PCI Compliance Demystified
PCI compliance is a topic that some Web developers and ecommerce companies use to hard-sell potential clients. It is often portrayed as a complex, labyrinthine process that needs close Web-developer supervision. That is not usually true. In this post, we’ll try to simplify the process and its steps. First point: as long as your online business handles fewer than one million card transactions a year (transactions, not dollars), you can validate PCI DSS compliance yourself with a self-assessment rather than a formal on-site audit.
Please see this link, for a quick overview:
A merchant that processes fewer than one million but more than 20,000 ecommerce transactions a year is considered a “Level 3” merchant. For such companies, PCI compliance involves self-assessment plus an external vulnerability scan. The PCI Security Standards Council allows Level 3 merchants to validate by completing a self-assessment questionnaire (SAQ). Quarterly external scans by an Approved Scanning Vendor (ASV) are also required for most SAQ types, but they are automated: you sign up with a scanning service, which probes your public-facing hosts every quarter and reports any failing findings. You cannot entirely forget about it, though: a scan that fails (for example, because of an outdated TLS configuration or an unpatched service) must be remediated and re-scanned to obtain a passing report.
Trust Guard is one company that provides PCI scans. There are many others. Here’s a list of approved scanners:
PCI DSS covers the storing, processing and transmitting of cardholder data, not just storage. Most ecommerce websites don’t need to store card numbers at all and can hand the card-handling part to their payment gateway (such as Authorize.net or PayPal). These gateway companies have invested heavily in a secure, PCI-compliant infrastructure so that merchants don’t need to build their own. The key is how the card data reaches the gateway: if the customer is redirected to a page hosted by the gateway (or the form is served from the gateway in an iframe), card data never touches your server and you qualify for the shortest questionnaire, SAQ A. If your own site renders the payment form and posts the card number to the gateway, or your server touches the card number even briefly, you fall under a longer questionnaire (SAQ A-EP or SAQ D) and more of the standard applies to your web server.
If your online business does fewer than 20,000 transactions a year (sales, not dollars), you are a Level 4 merchant, and your acquiring bank decides what validation it wants from you. Typically that is just the self-assessment questionnaire, and if you qualify for SAQ A (card data fully outsourced to the gateway), no ASV scan is required by that questionnaire. If you complete SAQ A-EP or SAQ D, quarterly scans are still part of the requirements regardless of your transaction volume. Here’s a link to the questionnaire. It’s like an open-book test:
Now, once your company is doing over a million individual transactions a year (not dollars), the card brands require a higher level of scrutiny: at Level 2 some brands require the SAQ to be completed by a qualified assessor, and above six million transactions (Level 1) an annual on-site assessment by a Qualified Security Assessor (QSA) and a Report on Compliance are required. For many companies, the 1M-transaction benchmark is not an immediate concern. When that day comes, a deeper security audit will be needed, but presumably there will be plenty of revenue to cover it!
One last important point: your hosting company needs to be up to speed on PCI issues, because it plays a role in storing and transporting cardholder data (your web server terminates the customer’s TLS connection and forwards the order to the gateway). Under PCI DSS the host is a service provider, so ask for its current Attestation of Compliance (AOC) and a clear statement of which requirements it covers and which remain yours (patching the application, managing admin accounts, and so on). We usually recommend Nexcess.net because they offer PCI-compliant hosting specifically optimized for Magento:
Click on Magento hosting in the link above. This will bring you to their Magento-overview page, which contains a link to the steps they take to support your PCI compliance. We hope this information was helpful.