Mar 04

What You Need to Know about PCI

| More

—- Who and What is PCI?—-

PCI” is a term that’s coming up more and more in 2011 as banks and credit card processors get more serious about credit card data security.

Having just completed our PCI Level 1 audit earlier this year, here are some things we learned that may help you achieve compliance for your business.

Sorry this post got so darned long, but it’s worth reading and it’s a lot shorter than trying to figure this stuff out from scratch!

The acronym “PCI” stands for “Payment Card Industry.” The full name of the organization is “The PCI Security Standards Council,” which is an organization founded by American Express, Discover, JCB International, MasterCard, and Visa. Their website is here.

For the sake of brevity, I’ll refer to the organization and their various standards simply as “PCI” in this post.

—- Do You Need to Comply with PCI Standards?—-

Everyone who accepts credit cards must be compliant with PCI data security standards. But the process of validating your company’s compliance varies widely, from easy to hard, depending on your type & size of business.

—- The PCI-DSS Standard—-

PCI defined a number of security standards, but the one that’s relevant for Chargify and our merchants is called “PCI-DSS,” which stands for “PCI Data Security Standard.”

PCI-DSS covers various things about your business, like:

  • Handling of data by your computer systems.
  • Separation of program execution and data storage.
  • Guarding against employee theft of data.
  • Guarding against internet-based intrusions.
  • Proper disposal of hard drives.
  • Tracking of human access to hardware.
  • Ensuring that software developers cannot directly change production systems without management oversight.
  • And much more.

If you’d like to read the actual PCI-DSS specifications, they are available: here.

If you’re a relatively small business, then you probably won’t need to read the actual PCI-DSS specification. You’ll just need to do a self-assessment. Read on…

—- PCI Levels—-

PCI divides merchants into 4 Levels.

Level 1

  • Chargify is this level.
  • More than 6,000,000 Visa or MasterCard transactions per year.
  • More than 2,500,000 American Express transactions per year.
  • Any merchant that Visa or MasterCard determines should meet the Level 1 merchant requirements to minimize risk to the system.
  • Any MasterCard merchant who had account data compromised in the previous year.

Level 2

  • 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
  • 50,000 and 2,500,000 American Express transactions per year.

Level 3

  • 20,000 to 1,000,000 Visa or MasterCard transactions per year.
  • 50,000 American Express transactions per year.

Level 4

  • All other merchants.
  • Note: American Express does not use level 4.

—- What Does My PCI Level Mean for Me?—-

Look at the requirements above and see which PCI Level is right for your business.

  • If you’re Level 1 or 2, then you need to hire an auditor to verify your compliance with the PCI-DSS Standard.
  • If you’re Level 3 or 4, then you can do your own Self-Assessment of compliance. No auditors.

It took Chargify and our parent company, Grasshopper Group, 9 months to get through the Level 1 process and have everything verified by an outside auditor. We had to go for Level 1, because we support the needs of hundreds of merchants.

The PCI folks are not trying to shut down small merchants, but they do want you to figure out if you meet the PCI-DSS security requirements. That requires an auditor (if you’re relatively big) or self-assessment (if you’re relatively small).

If you’re a small business and you rely on someone like Chargify for all of your credit card data operations, then your life is a lot easier!

Having run a number of busineses, I must say that paying Chargify’s monthly fees to get great billing software and cover 90% of the PCI requirements, is a total win!

—- Self-Assessment for Merchants in Levels 3 & 4—-

Most of our merchants are small in the eyes of the PCI folks.

PCI has developed a set of Self-Assessment Questionnaires that can be used by Level 3 and Level 4 merchants. These questionnaires are referred to as “SAQs”. They help you figure out if you’re compliant with the PCI-DSS standards.

Because you’re a relatively small merchant, you get to assess yourself!

There are 4 different SAQ forms. Use the right one for your type of business:

SAQ A

Applies if: All cardholder data functions are outsourced to someone like Chargify. No electronic storage, no processing, no transmission of cardholder data by the merchant.

Comments:

  • This is the proper questionnaire for merchants who use Chargify hosted pages for all collection and updating of their customers’ card data. You will be asked to confirm that Chargify is PCI compliant, and you can do this by checking our Certificate of Compliance, located here.
  • This is not the proper questionnaire if you collect card data on your own SSL-secure web page and then transmit the data to Chargify via our API.

SAQ B

Applies if: Merchant only uses physical card imprint machines or stand-alone dial-out terminals. No electronic cardholder data storage.

Comments:

  • No internet connection with regard to card data, which pretty much eliminates all Chargify merchants.

SAQ C

Applies if: Payment application connected to the Internet. No electronic cardholder data storage.

Comments:

  • This is the proper questionnaire if you collect card data on your own SSL-secure web page and then transmit the data to Chargify via our API.
  • This questionnaire is pretty hard to fulfill. It covers a lot of stuff that most of our merchants won’t have any control over, especially if they use cloud-based services for hosting and other functions.
  • We have a feature coming out soon that will help a lot! You will be able to keep your application and user experience pretty much as-is, but you’ll qualify for the much easier SAQ A.
  • Please keep up with developments at http://changelog.chargify.com or @Chargify on Twitter.

Many companies are out of compliance here. They are doing what they think is okay (and was okay until recently). They’re using an SSL-secure web page to collect and display credit card data, and they’re transmitting that data to their payment gateway or to a service like Chargify. The PCI folks don’t want to bring the whole industry to a halt, but they do want merchants to move toward compliance. That’s why this topic is coming up more and more.

SAQ D

Applies if: All other merchants not covered above, and service providers.

Comments:

  • This questionnaire applies to oddball merchants, and to companies like Chargify, that provide services to others.

—- Where Do You Get the SAQ Forms?—-

Download the SAQ forms directly from the PCI site.

—- Completing & Submitting Your SAQ Form—-

Here’s a quick rundown of the SAQ sections and some tips along the way:

  • Part 1a is your business info. Pretty easy.
  • Part 1b is your “assessor” info. This only applies if you need to hire an outside PCI company to asses your progress on fixing items of non-compliance. You should not need an assessor if you pass the first set of questions in Section 2b (basic eligibility questions).
  • If you get through Section 2b (basic eligibility) okay, then you’re “compliant” and you don’t need to fill out Section 4.
  • Of course, if you didn’t pass Section 2b, then you’ve got a bit more work ahead on Section 4.
  • Section 3 is easy stuff, like your signature.
  • Section 4 is your “Action Plan for Non-Compliant Status” and contains a lot of questions, plus other sections after it that you’ll have to fill out.

When you’re done, you’re supposed to submit your completed SAQ to your “acquirer”, which is the the bank where you have your credit card “merchant account”. This is not your regular checking account. It’s the special “merchant account” that you got so you can process credit cards. Sometimes it comes bundled with your payment gateway.

If you don’t know where to send your completed SAQ form, try to contact whoever got you your payment gateway or merchant account, or a reseller who may have sold you both.

Sometimes, your merchant account provider will ask for your SAQ, so it will be clear who needs it.

Most merchants have never submitted an SAQ, and most acquirers aren’t yet asking, but this will get stricter as everyone in the chain gets on board.

—- More Info & Links—-

Check out our related post, What Every Small Business Needs to Know About PCI Compliance.

For details regarding the Visa PCI Level criteria & validation requirements, please look here.

For details regarding the MasterCard PCI Level criteria & validation requirements, please look here.

For details regarding the American Express PCI Level criteria & validation requirements, please look here.

Excellent post/article and very timely (for us).

We just were asked by our acquirer last week to complete PCI compliance.

We use your hosted pages and planned to migrate to our own form and Chargify API later this month. But after reading this we'll hold off for now to ensure we pass our certifications.

When we change to our forms do we have to re-certify?

Really appreciate you taking the time to outline this an easy to understand format.
By Steven on March 15, 2011 at 10:09 AM
Commenting is not available in this weblog entry.