This guide is based on our in-depth research into PCI Compliance. It is as accurate as possible, but please seek a second opinion (and let us know the result) if anything doesn't sound right. We've put the summary first in case you just need the essentials.
Being PCI compliant has two parts: a questionnaire and a software security scan. Use the table below to figure out if and what you need to worry about:
| Where you process payments | Questionnaire | Software scan | Approx cost |
| --- | --- | --- | --- |
| Website using Google Checkout, NoChex or PayPal without the virtual terminal | no | no | n/a |
| Website using SagePay or WorldPay or similar without the virtual terminal | yes (A) | no | £100/year |
| Website which takes card details itself (Stockashops never do this) | yes (D) | yes, on your website | £500+/year |
| Dial-up telephone terminal in your shop or office, but no internal database of card numbers | yes (B) | no | £100/year |
| Virtual terminal (including PayPal's or SagePay's) in your shop or office, where you type card numbers into a computer connected to the Internet, but no internal database of card numbers | yes (C) | yes, on your shop or office | £500/year |
| Internet-connected POS system in your shop or office, but no internal database of card numbers | yes (C) | yes, on your shop or office | £500/year |
| Any company with a database of card numbers on a computer in their shop or office | yes (D) | yes, on your shop or office | £700+/year |
| Over 6 million transactions per year, no matter what you answer above | yes, by a Qualified Security Assessor | yes | don't know |
In summary, if you only have a Stockashop (or other website) which takes payment using PayPal or Google Checkout, you do not need to worry about PCI compliance. If you have a website with SagePay or WorldPay without a virtual terminal, then fill in Self Assessment Questionnaire A and the Attestation of Compliance A and send them to your acquirer (Streamline, etc). If you only have a dial-up terminal in your shop, then fill in SAQ B and Attestation B. If you would like the least hassle, or you use a virtual terminal, or you keep a database of customer card numbers, then it's easiest to find a company to do it for you and pay £10 to £200 or more depending on the complexity. All of this is explained below.
The Payment Card Industry (PCI) Security Standards Council is an organisation formed by major credit card companies to create some common security standards to prevent fraud. The PCI Data Security Standard (PCI DSS) is the confusing set of requirements and rules they've produced.
PCI Compliance is required for any company which sees, processes, holds or handles debit or credit card details in an electronic form, which could apply to your website, your retail shop and/or your office. In practice, this means any company which has a merchant bank account.
This applies if you take payment by card in your shop, or over the phone, or using a virtual terminal, or on your website using SagePay or WorldPay. If you take payment on your website using PayPal or Google Checkout, then the answer is no, as you don't have a real merchant bank account (see below).
When it is time to take payment, many ecommerce sites redirect their customers to some other website - known as a payment gateway, like PayPal or SagePay. The payment gateways ask for the card information and take the payment, and then put the money in your account.
PayPal, NoChex and Google Checkout do this in a fundamentally different way from almost everyone else. They process the card payment themselves, keep the money in their own bank accounts, and transfer it to your bank account at a later time. This service usually has no monthly fee but a high transaction cost (such as 20p per transaction plus 3%), and the money is not yours until they give it to you. PayPal in particular has received a lot of criticism for how and when it handles money on your behalf (see this site, though it does heavily plug its own alternative).
Unlike them, SagePay, WorldPay, Barclays ePDQ and many others make you sign up for a merchant bank account with a separate company first, which is different from a normal business bank account and is harder to get. When your customers pay for an order on your website, SagePay and WorldPay are just middle men, and the money goes straight into your account. This service usually costs about £20/month but with no transaction fees (for the first 1000 transactions or so, and about 10p/transaction after that).
Note that PayPal and NoChex both have something called a "merchant account" which gives you a "merchant ID", but it's not the same as a real merchant bank account as explained above.
Because of this major difference in who actually receives the money from your customers' cards, websites using PayPal do not have to be PCI Compliant, but websites using a merchant bank account do.
Also note that PCI Compliance companies will happily take your money (via questionnaire A) if you only sell through PayPal or similar, even though PayPal says that you don't need to worry about it. It is interesting that PayPal don't actually state that you "don't need to worry about PCI Compliance" only that you "won’t need to worry about protecting stored cardholder data". Perhaps they're leaving the door open for PCI Compliance companies (or perhaps we're wrong about it, or perhaps PayPal doesn't know itself).
Virtual terminals are websites (provided by payment gateways like PayPal or SagePay) where you can go to, login, enter a customer's card details and an amount and receive their payment.
If you use a virtual terminal (even PayPal's) then you need to be PCI Compliant, because you have to take customers' card details (maybe by phone or post) and type them into a website. Note however that it is not your website that needs to be compliant, but your shop, office or home or wherever you use the terminal.
This is because theoretically anybody connected to your network could snoop and steal those details as you are typing them. Your whole shop or office must therefore be scanned to make sure it meets the PCI security standards. Most shop/office networks connect to the Internet in just one place, so scanning the entry point of the network (your broadband connection) is sufficient.
This means that if you use SagePay's virtual terminal, you need to fill in questionnaire C instead of A. However, it looks like the virtual terminal is included for free. So we're not sure if you have to just promise not to use it, or actually exclude it from your SagePay package in order to fill in the easier and cheaper A instead of C.
SagePay (and other companies) advertise that you can use their virtual terminal from any web browser in the world. However, the PCI requirements imply that anywhere you use the virtual terminal must be scanned and secured (at a potential cost of about £100 per network per year). So this seems irresponsible of SagePay, and we would advise that you use virtual terminals in as few places as possible (e.g. only from your office, not at home or at conferences, and especially not from Internet cafes).
SagePay does have a PCI pricing page from £72/year but it is not clear whether this price covers the virtual terminal. The price of £100 above comes from the $139 quoted by Security Metrics to certify a PayPal virtual terminal.
PCI Compliance has two parts: a questionnaire about how you protect the card data you handle, and sometimes a software scan on your website, office and/or shop to make sure it is secure. The questionnaire and scan basically ensure you meet the list of PCI requirements, which include things like having a secure network, regular testing and a security policy.
The questionnaire has to be filled in once a year and sent to your "acquirer" (the company which provides your merchant bank account, such as Streamline or HSBC Merchant Services). The scan should be done quarterly by an Approved Scanning Vendor (ASV) and is usually fully automated. Use the table at the top to determine what you need to do:
If you process less than six million transactions per year, you can fill out the questionnaire yourself (along with an Attestation of Compliance). Self Assessment Questionnaires are available from the PCI website as are Attestations of Compliance.
There are four different questionnaires (A, B, C and D) depending on if and where you store the credit card details you process. A is for companies with a merchant account but who never see the card details themselves. B is for shops and offices with imprint machines or standalone dialup terminals (not connected to the internet). C is for shops and offices with POS (Point of Sale) systems connected to the Internet (or virtual terminals), and D is for everyone else (those who do have a database of card details - even if just a spreadsheet on a computer in the back room - writing them down on paper is okay).
If more than one situation applies (A and B, A and C, or B and C), hopefully you can just fill in the highest questionnaire, but we're not certain. You may also see this referred to as the "SAQ Merchant Validation Type". Type 1 uses questionnaire A, type 2 is B for imprint machines, type 3 is B for standalone terminals, type 4 is C and type 5 is D.
You can fill in the questionnaire yourself (called "self-certifying") and send it back to your acquirer along with the Attestation of Compliance. It can be difficult to find the exact email address or fax number to send it back to, but they are obligated to accept it, so do persevere. Or you can get a company to do it for you.
We would only recommend doing it yourself if you qualify for questionnaire A or B and like filling in obscure forms. Otherwise it will be less confusing to hire a company (see below).
If you need to have a scan done, you will probably need to pay a company to do it for you (and they should do the questionnaire while they are at it), or you may be able to buy or trial software which does just the scan. You will need to scan every IP address or network which processes card details (such as your office, your shop, maybe your website). Scans must be done quarterly.
PCI Compliance is confusing and there are plenty of companies who will do it for you. Without making a strong recommendation, we have used Security Metrics in the past (visit www.securitymetrics.com and click Enrol Now). The prices above are roughly based on their quotes. SagePay recommends Trustwave and quotes their prices here. We do not sell or endorse any specific PCI related company or software.
These are the kinds of questions a company might ask you when you sign up and/or when you fill in the self assessment questionnaire. The questions come mostly from Security Metrics; the answers mostly apply to Stockashops or other websites which take payment through a third party payment gateway like SagePay or WorldPay:
Do you electronically store credit card numbers?
> no - unless you store them on your shop or office computers
What methods do you use to process credit cards?
> e-commerce, and whatever you use to process card numbers in your shop - perhaps a "dial terminal", and perhaps a "virtual terminal" if you use one
Is the receipt and handling of cardholder data performed exclusively by and on the equipment of a PCI-authorized service provider?
> yes - by someone like PayPal or SagePay for your website or virtual terminal, and most likely by someone PCI-authorized for your shop terminal
How many external IP addresses do you have?
> each shop or office where card details are processed on a computer (using the virtual terminal) or other device (electronic Point of Sale system) connected to the Internet counts as one, but only count your website if it takes card details directly (not if it uses SagePay, WorldPay or another payment gateway)
Who is your acquirer?
> This is your acquiring bank or merchant processor, the company that provides your merchant bank account or Internet Merchant Account to process your customers' card details - such as Streamline, HSBC Merchant Services, or PayPal (if you use their virtual terminal). It is not SagePay - it is the company which provides the account where SagePay deposits your money after an online sale.
Who provides my payment gateway?
> PayPal, SagePay, WorldPay, NoChex or whoever else you use on your website
Who is the web host?
> For Stockashops, this is Rackspace. Otherwise, it is whoever you pay your hosting bill to (unless you use a hosted solution like Stockashop, in which case it's whoever they pay their hosting bill to)
Who provides the shopping cart?
> For Stockashop, this is Stockashop. Otherwise it's the software you use to manage the products on your site - maybe JShop, Magento, ZenCart, OsCommerce, or just bespoke.
Is your hosting co-located?
> For Stockashop, yes - our server is located in Rackspace's data centres. This refers (we think) to whether your website is on a server sitting in your office, or in a big data centre run by a hosting company.
What is your point of sale hardware and software?
> The hardware and software you use in your shop's till.
After you've signed up with a company, they will run an automated scan (if needed) over your website and/or home/office, and provide a link for you to fill in the questionnaire online. You'll have to pass the scan and complete the questionnaire to become compliant.
The PCI scan can take several hours. At the end of it, you'll receive a report (by email or by logging in) telling you what's wrong. The scan looks for all the software it can find on your server and checks for vulnerabilities. Below are some errors we've come across and how to fix them.
Common errors on secure https web servers:
The remote service supports the use of weak/medium SSL ciphers, and/or the remote service accepts connections encrypted using SSL 2.0.
For Apache web servers, you'll need to add lines like this to httpd.conf or ssl.conf (or /usr/local/psa/admin/conf/httpsd.conf or httpsd.custom.include on Plesk):
SSLProtocol -ALL +SSLv3 +TLSv1
For Plesk 9, instead add this line to /etc/sw-cp-server/applications.d/plesk.conf between include_shell and index-file.names:
ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
To test if it worked you can use an ssh terminal to run a command like this (which will fail immediately if SSL2 is properly disabled):
openssl s_client -connect localhost:443 -ssl2
To test for weak and medium strength ciphers, list which ciphers openssl knows in that strength group and then try connecting with each of them in turn (replace CIPHER with each name from the list; a cipher is properly disabled if the connection fails):
openssl ciphers -v LOW
openssl s_client -connect www.beadsunlimited.co.uk:443 -cipher CIPHER
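The manual checks above get tedious when repeated before every quarterly scan, so here is an added example script (written for this guide, not Stockashop's, Security Metrics' or SagePay's tooling) that runs the same openssl s_client probes in a loop and prints a PASS/FAIL line per finding. HOST and PORT are whatever you point it at (e.g. localhost 443). It also tries -ssl3 and -tls1 alongside -ssl2, because PCI DSS 3.1 and later no longer count SSLv3 or early TLS as strong cryptography, so a server that only passes the SSL 2.0 test today will fail a current scan.

```shell
#!/bin/sh
# Added example for the PCI guide (not the original page's code). Repeats the
# openssl s_client checks for legacy protocols and weak cipher groups against
# one host:port. Requires the openssl command line tool.

# probe_protocol HOST PORT FLAG
# One handshake attempt with a protocol-selection flag (-ssl2, -ssl3, -tls1).
# Prints: accepted (server negotiated it), rejected (handshake refused), or
# unsupported-by-client (this openssl build no longer has the flag at all,
# which is what -ssl2 gives on any current system, so the result is inconclusive).
probe_protocol() {
    host=$1; port=$2; flag=$3
    status=0
    out=$(openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1) || status=$?
    case "$out" in
        *"unknown option"*|*"Unknown option"*|*"unrecognized option"*)
            echo unsupported-by-client; return 0 ;;
    esac
    # A successful handshake exits 0 and reports the negotiated suite on a
    # "Cipher is ..." line; a refused one prints "Cipher is (NONE)".
    if [ "$status" -eq 0 ] && ! echo "$out" | grep -q "Cipher is (NONE)"; then
        echo accepted
    else
        echo rejected
    fi
}

# probe_ciphers HOST PORT LIST
# Expands an openssl cipher-list string (LOW, MEDIUM, ...) into suite names,
# offers each one on its own, and prints the names the server accepts.
# Matching the negotiated name exactly avoids a false positive when a TLS 1.3
# server ignores -cipher and picks one of its own suites instead.
probe_ciphers() {
    host=$1; port=$2; list=$3
    names=$(openssl ciphers "$list" 2>/dev/null | tr ':' '\n') || names=""
    for name in $names; do
        out=$(openssl s_client -connect "$host:$port" -cipher "$name" </dev/null 2>&1) || true
        if echo "$out" | grep -q "Cipher is $name\$"; then
            echo "$name"
        fi
    done
}

# report HOST PORT
# Runs every check and prints one PASS/FAIL/SKIP line per finding.
report() {
    host=$1; port=$2
    for flag in -ssl2 -ssl3 -tls1; do
        case "$(probe_protocol "$host" "$port" "$flag")" in
            accepted) echo "FAIL $flag accepted by server" ;;
            rejected) echo "PASS $flag rejected by server" ;;
            *)        echo "SKIP $flag not available in this openssl build" ;;
        esac
    done
    for list in LOW MEDIUM; do
        weak=$(probe_ciphers "$host" "$port" "$list")
        if [ -n "$weak" ]; then
            echo "FAIL $list ciphers accepted: $(echo "$weak" | tr '\n' ' ')"
        else
            echo "PASS no $list ciphers accepted"
        fi
    done
}

# Usage: sh check_tls.sh HOST [PORT]
if [ -n "$1" ]; then
    report "$1" "${2:-443}"
fi
```

A SKIP line means your openssl is too new to even offer that protocol, so it cannot tell you whether the server would accept it; on a modern scanning machine you may need an older openssl build (or the ASV's own report) to confirm the SSL 2.0 finding is closed.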
We will add more errors and solutions here as we come across them.
If you have a merchant bank account, your bank may eventually start fining you £10-20 per month until you are compliant. And (from some stories on the Internet) the bank may claim that you can't certify yourself, that you have to use a company. This is not true - they have to accept self-certification if you qualify for it (less than 6 million transactions per year).
And if your shop, office or card-storing website is hacked, and card details are stolen, you may be liable for crippling fines, and then paying for full PCI Compliance (as if you had more than 6 million transactions per year) in order to take cards safely again.
Stockashop is an affordable and easy-to-use ecommerce and content managed website solution. We have researched PCI compliance mainly so that we can explain it definitively to our existing clients, but also in the hope of gaining new clients by showing how thorough and conscientious we are. Please read about our site in a day and ecommerce solutions or contact us with any queries. If you like our writing and research style, you might also like our content management system overview.
A guide to some potentially confusing terms:
There are lots of links within this page to useful pages and resources, but here are some more which may not have been included: