
Jun 5, 2019 | 5 minute read

FAQs on Payment Card Industry (PCI) compliance and the 4 steps to ensure ecommerce compliance

written by Guest

With the growth of online shopping and the decline of cash payments, the importance of choosing the right payment processing solution cannot be overemphasized. Before investing in any of the available payment processing solutions that promise to make online payments easy for customers, it is crucial to be familiar with Payment Card Industry Data Security Standard (PCI DSS) compliance.

What is the PCI DSS? 

An increase in identity theft incidents marked the early 2000s, prompting the large payment card organizations American Express, JCB International, Discover Financial Services, Visa Inc. and MasterCard to come together and form the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC’s main aim was to protect their clients and their companies through a series of payment processing standards.

Together, the PCI SSC developed the PCI DSS to safeguard sensitive information. 

What are the penalties for non-compliance? 

Many merchants wrongly presume that compliance is optional simply because PCI DSS is regarded as a standard rather than a regulation. Even though merchants may not be jailed for non-compliance, certain repercussions can arise and result in business failure.

For instance, card issuers and acquiring banks can impose fines of between $5,000 and $100,000 USD per month on non-compliant merchants. When imposed on a small business, these hefty fines can put an end to operations. Even if large companies can manage to pay these fees, their bottom lines are negatively affected.

Who needs to be PCI DSS compliant?

Irrespective of firm size or industry, if a business accepts, stores or transmits cardholder data, PCI compliance is mandatory.

Is PCI compliance similar for all merchants?

PCI DSS compliance is not the same for all merchants. It varies from one company to another depending on size, which is good news for smaller companies, as they don’t have to bear the same compliance “burden” as large organizations. The applicable requirements depend largely on a company’s Visa transaction volume over one year. Merchants are categorized into four PCI DSS levels:

  • Level 1: Merchants processing any Visa transactions exceeding $6 million USD per year.  Merchants who pose a considerable risk also fall under this level. 
  • Level 2: Merchants processing any Visa transactions of between $1 million to $6 million USD per year.
  • Level 3: Merchants processing Visa ecommerce transactions of between $20,000 to $1 million USD per year.
  • Level 4: Merchants processing Visa transactions of less than $1 million USD per year, and merchants processing Visa ecommerce transactions of less than $20,000 USD per year. 

An important thing to note is that ecommerce merchants may not be in the same tiers as traditional brick-and-mortar businesses based on the definitions. 

What is cardholder data?

Cardholder data is any personally identifiable information (PII) linked to a user’s credit or debit card. Cardholder data comprises the cardholder name, primary account number (PAN), expiration date and service code.

Defining a Cardholder Data Environment (CDE)

PCI DSS compliance is a challenging task because scoping the CDE is demanding. As per PCI DSS, the CDE is any network or interconnection that stores, processes or transmits sensitive payment authentication data or cardholder data. Generally, the PCI SSC’s definition of the CDE must include all components which support or connect to that network.

That is to say, the CDE includes any interface, such as a wireless network, through which the data passes. It can also involve any device, such as personal and corporate tablets, laptops or smartphones, which connects to the system, as well as routers and servers.


Step 1: Catalog data assets

Scoping the PCI environment forms the basis for creating cybersecurity procedures and policies. So, start by identifying all network devices such as routers, the cellular network, the wireless network, and terminals, together with the point-of-sale (POS) systems.

Step 2: Diagram assets

When identification is complete, proceed to outline how information flows in the environment while showing which devices interact with the data. Pay close attention to network segmentation to ensure that transmitted data does not reach unprotected networks, which could expose it to cybercriminals.
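The scoping rule in the CDE definition above (everything that connects to the cardholder data network is in scope unless a segmentation control sits in between) and Steps 1 and 2 (catalog, then diagram) can be turned into a repeatable check. The following is an added example, not code from the original post or from any PCI SSC tool: it walks a constructed asset inventory (hypothetical device names) as a graph, seeds scope with every asset that handles cardholder data, and stops expanding only at links marked as segmented.

```python
"""Hypothetical CDE scoping helper (added example, not from the original post).

Assumes a constructed inventory: each asset records whether it stores,
processes or transmits cardholder data (CHD) and which assets it connects to.
Segmentation is modelled as a set of links that a control (e.g. a firewall
rule set) prevents CHD from crossing; such links do not pull the far side
into scope.
"""
from collections import deque

# Constructed inventory with hypothetical names (not from the original post).
ASSETS = {
    "pos-terminal-1":  {"handles_chd": True,  "connects_to": ["store-switch"]},
    "store-switch":    {"handles_chd": False, "connects_to": ["pos-terminal-1", "edge-router", "guest-wifi-ap"]},
    "edge-router":     {"handles_chd": False, "connects_to": ["store-switch", "payment-gateway", "corp-lan"]},
    "payment-gateway": {"handles_chd": True,  "connects_to": ["edge-router"]},
    "guest-wifi-ap":   {"handles_chd": False, "connects_to": ["store-switch", "customer-phone"]},
    "customer-phone":  {"handles_chd": False, "connects_to": ["guest-wifi-ap"]},
    "corp-lan":        {"handles_chd": False, "connects_to": ["edge-router", "hr-laptop"]},
    "hr-laptop":       {"handles_chd": False, "connects_to": ["corp-lan"]},
}

# Links with a verified segmentation control between the two sides (constructed).
SEGMENTED_LINKS = {frozenset({"edge-router", "corp-lan"})}


def cde_scope(assets, segmented_links):
    """Return the set of asset names that are in PCI DSS scope.

    Seeds are all assets that handle CHD. Scope then expands breadth-first
    over every connection that is not a segmentation boundary, because any
    component that can reach the CDE without a control in between is
    'connected to' it in the PCI DSS sense.
    """
    seeds = {name for name, a in assets.items() if a["handles_chd"]}
    in_scope = set(seeds)
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        for neighbour in assets[current]["connects_to"]:
            if frozenset({current, neighbour}) in segmented_links:
                continue  # controlled boundary: the far side stays out of scope
            if neighbour not in in_scope:
                in_scope.add(neighbour)
                queue.append(neighbour)
    return in_scope


def scope_report(assets, segmented_links):
    """Split the inventory into in-scope and out-of-scope lists for the diagram."""
    in_scope = cde_scope(assets, segmented_links)
    return {
        "in_scope": sorted(in_scope),
        "out_of_scope": sorted(set(assets) - in_scope),
    }


if __name__ == "__main__":
    report = scope_report(ASSETS, SEGMENTED_LINKS)
    print("In scope:    ", ", ".join(report["in_scope"]))
    print("Out of scope:", ", ".join(report["out_of_scope"]))
    # Removing the segmentation control drags the corporate LAN into scope too.
    print("Without segmentation:", len(cde_scope(ASSETS, set())), "of", len(ASSETS), "assets in scope")
```

Run as written, the report shows the guest Wi-Fi access point and the customer phone landing in scope because they share a switch with the POS terminal, while the corporate LAN and the HR laptop stay out only because of the segmented link on the edge router. That is the practical reason Step 2 stresses segmentation: without it, every connected device becomes part of the audit.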

Step 3: Establish policies, procedures and controls

Here is why all merchants should be PCI DSS compliant: the standard is quite elaborate in defining the required controls. Further, it distinguishes acceptable from unacceptable encryption while explaining the need for firewalls. Consequently, PCI DSS spells out which encryption and cryptographic methods are permitted.

Internal policies should describe the procedure for changing passwords and configurations on all third-party hardware and software. PCI DSS requires merchants to customize these settings, since default configurations and passwords are easily exploited by hackers to gain unauthorized access to the system.

Since June 30, 2018, card-present POS point-of-interaction (POI) terminal connections therefore cannot use SSL/early TLS encryption.
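Checking that no endpoint still accepts SSL or early TLS is the kind of control Step 3 asks a merchant to write down and then verify. As an added example (not code from the original post), the script below parses the protocol directive of the two common web-server formats, nginx `ssl_protocols` and Apache `SSLProtocol`, and reports which endpoints still enable SSLv2, SSLv3, TLS 1.0 or TLS 1.1. The endpoint names and configuration lines are constructed for the example; the treatment of Apache's `all` keyword as every supported protocol except SSLv2 is a stated assumption.

```python
"""Hypothetical TLS-protocol audit (added example, not from the original post).

Parses server protocol directives and flags endpoints that still allow
SSL or early TLS. Configuration snippets below are constructed for the example.
"""
import re

ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
EARLY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}          # SSL/early TLS
CANON = {p.lower(): p for p in ALL_PROTOCOLS}           # case-insensitive lookup


def nginx_protocols(line):
    """'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;' -> set of enabled protocol names."""
    m = re.search(r"ssl_protocols\s+([^;]+);", line)
    if not m:
        return None
    return {CANON.get(tok.lower(), tok) for tok in m.group(1).split()}


def apache_protocols(line):
    """'SSLProtocol all -SSLv3 -TLSv1' -> set of enabled protocol names.

    Tokens are applied left to right: '+name' or a bare name enables,
    '-name' disables. Assumption: 'all' expands to every protocol except SSLv2.
    """
    m = re.search(r"^\s*SSLProtocol\s+(.+?)\s*$", line)
    if not m:
        return None
    enabled = set()
    for tok in m.group(1).split():
        disable = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        group = set(ALL_PROTOCOLS) - {"SSLv2"} if name == "all" else {CANON.get(name, tok)}
        enabled = enabled - group if disable else enabled | group
    return enabled


def audit(configs):
    """configs: list of (endpoint, server_type, directive_line).

    Returns {endpoint: [early protocols still enabled]} for every endpoint
    that fails, plus a manual-review marker where no directive was found
    (the server's compiled-in default then applies and must be checked).
    """
    findings = {}
    for endpoint, kind, line in configs:
        enabled = nginx_protocols(line) if kind == "nginx" else apache_protocols(line)
        if enabled is None:
            findings[endpoint] = ["<no protocol directive: server default applies, review manually>"]
            continue
        weak = sorted(enabled & EARLY, key=ALL_PROTOCOLS.index)
        if weak:
            findings[endpoint] = weak
    return findings


# Constructed sample: hypothetical endpoints and the directive found in each config.
SAMPLE_CONFIGS = [
    ("checkout.example",      "nginx",  "    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;"),
    ("api.example",           "nginx",  "    ssl_protocols TLSv1.2 TLSv1.3;"),
    ("legacy-pos-gw.example", "apache", "SSLProtocol all -SSLv3"),
    ("admin.example",         "apache", "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"),
]

if __name__ == "__main__":
    for endpoint, weak in audit(SAMPLE_CONFIGS).items():
        print(f"FAIL {endpoint}: still allows {', '.join(weak)}")
```

The `legacy-pos-gw.example` line is the instructive one: `SSLProtocol all -SSLv3` looks hardened but still leaves TLS 1.0 and 1.1 enabled, which is exactly the configuration the June 30, 2018 deadline was meant to retire. A real audit would feed the parser with directives collected from the actual servers (or, better, observe the negotiated protocol from the outside), which this offline example does not do.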

Step 4: Frequently monitor CDE protections

CDE monitoring is not just about evaluating controls. It is also about taking part in audits that enable a merchant to demonstrate the efficacy of their controls. There is a need to engage in internal and external vulnerability monitoring, as it can help prove that internal and external threats cannot compromise the integrity of the data. Therefore, monitoring CDE protections regularly will help businesses to form an adequate audit trail.

Performing both internal and external vulnerability checks verifies that the system remains secure. Monitoring builds merchant confidence that the integrity of the information cannot be degraded either internally or externally. The monitoring should also include all business vendors.

How to ease the burden of PCI DSS compliance

  • Use third-party compliance tools which are easy to understand and operate. Such platforms should surface the compliance challenges and review control status.
  • Invest in software that offers timely, updated monitoring insights, allowing the business to quickly manage the dynamics of the risks and vulnerabilities facing it.

The process of attaining PCI compliance is intricate and can seem like an overwhelming list of demands. Nevertheless, it is ultimately what will make the difference between a cyber-attack that sinks a business and one that fails. No matter which stage an ecommerce merchant is at in their PCI compliance journey, a reference to steer in the right direction is always a valuable asset.


Guest Contributor: Ken Lynch is an enterprise software startup veteran and Founder of Reciprocity.