A Secure Path to PCI Avoidance

David Jones · Mar 14, 2016 · 7 min read

Illustration by Emily Carlton

PCI compliance is a security standard designed to keep credit card information safe and prevent fraud. The Payment Card Industry Data Security Standard (PCI DSS) applies to companies of any size that accept credit card payments.

The problem is compliance can be difficult to achieve and hard to maintain. If your site doesn’t meet the current standard you can be subject to large fines or denied the ability to process credit card payments.

Your choice of payment gateway is the single biggest factor in determining the burden of PCI compliance on your business.

The good news is that an informed selection can mitigate most of these concerns.


The PCI Compliance Burden

PCI DSS has a large scope. It's extremely specific and onerous. Any computer that comes in contact with cardholder data is relevant.

Self-Assessment Questionnaire

In attempting to achieve compliance you will need to complete a Self-Assessment Questionnaire (SAQ). There are different types, ranging from SAQ A (the lightest) to SAQ D (the most stringent).

You must complete and submit your questionnaire to your merchant bank annually. If you're not compliant you'll be required to develop and submit a plan to resolve any issues, along with time frames.

Application and Network Security Scan

A regular security scan of your store and network will be conducted. This essentially runs a set of heuristics/rules that look for red flags. If there are too many, or any that are too severe, action must be taken to move back into compliance. The scan must be performed by an Approved Scanning Vendor (ASV), and the report or certificate of compliance submitted to your merchant bank on a regular basis.

Data Center Compliance

You must also make sure that the data center your site is hosted with is compliant. Amazon AWS is extremely good in this regard.


When people ask us about becoming PCI compliant, we prefer to flip the question. What can we do about PCI avoidance?

Our clients are often able to completely avoid PCI compliance. So you’re probably wondering how you can sidestep much of this burden. Before I tell you, let’s first understand how PCI compliance came about from a practical perspective.

How Online Payments Evolved

Let’s consider four solutions for implementing payments on your store.

Solution 1: The Simplest Thing Possible

Insecure Payment Implementation

In the early days of eCommerce you would often see solutions like this. From the developer standpoint it’s the easiest solution you could implement with traditional payment providers.

Card details are stored in your database like everything else. You contact the payment provider with those card details and get a response. You don’t bother setting up HTTPS to encrypt the transmission from the browser to your server.

It’s worth noting that this flow is good in terms of minimizing developer time. It’s also good for the user because they stay on your site throughout the process.

However, the issue with this solution is that it's highly insecure. Someone could intercept this information while it is transmitted, or steal all the unencrypted credit card information stored in your database.

Solution 2: Payment Provider Hosted Payment Page

Payment Provider Hosted Payment Page

In this solution, you send your customer to a payment provider's hosted payment page. The customer enters their information there, and it is sent encrypted to the payment provider for processing.

Payment providers love this solution. It allows them to have full control and confidence that credit card data is secure all along the way. There's very little risk for the store owner too.

While this option is more secure, it forces your customers down a strange path. One moment they’re on your site, the next they’re on another site (that doesn’t look like the page they came from) and they’re asked to enter payment information. This disconnect will negatively impact your conversion rate.

Some payment providers try to reduce this confusion by allowing the store owner to customize the header and footer of the payment page to make it feel like you’re still on the original store website. Ultimately though this is just a band-aid.

Solution 3: PCI Compliance

PCI Compliance

With this solution credit card data is encrypted during every step of transmission and storage.

This solution has a nice user flow and is secure, but as the store owner you are wholly responsible for PCI compliance. You will need to be competent with encryption, patching and server access control, and know how to respond to any incidents.

Solution 4: PCI Avoidance (recommended)

Payment Processing without PCI Compliance

PCI avoidance is achieved by sending the customer’s credit card data directly to the payment provider, so it never passes through your servers. A token (not the actual credit card data) is then stored in your database, and a payment accepted message is sent back to the customer.

If someone were to get hold of the credit card token, they would not be able to extract credit card data from it.

This approach is secure, minimises your PCI burden, and gives the customer a better user experience because they stay on your site at all times.

As of April 2015, the PCI DSS 3.1 standard came into effect, which still requires you to fill out a self-assessment questionnaire. However, payment providers such as Stripe allow you to simply download pre-filled documents, which makes this simple for store owners.
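The Solution 1 and Solution 4 flows side by side, as an added Ruby example that is not code from this post and not Stripe's, Braintree's or Active Merchant's API: a hypothetical provider vault that issues opaque tokens, the two kinds of order record a merchant might store, and a Luhn-based scanner you can run over database dumps and logs to confirm that the tokenized record holds no card number while the Solution 1 record does. The card number in the test is a constructed test value, and the token format is an assumption.

```ruby
require 'securerandom'
require 'json'

# Luhn mod-10 check on a string of digits (real PANs pass, opaque tokens do not).
def luhn_valid?(digits)
  sum = digits.reverse.each_char.with_index.sum do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d > 9 ? d - 9 : d
  end
  (sum % 10).zero?
end

# Returns every Luhn-valid run of 13-19 digits (spaces/dashes allowed) found in text.
# Run it over DB dumps and logs to confirm no cardholder data has reached your systems.
def find_pans(text)
  text.scan(/(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)/)
      .map { |m| m.delete(' -') }
      .select { |d| luhn_valid?(d) }
end

# Hypothetical stand-in for the provider's vault (not Stripe's or Braintree's API).
# The browser posts card data here directly; the merchant only ever receives a token.
class ProviderVault
  def initialize; @cards = {}; end
  # Issues an opaque token. The CVC is used for the authorisation only and never stored.
  def tokenize(number:, exp_month:, exp_year:, cvc:)
    raise ArgumentError, 'card number failed Luhn check' unless luhn_valid?(number)
    raise ArgumentError, 'cvc required' if cvc.to_s.empty?
    token = "tok_#{SecureRandom.alphanumeric(24)}"
    @cards[token] = { number: number, exp_month: exp_month, exp_year: exp_year }
    { 'token' => token, 'last4' => number[-4, 4], 'exp_month' => exp_month, 'exp_year' => exp_year }
  end

  # Charges are placed by token only; card data never leaves the vault.
  def charge(token, amount_cents)
    return { 'status' => 'declined', 'reason' => 'unknown token' } unless @cards.key?(token)
    { 'status' => 'succeeded', 'amount' => amount_cents, 'token' => token }
  end
end

# Solution 1 style record: the raw card number sits in the merchant DB, fully in PCI scope.
def insecure_order_record(number, exp_month, exp_year)
  JSON.generate('card_number' => number, 'exp' => "#{exp_month}/#{exp_year}")
end

# Solution 4 style record: only the token and display metadata are stored.
def tokenized_order_record(tokenized)
  JSON.generate(tokenized.slice('token', 'last4', 'exp_month', 'exp_year'))
end
```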

Conclusion

Use a payment provider that allows you to offer both a great user experience and minimize the need for you to be PCI compliant.

If your store is running on Spree Commerce or Solidus, you’ll be using the Active Merchant library to process payments. Payment processors such as Stripe and Braintree are compatible with Active Merchant and offer solutions that allow you to significantly lower your PCI burden.

Outsourcing much of the PCI burden to your payment provider allows you to focus on your business and rest easy knowing your site is secure and your customers have a smooth and seamless experience.

