PCI Compliance: What Online Retailers Need to Know


If you sell online and accept card payments, you need to be PCI compliant at some level.

Read on for a refresher on PCI compliance, and on how to find out which level applies to you.

Where did PCI start?

Visa, MasterCard, American Express, Discover and JCB founded the Payment Card Industry Security Standards Council (PCI SSC) in 2006. The council maintains the Payment Card Industry Data Security Standard (PCI DSS), which applies to every organization that stores, processes or transmits cardholder data, including any website that accepts card payments.

Why do retailers need to be PCI compliant?

The council's standard sets out controls and processes that reduce the risk of cardholder data being stolen and used for fraud. It is enforced contractually rather than by a regulator: compliance is a condition of the merchant agreement you hold with your acquiring bank.

What happens if we just ignore PCI compliance?

Worst case, your acquiring bank terminates your card acceptance agreement and you can no longer take card payments at all. Short of that, non-compliance exposes you to data breaches, monthly non-compliance fines passed on by your acquirer, being moved to a stricter validation level after a breach, and loss of customer trust.

Furthermore, if cardholder data is compromised, your business may be liable to the card brands for fraud losses and the cost of reissuing affected cards, on top of paying for the mandatory forensic investigation.

So, PCI Compliance makes our business hack-proof?

Not exactly. Compliance is a baseline, and it is validated at a point in time: passing your last assessment does not mean every control still holds on the day of an attack. The card brands' position is that no organization has been breached while actually meeting all of the requirements, but post-breach investigations routinely find that one or more controls had lapsed, or that the compromised systems had wrongly been left out of scope. As for who is getting hacked, some estimates put nearly 80% of payment-data breaches at small-to-mid-sized merchants, which tend to have the fewest security resources.

Is every other retailer PCI compliant? Who’s doing it?

Compliance has improved: by one estimate the share of organizations found fully compliant at assessment time has risen 167% since 2012. That growth is from a very low base, though, and the same estimate puts roughly 80% of organizations as still not fully compliant when assessed, about one in five passing.

What are the standards I need to implement to be fully PCI Compliant?

Here are the basics. To validate compliance, your company has to show that it meets the six control objectives of PCI DSS, which the standard breaks into twelve requirements:

  • Building and maintaining a secure network and systems
    • Requirement 1: Installing and maintaining a firewall configuration to protect cardholder data
    • Requirement 2: Not using vendor-supplied defaults for system passwords and other security parameters
  • Protecting cardholder data
    • Requirement 3: Protecting stored cardholder data (and not storing it at all unless you have a documented need)
    • Requirement 4: Encrypting transmission of cardholder data across open, public networks
  • Maintaining a vulnerability management program
    • Requirement 5: Using and regularly updating anti-virus software on systems commonly affected by malware
    • Requirement 6: Developing and maintaining secure systems and applications, including timely patching
  • Implementing strong access control measures
    • Requirement 7: Restricting access to cardholder data by business need to know
    • Requirement 8: Identifying and authenticating access to system components, with a unique ID for each person
    • Requirement 9: Restricting physical access to cardholder data
  • Regularly monitoring and testing networks
    • Requirement 10: Tracking and monitoring all access to network resources and cardholder data
    • Requirement 11: Regularly testing security systems and processes, including vulnerability scans and penetration tests
  • Maintaining an information security policy
    • Requirement 12: Maintaining a policy that addresses information security for all personnel

The titles above only name each control. In the standard itself every requirement expands into detailed sub-requirements and testing procedures, and which of them apply to you depends on how cardholder data flows through your environment.

I don’t store credit card data – do I still need to be PCI compliant?

What if all payments go through PayPal, Shopify or another outsourced payment processor? There is a level of PCI compliance for you too. It is a common misconception that PCI DSS applies only to merchants who store card data. Even if payment processing is fully outsourced, you still have to meet a subset of the requirements, and you validate them with the shortest self-assessment questionnaire, SAQ A, provided the customer is redirected to, or types the card number into an iframe served by, a PCI-validated third party and your own systems never handle the number. How the payment page is integrated matters: if your website hosts the card form or controls the script that collects the number (a direct-post or JavaScript integration, for example), you fall under the longer SAQ A-EP, because a compromised web server can alter that page and skim card numbers even though they are sent to the processor. In either case you remain responsible for using only PCI-compliant service providers and for the policies that govern that outsourcing.

In short, if your website takes card payments in any form, you must be PCI compliant; what changes is how much of the standard applies to you and how you validate it.

The bottom line – it is about protecting your customers and your business

These standards exist to protect cardholder data, reduce card fraud and avoid costly data breaches. Becoming PCI compliant hardens your business and signals to customers that you handle their payment data responsibly.

The next step – the process behind PCI Compliance:

You know you need to be PCI compliant. But how do you work out which requirements apply to you and validate that you meet them? See the next articles on determining your merchant level and choosing the right self-assessment questionnaire, so that you are looking in the right places.