What exactly is the PCI DSS?
The PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements for all parties involved in processing credit and debit card transactions – including acquirers, service providers, and merchants – to ensure secure transmission and storage of cardholder data. Continuous compliance with the standard is mandatory for all specified parties, and periodic certification of compliance is also required in various capacities.
Mandatory? Says who?
The PCI SSC (Security Standards Council). The standard was introduced in 2004 as a result of collaboration between Visa and MasterCard. In 2006, they handed off the responsibility of maintaining the standard to the SSC, which is a joint effort of Visa, MasterCard, Discover, JCB, and American Express.
Although the SSC has exclusive authority to set requirements, it does not participate in compliance enforcement. The card brands themselves are responsible for enforcing compliance for all transactions conducted with their own cards. They accomplish this through policy enforcement with their member banks (acquirers). The member banks, in turn, enforce compliance with merchants.
Consequently, if you wish to process major credit cards, you must do so through members of the card brands, who mandate PCI DSS compliance measures in their service contracts.
What does a service provider like Volusion have to do to become compliant?
According to the SSC, there are 12 requirements for service providers to achieve compliance, grouped under six goals:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel.
You can view the requirements spelled out in thorough detail in the SSC's document library.
Since all card brand programs are designed to help service providers achieve compliance with the same standard, they are quite similar in a number of ways. The main components are:
- Quarterly network scans by an ASV (Approved Scanning Vendor) for the network's external IP addresses
- Annual on-site audits by a QSA (Qualified Security Assessor)
How can I be sure that Volusion is compliant?
Each card brand maintains a unique compliance program:
- Visa: CISP (Cardholder Information Security Program)
- MasterCard: SDP (Site Data Protection) Program
- Discover: DISC (Discover Information Security & Compliance) Program
- JCB: Data Security Program
- American Express: DSOP (Data Security Operating Policy)
Although Volusion is certified through all of these programs, only Visa and MasterCard maintain publicly-accessible lists of certified service providers:
- Visa (click Search Service Providers in the middle of the page)
- MasterCard (click Download List in the middle of the page)
Do I, as a merchant, have to do anything extra for compliance?
Perhaps. The specifics depend on several factors, explained below.
Factor 1: Your shopping cart platform
All merchants must conduct online business through a certified PCI DSS-compliant platform. If you use licensed or open-source software, you are independently responsible for achieving certification with all card brands you wish to process. Your platform may also be subject to the PA-DSS (Payment Application Data Security Standard).
Factor 2: Your transaction volume
Although using a certified solution is a necessary element of merchant compliance, it isn't the only element. All card brands also categorize merchants into tiers based on annual transaction volume and security incident history, and set forth compliance objectives accordingly.
In general, higher tiers are either recommended or required to complete an annual on-site audit with a QSA or ISA (Internal Security Assessor), as well as pass quarterly network scans with an ASV. Medium tiers generally must meet the same ASV scan requirement, as well as submit the SAQ (Self-Assessment Questionnaire) and Attestation of Compliance forms (both available from the SSC's document library). Requirements for the lowest tiers are generally more relaxed.
Factor 3: Your acquirer
“Acquirer” is an industry term for your payment card processing service, which is a bank or a specialized financial organization that works with one or more banks. Both the SSC and the card brands themselves advise merchants to contact their acquirers for compliance requirements.
Although most acquirers have identical merchant requirements, some variation exists. By following all requirements set forth by your acquirer, you minimize your own liability.
Volusion is my acquirer. Does that mean I'm covered?
Yes, but additional requirements may apply if your transaction volume exceeds a certain threshold. As part of the enrollment process, Volusion assists you with completion of the SAQ, which is recommended or required for all merchant tiers of all card brands. Most of our merchants, however, qualify for the smallest merchant tier and thus are not subject to the quarterly ASV scan requirement.
Bear in mind that Volusion Payments does not offer JCB card acceptance, and does not serve as acquirer for American Express transactions (American Express itself fulfills this role). This means that Volusion, as your acquirer, enforces compliance only for Visa, MasterCard, and Discover transactions.
All three of these card brands define their lowest tier of merchants as those accepting fewer than 20,000 transactions annually (per card type, rather than a combined total of all three card types). If your transaction volume exceeds this limit for any card type, we will notify you immediately and provide further instruction.
All Volusion Payments accounts are reviewed quarterly; your merchant tier assignment can change during any review period.
I'm required to pass quarterly network scans. How can I find an ASV?
The SSC keeps an up-to-date ASV list, which includes referral links. A scanning vendor that does not appear on the list is not recommended, as only approved vendors can help you achieve compliance in the eyes of the card brands. If your acquirer insists that you use a non-approved scanning vendor, it is advisable to find a different acquirer.
Also, be wary of acquirers with ASV partnerships that insist on stricter, costlier scanning requirements than those found on card brand websites. While such businesses may be able to frighten you about credit card security dangers, they have no right to force you to meet a higher security standard than the industry norm.
Is there a graphic I can display to show my customers that I'm compliant?
It depends on your acquirer and your ASV. Since use of a certified platform isn’t sufficient to prove that your store is compliant, Volusion (as your service provider) is unable to offer such a graphic. For merchants using Volusion Payments, Volusion does offer a Verified by Volusion graphic in your Admin Area at Marketing > Nav Menu Promotions free of charge, but this graphic is unavailable to merchants using other acquirers.
Many ASVs and some acquirers also offer clickable compliance validation graphics. Unfortunately, it is a common practice for them to require greater financial commitment than that of the minimum required quarterly scans for the right to display them. If you’re interested in displaying one, you may have to shop around to find the ASV or acquirer offering the best deal. Whether or not you consider the graphic worth the extra financial commitment should depend on whether or not it actually improves your store’s conversion rate, which is something that only you can determine.