A topic that has been coming up a lot recently is one of PCI Compliance and when is it required and how can you satisfy it. It can be quite confusing to get your head around what it is and what the actual requirements are, for Charities and Fundraisers especailly, so I thought I might share my thoughts on the topic to try to simplify it so hopefully everyone can get a clearer picture on what it is and how to determine what your obligations are.
So what is PCI Compliance?
Essentially PCI compliance is a set of security standards that was created specifically for the card payments industry to help ensure that any merchant accepting credit card information abides by a certain set of guidelines in order to better protect customer's credit card data.
It applies to anyone accepting and/or storing credit card information, regardless of how you accept it and there are different guidelines that apply to each type of merchant and at different levels of transactions. For example vendor machines have their own set of guidelines as do POS systems as do e-commerce websites.
PCI Compliance in Australia has so far not been that strictly adhered to or policed but with e-commerce being as big as it is, this is something that is changing and now we are seeing a lot more emphasis on showing PCI compliance.
Who needs to comply?
If you answer yes to any of the questions below then you may need to at some point prove that you are PCI compliant to either your bank or payment provider.
- Do you accept payments for any goods or services using a credit card, either online, in stores or via the phone?
- Do you store credit card information anywhere in your organisation either electronically or paper backups?
- Do you transmit any credit card details to any 3rd party organisation such as a payment gateway?
As I said above, if either of these relate to you then at some point you may need to prove compliance. I say this because there is no legal requirement as of yet that requires online merchants to be compliant, but it's good practice to go through the steps to see exactly what your bank expects of you, and if you are found to be non-complaint and something goes wrong on your website then there can be repercussion.
What happens if we don't comply?
I guess from a web users standpoint, showing that you are PCI compliant ensures that you take all precautions to protect your customers credit card data.
From a legal standpoint, there are possible penalties that can be imposed from the banks if you are found not to be compliant and you do suffer the misfortune of having your customer's credit card data stolen. You might be blacklisted from accepting payments until you can prove your compliance or there could be a fine imposed or increased fees.
If you are ever found to be non-compliant and a bank decides to require you to prove that you comply, the that in itself can be quite a costly excericise just getting someone to carry out the auditing.
How do you become compliant?
There are 3 different levels of PCI compliance, with each level relating to how many transactions you accept per year.
Level 1
For organisations that accept over 6 million transactions per year they need to comply with level 1 PCI compliance which is a very strict set of guidelines that can only be met by annual auditing from an approved auditor. Typically this would be a payment gateway that has to comply at this level and in fact if your payment gateway is not level 1 PCI compliant then you should probably be choosing a different gateway.
Level 2
For organisations that accept between 1 million and 6 million transactions per year they need to comply with a slightly lower level of compliance which again is still quite strict and usually requires annual auditing.
Level 3
For the majority of organisations we work with that accept credit card information such as e-commerce websites, fundraising websites, charitable donations taken over the phone or via a website, the PCI requirement is the 3rd or lowest level of compliance which is often achieved simply by completing a Self Assessment Form.
Understanding Self Assessment
As I mentioned above, for most online merchants it is actually quite straight forward to show compliance simply by completing one of the self assessment forms, which really are quite straight forward and just common sense in most cases.
If you head over to the PCI Security Standards website, there you will find a bunch of different self assessment forms and which one you have to comply with comes down to how you accept and transmit credit card information.
Let's just look at a typical ecommerce website that accepts credit card information online, since that is what we do most here at Funraisin, to work out which one might apply to your website.
How do you actually process the credit card data?
First of all you need to understand how you accept, transmit and process the credit card data. Is your website talking direct to a Bank such as ANZ eGate? or do you use a 3rd party gateway? And if you use a 3rd party gateway then are they themselves PCI level 1 compliant?
When integrating a website in with a payment platform there are generally two integration options you can choose from and the 2 Self Assessment forms relate to these integration methods.
Hosted Pages
One option is what they call a Hosted Payment Page whereby the actual web page where the user enters their credit card details into, is hosted by the bank or payment gateway, similarly to how PayPal works. If you use this method of accepting credit card payments then you fall into the lowest of all PCI compliance categories since the risk of having credit card data stolen is at the lowest (providing the payment platform is Level 1 compliant).
If you fall into this category then the Self Assessment form you need to complete is called SAQ A (Card Not Present Merchants).
Merchant Hosted Page
The second option is whereby the form that the user enters their credit card data into is hosted on your wesbite and then the processing of the payment takes place by a bank or 3rd party payment gateway. With this method of integration there is still some risk of credit card data being stolen since it is being entered into a form away from the paymemt platform.
If you fall into this category then the Sell Assessment form you need to complete is called the SAQ A-EP (Partially Outsourced E-commerce Merchants).
Merchant Hosted Form & Client Side Encryption
There are 2 more options which are relatively new and are only offered by some Payment Gateways which lets you still have the payment page on your own website but the form that users enter their credit card into, is either hosted by the Gateway or the fields are completely encrypted by the Gateway.
