PCI Compliance Guide : Why Indian eCommerce Start-Ups Must look for PCI Compliance
A lot of eCommerce start-ups are entering the market with hopes of competing with the likes of Amazon and Flipkart. The moment they accept card payments, they need to comply with the PCI Data Security Standard to reduce the risk of card fraud and data breaches. But what exactly does being PCI compliant mean? Here, we explain:
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a globally accepted information security standard for organisations that handle payment card (credit, debit and prepaid) transactions. Its requirements protect cardholder data against theft and misuse. By following PCI DSS, merchants and service providers can accept, process, transmit and, where unavoidable, store cardholder data during eCommerce transactions with a defined set of controls in place. PCI DSS was first released in 2004 by the five major card brands, Visa, MasterCard, Discover, JCB and American Express, which in 2006 formed the PCI Security Standards Council (PCI SSC) to maintain it.
Who must comply with PCI DSS?
“Any merchant, acquirer, issuer bank and service provider that processes, stores or transmits credit or debit card data must follow the procedures of PCI DSS. Besides protecting cardholder data, complying with PCI DSS means to ensure information systems and payment applications are secured in real time,” said Karl Schrade, Senior Cyber Security Consultant at Chitrangana.com.
Different levels of PCI DSS compliance
Merchant levels are set by the card brands, not by the PCI SSC; the figures below are Visa's, which most acquirers use, and they determine how compliance must be validated. The requirements themselves are the same at every level.
Level 1: Over 6 million transactions a year (annual on-site assessment and quarterly ASV scans)
Level 2: 1 to 6 million transactions a year (annual SAQ and quarterly ASV scans)
Level 3: 20,000 to 1 million eCommerce transactions a year (annual SAQ and quarterly ASV scans)
Level 4: Fewer than 20,000 eCommerce transactions a year, and all other merchants up to 1 million (annual SAQ; scans and validation as required by the acquirer)
A merchant that suffers a breach can be moved to Level 1 by the card brands regardless of volume.
How to be PCI compliant?
1) Keep cardholder data out of your own systems wherever possible: never see, store or have access to the full card number unless the payment flow genuinely requires it. This is the single biggest reduction in PCI scope.
2) Tokenize: if you need to reference a card for recurring billing or refunds, store the token returned by your payment provider, never the card number. Sensitive authentication data (CVV, full track data, PIN) must never be stored after authorisation, even encrypted.
3) Use a PCI DSS validated third-party payment gateway with a hosted payment page, redirect or hosted fields, so card data goes straight from the customer's browser to the gateway and never passes through your servers.
4) Logging, testing and audit trails before launching the website: keep audit logs of access to systems in scope, run vulnerability scans and penetration tests, and make sure card numbers never end up in application or web-server logs.
5) Strictly follow the security policies and integration guidelines set by your payment partners; the integration method you choose determines which SAQ applies to you.
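Items 1 and 4 above are where eCommerce start-ups most often slip in practice: the gateway is integrated correctly, but a debug log or support ticket quietly captures full card numbers and CVVs, which drags the logging system into PCI scope. The following Python script is an added example written for this guide (it is not from the original article or from any payment provider) of a log scrubber that finds Luhn-valid 13 to 19 digit numbers and masks them to the first six and last four digits, and redacts sensitive authentication data fields outright. The regular expressions, field names and log lines are constructed for the example; the card numbers are public test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. (Constructed pattern for this example.)
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data (CVV/CVC/PIN) must never be stored after
# authorisation (PCI DSS Requirement 3), so it is redacted entirely, not masked.
# The field names are assumptions about how an application might log them.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|cid|pin)(\s*[=:]\s*)\S+", re.IGNORECASE)


def luhn_valid(digits):
    """Luhn check: filters out order IDs and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits (PCI DSS masking rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line):
    """Return (scrubbed_line, number_of_pans_masked) for one log line."""
    masked = 0

    def replace(match):
        nonlocal masked
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):
            masked += 1
            return mask_pan(digits)
        return raw                      # not a card number, leave it alone

    line = SAD_RE.sub(r"\1\2[REDACTED]", line)
    return PAN_RE.sub(replace, line), masked


def scrub_log(lines):
    """Scrub a list of log lines; returns (scrubbed_lines, total_pans_masked)."""
    out, total = [], 0
    for line in lines:
        scrubbed, n = scrub_line(line)
        out.append(scrubbed)
        total += n
    return out, total


# Constructed sample log lines (public test card numbers, not real cardholder data).
LOG_LINES = [
    "2024-03-01 10:15:02 INFO checkout order=98765432101234 user=alice",
    "2024-03-01 10:15:03 DEBUG gateway request pan=4111111111111111 exp=12/26",
    '2024-03-01 10:15:04 DEBUG gateway request pan="4242 4242 4242 4242" cvv=123',
    "2024-03-01 10:15:05 INFO token=tok_7f3a9c stored, PAN discarded",
]

if __name__ == "__main__":
    scrubbed, n = scrub_log(LOG_LINES)
    for line in scrubbed:
        print(line)
    print(f"{n} card numbers masked")
```

The 14-digit order number on the first line is left untouched because it fails the Luhn check, while both test card numbers are masked and the CVV value is removed rather than masked. Running a scrubber like this over logs is a mitigation for accidental leakage, not a substitute for item 3: the correct fix is an integration in which your servers never receive the card number at all.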
What happens if you are not PCI compliant
If your eCommerce website does not follow PCI DSS, the risk of a breach of customer card data is high. Acquiring banks require merchants to be PCI compliant as a condition of accepting cards, and after a breach they can pass on card-brand fines, raise fees or terminate the merchant account. In 2013, the Reserve Bank of India (RBI) made it mandatory for banks to ensure “that the terminals installed at the merchants for capturing card payments should be certified for PCI-DSS and PA-DSS.”
How to maintain PCI DSS compliance?
Remaining PCI compliant is a continuous process. To maintain PCI DSS compliance for your eCommerce website, you complete the applicable Self-Assessment Questionnaire (SAQ) and its Attestation of Compliance every 12 months. Requirement 11 (“regularly test security systems and processes”) also requires quarterly external vulnerability scans of your Internet-facing systems, run by an Approved Scanning Vendor (ASV), with a rescan after any significant change to the environment. Payment providers such as PayPal publish compliance guidance for their merchants and may ask them to confirm their compliance status.
What is the difference between PCI compliance and PCI certified?
As explained above, most eCommerce merchants validate compliance by completing the Self-Assessment Questionnaire (SAQ) that matches how the payment gateway is integrated: SAQ A if card capture is fully outsourced (a redirect or iframe to the gateway), SAQ A-EP if your page controls how card data reaches the gateway (for example a direct-post form or gateway JavaScript loaded into your checkout page), and SAQ D if your own systems receive or store card data. What is loosely called “PCI certification” is a Level 1 style validation: an on-site assessment by a Qualified Security Assessor (QSA), who produces a Report on Compliance (ROC) and signs the Attestation of Compliance (AOC). The PCI SSC itself does not certify merchants; it accredits the QSAs and ASVs, and the assessment results go to your acquirer and the card brands. The requirements for PCI compliance and “PCI certification” are the same. The difference is who conducts the assessment and verifies the evidence.