Illustration by Emily Carlton
PCI compliance is a security standard designed to keep credit card information safe and prevent fraud. The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments.
The problem is compliance can be difficult to achieve and hard to maintain. If your site doesn’t meet the current standard you can be subject to large fines or denied the ability to process credit card payments.
Your choice of payment gateway is the single biggest factor in determining the burden of PCI compliance on your business.
The good news is that an informed selection can mitigate many of these concerns.
The PCI Compliance Burden
PCI DSS has a large scope, and it is extremely specific and onerous. Any system that stores, processes or transmits cardholder data is in scope, and so is anything on the same network segment or otherwise connected to it. Keeping card data away from your own systems is the usual way to shrink that scope.
To attest compliance you complete a Self-Assessment Questionnaire (SAQ). There are several types, from SAQ A (card handling fully outsourced to a validated third party) through B and C to SAQ D, the most stringent, which applies to any merchant that stores or processes card data electronically on its own systems.
You must complete and submit your questionnaire to your merchant bank annually. If you're not compliant you'll be required to develop and submit a plan to resolve any issues, along with time frames.
Application and Network Security Scan
A regular vulnerability scan of your store's external-facing systems must be conducted by an Approved Scanning Vendor (ASV), a company certified by the PCI Security Standards Council. The scan checks your hosts for known vulnerabilities and misconfigurations; a passing scan has no findings rated CVSS 4.0 or higher. Scans are required quarterly and after any significant change, and the report or attestation is submitted to your merchant bank. If the scan fails, you remediate and rescan until it passes. Which SAQ you fall under determines whether ASV scanning applies to you at all, which is another reason to keep card data off your servers.
Data Center Compliance
You must also make sure that the data center your site is hosted with is compliant. Amazon AWS is extremely good in this regard: it is validated as a PCI DSS Level 1 service provider. Note that this covers the physical facilities and the underlying infrastructure only. Under the shared responsibility model, everything you build on top of it (your operating systems, application code, access control and logging) is still yours to secure, and hosting on a compliant provider does not by itself make your store compliant.
When people ask us about becoming PCI compliant, we prefer to flip the question. What can we do about PCI avoidance?
Strictly speaking, no merchant can opt out of PCI DSS. What our clients are usually able to do is keep cardholder data away from their own systems entirely, so that almost none of the standard applies to them and the lightest questionnaire is all that remains. So you're probably wondering how you can sidestep much of this burden? Before I tell you, let's first understand how PCI compliance came about from a practical perspective.
How Online Payments Evolved
Let’s consider four solutions for implementing payments on your store.
Solution 1: The Simplest Thing Possible
In the early days of eCommerce you would often see solutions like this. From the developer standpoint it’s the easiest solution you could implement with traditional payment providers.
Credit details are stored in your database like everything else. You contact the payment provider with those card details and get a response. You don’t bother setting up HTTPS to encrypt the transmission from the browser to your server.
It’s worth noting that this flow is good in terms of minimizing developer time. It’s also good for the user because they stay on your site throughout the process.
However, this solution is highly insecure. Someone could intercept the card details in transit, or steal all the unencrypted credit card information stored in your database. It also breaks PCI DSS outright: the full card number may never be stored unencrypted, and the security code (CVV/CVC) may not be stored at all after authorization, no matter how it is protected.
Solution 2: Payment Provider Hosted Payment Page
In this solution, you send your customer to a payment provider's hosted payment page. The customer enters their information, it’s sent encrypted to the payment provider for processing.
Payment providers love this solution. It allows them to have full control and confidence that credit card data is secure all along the way. There's very little risk for the store owner too.
While this option is more secure, it forces your customers down a strange path. One moment they’re on your site, the next they’re on another site (that doesn’t look like the page they came from) and they’re asked to enter payment information. This disconnect will negatively impact your conversion rate.
Some payment providers try to reduce this confusion by allowing the store owner to customize the header and footer of the payment page to make it feel like you’re still on the original store website. Ultimately though this is just a band-aid.
Solution 3: PCI Compliance
With this solution your own server receives the card details, and the data is encrypted during every step of transmission and storage.
This solution has a nice user flow and can be made secure, but because card data passes through and is stored on your systems, your whole environment is in scope and you fall under SAQ D. As the store owner you are wholly responsible for PCI compliance: you will need to be competent with encryption and key management, patching, server access control and logging, and know how to respond to any incidents.
Solution 4: PCI Avoidance (recommended)
PCI avoidance is achieved by sending the customer's credit card data directly from their browser to the payment provider, using a script or hosted form the provider supplies, so that the card number never reaches your server. The provider returns an opaque token in its place. Your server charges the card by sending that token to the provider's API, stores only the token (not the card data) in your database, and shows the customer a payment accepted message.
If someone were to get hold of the token, they are not able to extract the credit card data from it: the token is only a reference into the provider's vault, and the provider will only honour it for your account.
Whether this qualifies you for SAQ A or the longer SAQ A-EP depends on how the card fields are delivered. If the provider serves them (a redirect, or an iframe it hosts), you are generally eligible for SAQ A; if your own page serves the form and JavaScript posts it to the provider, SAQ A-EP applies, which adds requirements for the web server that delivers that page.
While being secure and minimising your PCI burden, you have also given the customer a better user experience, because they stay on your site at all times.
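A check worth running once you are on a token flow, added here as an example rather than anything from this post or from Stripe or Braintree: scan your database columns and application logs for anything shaped like a card number, so you can show that only tokens are stored. The sample records below are constructed; the token value is a made-up opaque string in the shape providers use, not a real token, and the card number is the standard "4242..." test number.

```ruby
# Added example (not from the post or any payment provider): find PAN-shaped
# values in DB column values and log lines. A provider token should never match;
# a card number that leaked into a log or column should.

# Luhn checksum: every real PAN passes it, so it filters out most random digit
# runs (order numbers, phone numbers) that merely have a plausible length.
def luhn_valid?(digits)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?       # double every second digit from the right
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/

# All Luhn-valid PAN-shaped values in a string, normalised to bare digits.
def find_pans(text)
  text.scan(PAN_CANDIDATE)
      .map { |m| m.gsub(/[ -]/, "") }
      .select { |digits| (13..19).cover?(digits.length) && luhn_valid?(digits) }
end

# Mask for reporting: first six and last four visible, which is what PCI DSS
# allows to be displayed; never write the full PAN into the finding itself.
def mask_pan(digits)
  digits[0, 6] + "*" * (digits.length - 10) + digits[-4, 4]
end

# Scan a set of source => value pairs (table columns, log lines) and report leaks.
def scan_records(records)
  records.flat_map do |source, value|
    find_pans(value.to_s).map { |pan| { source: source, masked: mask_pan(pan) } }
  end
end

# Constructed sample data. The token is a made-up opaque string in the shape
# providers use; the card number is the standard "4242..." test number, and
# the order number is a 13-digit value that fails the Luhn check.
SAMPLE_RECORDS = {
  "payments.provider_token" => "tok_1AbCdEfGhIjKlMnOpQrS",
  "payments.last4"          => "4242",
  "production.log:118"      => 'Parameters: {"number"=>"4242 4242 4242 4242", "cvc"=>"123"}',
  "production.log:119"      => "Charge created for order 1234567890123",
}

if __FILE__ == $PROGRAM_NAME
  scan_records(SAMPLE_RECORDS).each do |leak|
    puts "PAN found in #{leak[:source]}: #{leak[:masked]}"
  end
end
```

Run against an export of your payments table and a slice of production logs, the token, the stored last four digits and the order number all pass clean, while a form that posted the raw card number to your own server is caught, because Rails writes request parameters to the log by default. That is exactly the leak a token flow is meant to rule out, so the finding means the form is not actually sending card data straight to the provider. Adding the card field names to `config.filter_parameters` in your Rails configuration is a cheap second line of defence for the same failure.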
PCI DSS 3.1 came into effect in April 2015 (its main change was to stop treating SSL and early TLS as acceptable protection for cardholder data in transit). Even with a fully outsourced flow you still complete and submit a self-assessment questionnaire each year, typically the short SAQ A. Payment providers such as Stripe allow you to simply download pre-filled documents, which makes this straightforward for store owners.
Use a payment provider that allows you to offer both a great user experience and minimize the need for you to be PCI compliant.
If your store is running on Spree Commerce or Solidus, you'll be using the Active Merchant library to process payments. Payment processors such as Stripe and Braintree are compatible with Active Merchant and offer tokenization solutions that allow you to significantly lower your PCI burden.
Outsourcing much of the PCI burden to your payment provider allows you to focus on your business and rest easy knowing your site is secure and your customers have a smooth and seamless experience.