The Payment Card Industry (PCI) Security Standards Council (SSC) maintains the security standards that apply to any company that stores, processes, or transmits payment card data. The SSC's Founding Members (Visa, Mastercard, American Express, Discover, and JCB International) publish the standards jointly, and each brand, through the acquiring banks, enforces compliance with the Data Security Standard (DSS). But is PCI compliance mandatory for e-commerce merchants?
Is PCI Compliance Mandatory for E-Commerce Merchants?
The standards cover all types of businesses that handle card data, e-commerce included. If you are uncertain whether PCI compliance is required for your e-commerce organization, consider the following:
- The PCI DSS applies to nearly every company that stores, processes, or transmits cardholder data, including companies that only pass it to a third party.
- Some PCI Levels for reporting differentiate between e-commerce and other channels.
- Certain variants of the Self Assessment Questionnaire (SAQ) apply only to e-commerce.
PCI compliance doesn't need to be challenging; determining exactly which requirements apply to you often is. Let's dive in.
PCI DSS: For All Organizations Processing Card Payments
A better way to ask the titular question is: is PCI DSS mandatory for e-commerce merchants? The answer is yes, in almost all cases. PCI DSS applies to nearly every company that accepts credit or debit card payments, regardless of transaction volume. So if your e-commerce store processes, stores, transmits, or can affect the security of cardholder data (for example by hosting the page that redirects customers to a payment processor), you will almost certainly need to comply, even if the card numbers themselves never touch your servers.
If your company does not itself accept card payments, other PCI standards may still apply. For example, if you have developed or sell a payment application, you may need to validate it against the Payment Application DSS (PA-DSS). Its requirements are aligned with those of the DSS, but a company to which both apply must validate compliance with each separately; PA-DSS validation of a product does not make the merchant using it DSS-compliant. Note that PA-DSS was retired by the SSC in October 2022 and replaced by the PCI Software Security Framework (Secure Software Standard and Secure SLC Standard).
Additionally, if your company makes or sells PIN-entry devices, they must be validated against the PIN Transaction Security (PTS) requirements; if you merely use such devices, you should confirm they appear on the SSC's list of approved PTS devices. The SSC's overview of PCI standards provides guidance on applicability. All standards are available for free from the SSC document library after accepting a license agreement.
Levels of PCI DSS Compliance Reporting for E-Commerce
Most e-commerce companies have to comply with PCI DSS. However, the way they must validate compliance depends on their merchant level, which each card brand defines separately by annual transaction volume and which your acquiring bank assigns. According to Visa's PCI guide, the levels are:
- PCI Level 4 – Merchants who process fewer than 20,000 Visa e-commerce transactions annually, and all other merchants who process up to one million Visa transactions annually across all channels. Validation requirements are set by the acquirer; a yearly Self Assessment Questionnaire (SAQ) and quarterly network scans by an Approved Scanning Vendor (ASV) are recommended.
- PCI Level 3 – Merchants who process 20,000 to one million Visa e-commerce transactions annually (e-commerce channel only) must file a yearly SAQ and Attestation of Compliance (AOC) and pass quarterly ASV scans.
- PCI Level 2 – Merchants who process one to six million Visa transactions annually across all channels (including e-commerce) must file a yearly SAQ and AOC and pass quarterly ASV scans, just like Level 3.
- PCI Level 1 – Merchants who process over six million Visa transactions annually across all channels (including e-commerce), or who have suffered a breach, must complete a yearly on-site assessment documented in a Report on Compliance (ROC) with an AOC, and pass quarterly ASV scans.
Only Level 1 requires an on-site assessment, performed by a Qualified Security Assessor (QSA) or, if your acquirer allows, by a trained internal assessor whose report is signed by a company officer. Levels 2 through 4 can self-assess, although many merchants engage a QSA anyway because the hardest part is usually scoping the cardholder data environment correctly. The best QSAs, like RSI Security, will also help with every element of PCI DSS implementation and with meeting all 12 Requirements.
PCI DSS Self Assessment Questionnaires for E-Commerce
Finally, the reporting process for all e-commerce companies other than those at Level 1 requires selecting the appropriate SAQ to submit. Of the nine SAQ variants in PCI DSS v3.2.1, three apply to e-commerce merchants, including one exclusively for e-commerce, and a fourth applies to service providers that support them. These are:
- SAQ A – Card-not-present merchants (e-commerce or mail/telephone order) that have fully outsourced all cardholder data functions to PCI DSS validated third parties and store no cardholder data electronically; for e-commerce this means the payment page is delivered entirely by the third party, for example via a full redirect or an iframe. Not applicable to any face-to-face channel.
- SAQ A-EP – E-commerce merchants that outsource payment processing to PCI DSS validated third parties but whose own website affects the security of the transaction, typically because the merchant's web server delivers the page elements that collect card data (for example a JavaScript form or a direct-post integration). Applicable only to the e-commerce channel and considerably longer than SAQ A.
- SAQ D for Merchants (D-M) – All merchants not eligible for any other SAQ, including e-commerce merchants that store, process, or transmit cardholder data on their own systems.
- SAQ D for Service Providers (D-SP) – All service providers eligible to self-assess, including providers that host or process e-commerce payments on a merchant's behalf.
Filling out your SAQ is straightforward, especially with the help of a QSA. First, scope the cardholder data environment and confirm that all required controls are in place. Then, for each Requirement in the SAQ, record whether it is met by following its Testing Procedures, keeping the evidence you relied on. Any Requirement met by other means must be documented in a Compensating Control Worksheet (CCW) attached to your SAQ. Note that SAQ A-EP and SAQ D also require quarterly external vulnerability scans by an ASV (Requirement 11.2.2), so plan those before the reporting deadline.
Professional PCI Compliance Advisory for E-Commerce
So, is PCI compliance mandatory for e-commerce companies? Almost always, yes. Unless your company completely avoids accepting card payments, it needs to comply with the PCI DSS. And if you build payment software or make PIN-entry devices, you may also need to validate against the Software Security Framework (formerly PA-DSS), the PTS requirements, or other SSC standards.
How you report on compliance depends on your transaction volume, the card brands you accept, and the specific way your site handles payments. Many companies seek additional help with their PCI compliance efforts, given the difficulty of identifying their precise requirements. As an SSC-approved QSA and Approved Scanning Vendor (ASV), RSI Security provides trusted PCI expertise.
To get started on your PCI compliance journey, contact RSI Security today!