Home Compliance StandardsPCI DSS Is PCI Compliance Mandatory for E-Commerce Merchants?
PCI DSS

Is PCI Compliance Mandatory for E-Commerce Merchants?

by RSI Security
written by RSI Security
PCI 4

The Payment Card Industry (PCI) Security Standards Council (SSC) oversees regulations that apply to various companies that store, process, or transmit credit card data. The SSC’s Founding Members (Visa, Mastercard, American Express, Discover, and JCB International) ensure that companies across industries comply with the Data Security Standard (DSS). But is PCI compliance mandatory for e-commerce merchants?

 

Is PCI Compliance Mandatory for E-Commerce Merchants?

The SSC regulates all types of businesses, including e-commerce. However, if you’re uncertain whether PCI compliance is required for your e-commerce organization, consider the following:

  • The PCI DSS framework applies to nearly all companies that process card payments.
  • Some PCI Levels for reporting differentiate between e-commerce and other channels.
  • Certain variants of the Self Assessment Questionnaire (SAQ) apply only to e-commerce.

PCI compliance doesn’t need to be challenging, however simply determining your requirements can be. Let’s dive in.

 

PCI DSS: For All Organizations Processing Card Payments

A better way to ask the titular question is: is PCI DSS mandatory for e-commerce merchants? The answer is yes, in almost all cases. PCI DSS compliance applies to nearly all companies that accept payments via credit or debit card. So if your e-commerce store processes, stores, or comes into contact with cardholder data, you will almost certainly need to comply.

If your company does not process credit card payments, there may still be other PCI frameworks that apply. For example, if you have developed or integrated a payment application, you may need to comply with the Payment Application DSS (PA DSS). Its requirements mirror those of the DSS, but companies to whom both apply need to verify compliance for each independently.

Additionally, if your company uses, makes, or sells PIN transaction devices, you must ensure they meet the PIN Transaction Security (PTS) Requirements. The SSC’s overview of PCI standards provides guidance on the applicability. All frameworks are available for free via the SSC document library, pending license agreement.

 

Request a Free Consultation

 

Levels of PCI DSS Compliance Reporting for E-Commerce

Most e-commerce companies have to comply with PCI DSS. However, the ways they need to verify compliance differ depending on their PCI Level. According to Visa’s PCI guide, these are:

  • PCI Level 4 – Merchants who process less than 20,000 e-commerce transactions annually (or 1 million across all other channels) must file a yearly Self Assessment Questionnaire (SAQ).
  • PCI Level 3 – Merchants who process 20,000 to one million e-commerce transactions annually (only e-commerce channels) must file a yearly SAQ and Attestation of Compliance (AOC).
  • PCI Level 2 – Merchants who process one to six million transactions annually across all channels (including e-commerce) must file a yearly SAQ and AOC, just like Level 3.
  • PCI Level 1 – Merchants who process over six million transactions annually across all channels (including e-commerce) must file a yearly Report on Compliance (ROC) and AOC.

If your e-commerce company is above level 4, you will need to work with a Qualified Security Assessor (QSA) to verify your security controls. The best QSAs, like RSI Security, will also help with all elements of PCI DSS implementation and meet all 12 Requirements.

network security

PCI DSS Self Assessment Questionnaires for E-Commerce

Finally, the reporting process for all e-commerce companies—besides those at Level 1—requires selecting the appropriate SAQ to submit. Of the nine SAQ variants, four apply to e-commerce merchants, including one exclusively for e-commerce merchants. These are:

  • SAQ A – Applicable to card-not-present merchants that outsource all cardholder data functions (including e-commerce)—not applicable to any face-to-face channels.
  • SAQ A-EP – Applicable to merchants that partially outsource cardholder data functions and use a third-party website for payments—applicable only to e-commerce channels.
  • SAQ D-M – Applicable to other eligible merchants (including e-commerce).
  • SAQ D-SP – Applicable to all other eligible service providers (including e-commerce).

Filling out your SAQ is straightforward, especially with the help of a QSA. First, you need to ensure that all controls are in place, then prove that all PCI Requirements are met per their respective Testing Procedures. Finally, any Requirements met by other means must be explained in a Compensating Control Worksheet (CCW) attached to your SAQ.

 

Professional PCI Compliance Advisory for E-Commerce

So, is PCI compliance mandatory for e-commerce companies? Almost always, yes. Unless your company completely avoids processing credit cards, it likely needs to comply with the PCI DSS. If you rely on other payment methods, it may need to meet the PA DSS, PTS Requirements, or other frameworks.

How you need to report on compliance will depend upon your volume of transactions and the specific ways you process payments. Many companies seek additional help with their PCI compliance efforts, given the challenges of identifying their precise requirements. As an SSC-approved QSA and Approved Scanning Vendor (ASV), RSI Security provides trusted PCI expertise.

To get started on your PCI compliance journey, contact RSI Security today!

 

Request a Free Consultation

 

 

0 comment
0
FacebookTwitterGoogle +LinkedinEmail

RSI Security is the nation’s premier cybersecurity and compliance provider dedicated to helping organizations achieve risk-management success. We work with some of the world’s leading companies, institution and governments to ensure the safety of their information and their compliance with applicable regulation. We also are a security and compliance software ISV and stay at the forefront of innovative tools to save assessment time, increase compliance and provide additional safeguard assurance. With a unique blend of software based automation and managed services, RSI Security can assist all sizes of organizations in managing IT governance, risk management and compliance efforts (GRC). RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA).

You may also like

How to Pass a PCI Compliance Scan

August 20, 2021

Guide to PCI Compliance for E-Commerce Websites

November 2, 2021

What Are the PCI Merchant Level Requirements?

November 18, 2021

How to Achieve PCI Secure SLC Certification Efficiently

November 6, 2023

What’s The Difference Between HIPAA And PCI Compliance?

December 31, 2019

Do Dispensaries Share Information With The Government?

July 18, 2019

PCI Levels 101 — Everything You Need to...

November 6, 2019

What Does Common Point of Purchase Mean For...

April 15, 2020

What Data Falls Under PCI Compliance?

March 1, 2021

Navigating PCI DSS and the Cloud

February 1, 2019

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

This website uses cookies to improve your experience. If you have any questions about our policy, we invite you to read more. Accept Read More