I found myself explaining PCI Compliance again the other day and thought I would save time and just blog my response so I have it for next time. Keep in mind this is a layman's view of PCI and while I do spend 90% of my day dealing with eCommerce merchants and their web sites, I am not, nor have I ever been a PCI Professional.
PCI stands for "Payment Card Industry" and it is an international standard. It is not a legislative requirement that I am aware of but it does align with legislation on personal privacy. The security standards are operating requirements from the merchant providers (Visa, Amex, Mastercard, Discover) and a set of guidelines for merchants to follow to secure card holder data. When we talk about PCI Compliance we are talking about complying with the PCI Data Security Standard or PCI DSS. Alphabet soup.
PCI rules are not specific to eCommerce websites; they apply to every merchant that processes credit card transactions. There are additional rules for companies doing web transactions, but the PCI standards also look at what happens when someone calls your store to place an order. Do the credit card numbers get written down on a paper form? If they are, what happens with that paper afterwards? Do your till receipts include the complete CC number or only the last 4 digits?
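As an added illustration of that last receipt question (my own example, not part of the standard or any vendor's tooling), here is a small Python check that truncates a card number to its last four digits and scans constructed receipt lines for any full, Luhn-valid card number that slipped through unmasked:

```python
import re

# Constructed sample receipt lines for this example (the first carries the
# well-known test number 4111..., not a real customer's card).
SAMPLE_RECEIPTS = [
    "Sale 12.50 CARD 4111111111111111 AUTH 0042",
    "Sale 7.99 CARD ************1111 AUTH 0043",
    "Sale 3.00 REF 1234567890 AUTH 0044",
]

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Truncate a PAN (spaces or dashes allowed) so only the last 4 digits show."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]

# Card numbers are 13 to 19 digits; anything shorter is ignored.
PAN_RE = re.compile(r"\b\d{13,19}\b")

def find_unmasked_pans(lines):
    """Return (line_number, pan) for every Luhn-valid full card number found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group()):
                hits.append((n, m.group()))
    return hits

if __name__ == "__main__":
    for n, pan in find_unmasked_pans(SAMPLE_RECEIPTS):
        print(f"line {n}: full PAN on receipt, should read {mask_pan(pan)}")
```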
Most small to medium companies just have to complete a Self Assessment Questionnaire. Questions include such things as "Are hardcopy materials cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed?"
The correct answers are pretty obvious, but by filling out the forms, you are certifying that the answers are true. Don't take this lightly!
There are different levels of auditing requirements for PCI DSS compliance based on the merchant's transaction volume.
We do not pay the thousands of dollars per year for annual certification to be listed on the PCI site. We were certified through Trustwave for a few years, but in the end it did not give our merchants any additional advantage. Each merchant still has to fill out their annual questionnaire and go through the security scans as mandated by their merchant card provider.
The advantage of going with an experienced eCommerce provider is that they have been through the PCI certification process many times before and can help you complete the questionnaires. We guarantee our customers that our software and our hosting infrastructure and services are PCI compliant. If they do not pass, we will rectify the identified issues at our own expense. We do not store credit card information, and all transactions are processed in real time with a PCI compliant top tier transaction processor. The rest is up to you.
You can learn more at www.pcisecuritystandards.org.