of information to help you pass your PCI-DSS requirements.
The SAQ-C, along with the successful completion of the quarterly vulnerability scan, should be submitted to your merchant account provider to show compliance with the requirements of PCI-DSS.
It’s easiest to subscribe to a scanning service such as McAfee Secure for ongoing PCI compliance scanning.
Type 5 (SAQ-D)
The SAQ Validation Type 5 is the highest level of PCI compliance and is the same level required by PCI-DSS certified service providers.
This level of PCI compliance requires legal counsel and a budget in excess of $50-100k to achieve. The decision to take on this type of PCI compliance should only be made by true enterprise-class merchants.
Beyond the certified DSS service provider requirements mandated for type 4 merchants, type 5 merchants must also be prepared for a significant investment in hardware infrastructure, public and private information security policies, and technical compliance challenges.
An example of this level of compliance would be a managed, PCI compliant product from RackSpace. RackSpace is a PCI compliant data center capable of managing this level of PCI compliance for their clients.
A typical RackSpace SAQ-D PCI compliant hosting arrangement would include the following specs:
- Hardware firewall
- Mid-Range web server
- Mid-Range database server
- File integrity monitoring
- Log management service
- Intrusion detection system
- 1-2 GB bandwidth
- 3-5 dedicated IPs
This RackSpace PCI compliant product is available for approximately $3,200 per month, depending on whether a 1- or 2-year contract is chosen, plus a $2,300 setup fee.
The configuration of your ecommerce application to use such an environment and the tuning of a multi-system hosting environment for advanced ecommerce applications such as Magento are the responsibility of the merchant.
The SAQ-D will need to be completed along with the many information security policies that it requires to be publicly and privately maintained. This hosting system will also be required to pass a quarterly network vulnerability scan to be PCI-DSS compliant.
The best advice one can give to a SAQ validation type 5 merchant is: if there is a way to become a type 4 merchant, do it.
The primary factor that distinguishes type 4 from type 5 for ecommerce merchants is the storage of cardholder data. Unless this is absolutely necessary it should be removed from the business model.
What Does This Mean?
The PCI-DSS requirements are a clear indication of what we can expect from the ecommerce ecosystem in the near future.
Credit card companies are making great efforts to push ecommerce into a restrictive SAQ validation type 1, where the likes of Yahoo! Stores, Google Checkout, PayPal, and similar SaaS solutions will become the norm.
Online merchants who wish to use an integrated payment system, such as Authorize.net, are forced to spend hundreds, if not thousands of dollars per month to comply with the PCI-DSS requirements. This is true of even the smallest ecommerce merchants.
The PCI compliance requirements introduce a true pay-to-play culture within Internet ecommerce.
PCI-DSS compliance gives the card brands a new power over merchants, one that appears to disproportionately penalize the smallest of the struggling small businesses by applying the same rules and structures that large corporations face.
VISA and other card providers do their very best to protect their cardholders through the PCI-DSS standard. The cost of this protection is the loss of entrepreneurial freedom.
The Internet small business landscape is changing and the ability of the small entrepreneur to accept credit cards in an integrated hosting environment is rapidly disappearing.