
PCI DSS

Dec. 17, 2015

If you process payments online, you need to read this.

One of the biggest challenges of PCI DSS compliance is that it applies to anyone operating an online system that processes card payments. The growth of businesses trading on platforms like Etsy and Shopify shifts much of that responsibility onto the platform, but for businesses running self-hosted ecommerce sites, or that have set up custom payment gateway integrations, PCI DSS is your responsibility.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) was set up by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. to ensure a baseline level of security when merchants are allowed to trade online. Together they formed the PCI Security Standards Council, and the standard is now at version 3.1. The Council publishes guidance to help companies become compliant; for a more human-friendly introduction, the PCI Compliance Guide is a goldmine of useful information.

Compliance levels

PCI DSS varies in its demands based on the data the merchant stores, ranging from simply passing payments through to a third-party website, through to storing entire card details and CVV numbers for recurring payments. As a merchant you may initially qualify at a particular level, but should you suffer a breach, the level you are required to attain can be raised at the discretion of your acquiring bank. This is one of the many reasons it's important to be ahead of the game on PCI: the simplest questionnaire is 20 straightforward questions, whereas moving up to Level 1 means a 100-page audit document and the appointment of external auditors to review your infrastructure and processes.

Self assessment

Many small merchants qualify to self-assess their compliance. Whilst this removes the requirement for an external auditor, it can also prove a daunting task for an organisation without any information security experience. Lockran can help provide assurance that your self-assessment process is correct, and can liaise with an approved QSA should further assistance be required. We also help review your system architecture to make sure the scope of your PCI compliance is limited to the smallest possible footprint.