PCI standards are complex, but can be simplified

Cyber attacks are a real and continuous threat and no online business is immune, regardless of size. In response to this, the payment card industry created a set of rules and requirements, the Data Security Standard (PCI DSS) that establishes a secure system for online businesses and customers to reduce that risk.

Major credit card networks rolled out PCI DSS in 2006, to ensure a robust security process dealing with all online financial transactions. The guidelines are constantly updated to align with new technologies from fintech and e-commerce in order to ensure that cardholder and sensitive authentication data is safely processed, stored and transmitted.

As an online merchant, you need to know that levels of compliance vary depending on the size of your business.

Level 1: Over 6 million card transactions per year. Self-Assessment Questionnaire SAQ and audits made by Qualified Security Assessor (QSA) are mandatory.

Level 2: 1 to 6 million transactions per year. SAQ mandatory, signed by a QSA or a trained PCI Security Standards Council Internal Security Assessor (PCI SSC ISA).

Level 3: 20,000 to 1 million transactions per year – SAQ mandatory.

Level 4: less than 20,000 transactions per year – SAQ recommended, not mandatory.

Additional information about SAQs are found within the Security Standards Council PCI DSS Quick Reference Guide.

Besides creating a secure network system, PCI DSS guidelines advise you to develop configuration standards for all system components and have them managed by people who understand cryptography, to ensure that the data is encrypted and untouchable. The PCI DSS guidelines further recommend never to store credit card data unless absolutely necessary.

The expanding subscriptions payment business is an exception because customers’ data enables renewals. In this case, you should have a data retention policy document authorized by regulators in place outlining how long you store sensitive data. The PCI recommends erasing unnecessary data at least quarterly. Furthermore, you, as the merchant, are required to record and implement procedures for storing public and private keys for data encryption.

Monitoring methods

The best way to keep vulnerabilities in check is by establishing a ranking system based on the level of threat so your team can prioritize, organize and resolve them. Also, be sure to utilize security patches provided by your security software provider.

Foster a security-driven software development culture in your organization. When dealing with sensitive data, developers must build the project from the start with security in mind.

And since web applications face a lot of threats, in order to be PCI compliant, your public-facing applications must be continuously assessed for vulnerabilities, either manually or by web firewalls that monitor your traffic and send status reports around the clock.

Fortunately, there are ways to reduce the burden and complexity of PCI compliance. It all starts with your payment provider and the checkout experience – and here we are exploring some solutions available on the market that will help you control the ordering experience, while following the robust recommendations of the PCI DSS guidelines, without investing a lot of energy and time in the process.

Checkout page with URL Redirect model. With this checkout model, your customers are sent from your website to a checkout hosted by the payment provider or a third-party company. This approach has the greatest level of PCI Compliance (Level 1) as the cardholder data is managed by the checkout provider.

This model shortens your compliance process to just the formality of filling out a questionnaire. Choose this option to save time in developing an individual solution, and go with a customized and optimized out-of-the-box solution.

Iframe Checkout. In terms of PCI compliance, the Iframe checkout matches the ones that have a URL redirect model. This checkout page is hosted by the payment provider, which eliminates the need to store card data. Customers can place orders directly from your website, without being steered to another page. A faster buying process will increase your checkout conversion rates.

Implement a JS Ordering Form. If you have an in-house checkout solution with your payment integration made through an API, your PCI DSS assessment goes a level higher. The best option is to use a JavaScript form on top of your checkout one that collects, encrypts and transfers cardholder sensitive data directly to your payment service provider.

One benefit is that you don’t have to worry about collecting sensitive data during the payment process. Another is that you retain full control over the look and feel of your checkout.

When it comes to implementation, it requires only a few lines of code and it allows your payment service provider to intercept and tokenize (encrypt) sensitive credit card information, while holding it in their systems for a limited amount of time, before it’s deleted.

This article was written by Madalin Cojocariu from PaymentsSource and was legally licensed through the Industry Dive publisher network. Please direct all licensing questions to

Security Insights