Originally published Feb 18, 2018, updated March 24, 2022.
Engaging in B2B eCommerce requires your company to take responsibility for securing the data of others. Leads trust you with their contact information. More importantly, if you take payments online, customers trust you with their credit card or bank account information.
Hackers might not be interested in a simple email address, but credit card numbers and checking account numbers are like catnip to them. That’s why B2B eCommerce brands must comply with a myriad of data security requirements, starting with credit card industry standards surrounding information security.
In this article, you’ll learn about PCI DSS from the standards to the responsibilities and you’ll even get a checklist to help you with compliance. And, if you are an OroCommerce or OroMarketplace user, you’ll find a handy grid to help you understand where Oro helps you with data security and where you are fully responsible.
What is PCI DSS?
The credit card processing industry has an interest in keeping transactions secure. If they lose trust in the security of data, people stop using credit cards, Bitcoin starts looking even better, and the processing and credit card business suffers.
Back in 2004, a consortium of credit card companies including Visa, MasterCard, Discover Financial Services, JCB International, and American Express along with the Payment Card Industry (PCI) Security Standards Council set standards for keeping data secure by any company that processed credit cards. These standards are referred to as Data Security Standards (DSS) and they apply to companies that process face-to-face transactions as well as eCommerce businesses.
The goal of PCI DSS is to securely handle the payment information of buyers from the major credit card companies so that everyone can maintain trust in the credit card processing system.
The standards address six broad data security goals and break them down into 12 requirements. These requirements create more than 250 separate rules that businesses holding payment card information will need to follow.
Is PCI Compliance for eCommerce Sites Mandatory?
Yes, every company that accepts credit card payments must prove its compliance in one of two ways: by completing a Self-Assessment Questionnaire or by undergoing an assessment by a Qualified Security Assessor. It doesn’t matter if you take credit cards over the internet, over the phone, or in card-present transactions. Every company that wants to accept debit or credit cards for payment must comply.
PCI DSS compliance levels
Your compliance level is determined by the number of credit card transactions you process a year, not the dollar value of the transactions. So, a company that processes just a few high dollar sales must comply at the same level as a company that processes 10,000 transactions.
Within the levels, you have different compliance requirements depending on how payments are accepted. The requirements for face-to-face, card-present transactions are different than the requirements for PCI-compliant eCommerce. However, when it comes to determining your compliance level, transaction counts are aggregated across all channels.
Level 1 compliance
This is the highest compliance level and applies to companies that process more than six million credit or debit card transactions annually. You must undergo an internal audit once a year that is conducted by an authorized PCI auditor. In addition, an Approved Scanning Vendor (ASV) must conduct a quarterly PCI scan.
Level 2 compliance
This level of compliance applies to companies that process between one and six million credit or debit card transactions each year. These companies must complete a compliance assessment annually using a Self-Assessment Questionnaire (SAQ). They may also be required to perform a quarterly PCI scan.
Level 3 compliance
Companies that process between 20,000 and one million eCommerce transactions each year fall into the Level 3 compliance category. They must complete a yearly compliance assessment using a SAQ. These companies may also be required to undergo a PCI scan once a quarter.
Level 4 compliance
The lowest level of compliance applies to companies that process fewer than 20,000 eCommerce transactions or fewer than one million card-present transactions each year. These companies may perform a self-assessment once a year using a SAQ. A quarterly PCI scan may also be required.
What’s New? PCI DSS v4.0 Changes
March 31, 2022, marked a major change in eCommerce PCI DSS compliance. It took three years and input from thousands of companies, but the new compliance standard addresses emerging threats and technologies while recognizing that the security environment has changed.
One thing hasn’t changed: the serious security considerations you face if you store credit card data. So, you’ll always want to start your compliance considerations with whether or not you want to store your customers’ credit card data.
Storing credit card data instantly requires your business to validate against more than 250 data security requirements. If you rely on a credit card processing company such as Fiserv (formerly First Data), it is the processor’s duty to secure the credit card data. It is your company’s duty to make sure you do not store, process, or transmit any cardholder data on your own systems or servers.
How Are PCI Compliance Requirements Categorized and Implemented?
While there are literally hundreds of PCI DSS requirements, eCommerce PCI compliance rules can be classified into three main subgroups:
- Infrastructure. To be compliant, the infrastructure must be secure enough to store cardholder data. That means it is protected by a firewall and by antivirus and anti-malware protection. In addition, no vendor-supplied defaults are left in place on the machines, and physical and virtual access to the infrastructure is secured, monitored, and logged. If remote access is employed, that access must be encrypted.
- Applications. The applications used must be hosted on a compliant infrastructure and built in a way that complies with all the requirements. For example, Oro-built applications comply with PCI requirements from the start because they are built with PCI DSS compliance in mind. No matter how transactions are processed by applications, every step that handles cardholder data must be encrypted and secured, especially when any data may be transmitted over open or public networks.
- Policies and procedures. To be PCI compliant, you must create clear information security policies and procedures covering deployment, working with data, access management, and general data handling. You must also ensure appropriate staff training and regularly test and monitor security systems and processes. This includes managing access to the data with extreme care: using unique IDs with two-factor authentication, granting access only on a need-to-know basis, and allowing only trained personnel to access sensitive data.
In addition, when integrating your systems with external providers or implementing new solutions, it’s best to choose those compliant with PCI DSS from the start. Otherwise, your compliance work becomes even more complex as you must follow the many additional security requirements related to integration.
How Are Responsibilities Shared for B2B eCommerce Applications?
When you deploy your B2B eCommerce solution on-premise, you take on almost all responsibility for PCI DSS compliance. If you are just getting started with B2B eCommerce, this might seem like an overwhelming task. When you deploy your B2B eCommerce solution in the OroCloud or a private or public cloud, you will share some of the responsibility for PCI DSS compliance.
PCI DSS Compliance in the OroCloud
For those getting started or with limited IT resources, using cloud-based eCommerce allows you to share some of the responsibility for PCI DSS compliance that is related to the eCommerce channel. For example, if OroCommerce or OroMarketplace products are deployed in the OroCloud infrastructure, your business receives a PCI DSS-compliant eCommerce solution with minimal commitment to security on your part. This means that you will get a secure and PCI-compliant infrastructure and will only have to take care of the procedural controls, internal employee training, and policies relating to data security. In moving hosting to the OroCloud, you move over the headaches of PCI DSS compliance.
PCI DSS Compliance in Other Clouds
OroCommerce and OroMarketplace deployed in a non-OroCloud infrastructure still meet the application requirements of PCI DSS for eCommerce, so you don’t need to worry about the standards related to applications. However, you will still be responsible for compliance with the security standards for infrastructure, network security, procedures, and policies, as well as staff training. Depending on whether you host in a public Cloud or a private Cloud, the Cloud provider/operator may cover some of the compliance work and responsibilities. PCI DSS compliance is an important consideration when selecting a Cloud to host your eCommerce store, so be sure to include it in your evaluation process.
PCI DSS Compliance On-Premise
When you deploy your OroCommerce or OroMarketplace instance on-premise, you take on most of the responsibility for PCI DSS eCommerce compliance. OroCommerce and OroMarketplace provide you with secure, PCI DSS-compliant applications. You have the tools necessary to restrict access, record data access, and create unique user identification codes. However, it is up to the integration partner or developer to turn these features on and implement them accordingly.
Simplified PCI DSS Shared Responsibility Matrix for Oro Products
Sometimes a picture is worth 1,000 words. In the case of PCI DSS compliance, a simple chart can save thousands of dollars in fines.
To help you determine the aspects of your B2B eCommerce infrastructure where you should focus your attention and which aspects of compliance Oro covers through Oro products and the OroCloud, we created this chart as a visual aid.
In the far left column, you’ll find each of the 12 main PCI DSS requirements. In the adjacent columns, you’ll see how responsibility is shared in OroCloud-hosted environments and on-premise hosted or other-Cloud hosted environments.
The “+” symbol indicates that the Oro product and the OroCloud are responsible for this requirement and conform to it;
The “-” symbol indicates that with this particular configuration, the Oro product and the OroCloud are not responsible for conformity with this requirement. You retain responsibility for compliance and as such, it is your responsibility to ensure that your infrastructure meets all security requirements.
Where “+/-” is indicated, responsibility is shared. The Oro product and/or OroCloud deployment conforms to the requirement, but there are areas and/or processes that require security by your company.
| # | PCI DSS Requirements | OroCloud-hosted OroCommerce and OroMarketplace PaaS solution | OroCommerce or OroMarketplace on-premise or hosted on a private Cloud |
|---|---|---|---|
| 1 | Install and maintain a firewall configuration that protects cardholder data. | + | - |
| 2 | Do not use vendor-supplied defaults for system passwords and other security parameters. | + | - |
| 3 | Protect stored cardholder data.** | + | +/- |
| 4 | Encrypt transmission of cardholder data across open, public networks. | + | - |
| 5 | Use and regularly update antivirus software.* | +/- | - |
| 6 | Develop and maintain secure systems and applications. | + | + |
| 7 | Restrict access to cardholder data by business need-to-know.** | +/- | +/- |
| 8 | Assign a unique ID to each person with computer access to the data.*** | +/- | +/- |
| 9 | Restrict physical access to cardholder data. | + | - |
| 10 | Track and monitor all access to network resources and cardholder data.** | + | +/- |
| 11 | Regularly test security systems and processes. | +/- | - |
| 12 | Maintain a policy that addresses information security. | +/- | - |
* For this requirement, Oro is compliant on its part of the OroCommerce and/or OroMarketplace application security. The Client retains responsibility for keeping the equipment and applications they are using up-to-date and secure.
** OroCommerce and OroMarketplace implemented on OroCloud provide all the necessary tools to track and monitor the individuals that access the network as well as cardholder data.
*** Oro does not automatically restrict access or assign unique IDs to the users. OroCommerce and OroMarketplace provide the functionality and tools necessary for the Client to enable this function to fit their needs.
Complying with PCI DSS requirements is much more than just a mere formality. By touting your compliance, you show your customers you care about the security of their data. This promotes loyalty and trust among potential and existing clients. In addition, it’s something your peers and competitors are already doing.
Your eCommerce PCI Compliance Checklist
Still find the 12 high-level requirements, six control objectives, and 250+ standards confusing and not sure where to start? Take a deep breath and use this checklist to plan your v4.0 compliance effort. If you do not store cardholder data or you use an OroCloud deployment, you’ll be pleased to discover how much of the work has already been done for you.
- Determine which compliance level applies to your company.
- Map the flow and lifecycle of cardholder data within your company and your systems as well as with your partners and third-party vendors.
- Create protocols, policies, and processes for security and compliance and keep them current.
- Appoint a Data Protection Officer and define accountability for security and compliance in your company.
- Identify those with access to data and create access controls for both personnel and vendors.
- Complete compliance training for all personnel.
- Perform security systems tests regularly.
- Create a response plan to be executed in the case of a data breach.
- If you store cardholder data, regularly conduct an external security audit to verify the points of access to the data.
- Create and then enforce physical and technical security safeguards.
The time and cost associated with PCI DSS compliance will depend on the size of your company, the number of transactions you process, and your existing commitment to security.
Companies that already have a security culture, where management is invested and committed to high levels of security will find that compliance is less stressful than companies where data security is an afterthought. Using a third-party payment processor to handle and store cardholder data also simplifies compliance responsibilities. Hosting on a PCI DSS compliant Cloud also simplifies compliance.
Achieving PCI Compliance
The PCI Security Standards Council’s Self-Assessment Questionnaire is a great place to start your quest to achieve and maintain PCI compliance.
You can download the Self-Assessment Questionnaire for each of your channels (remember you must comply with rules for your eCommerce, phone sales, and face-to-face sales channels separately) to determine your current compliance level.
The Importance of Your eCommerce Platform
For companies using B2B eCommerce with completely outsourced payment processing, the PCI DSS requirements that refer to the cardholder data environment still apply to your website, because it provides customers with the URL of the third party’s payment page or form. Because your eCommerce website affects how account data is transmitted, even though the website itself never receives account data, it’s vital to pick an eCommerce platform designed for PCI DSS compliance. PCI DSS application compliance should be one of the criteria used to evaluate your options when selecting your eCommerce platform.
The Importance of Your Integration Partner
When building your eCommerce solution, it’s not enough to select a platform that is built with PCI DSS compliance in mind. You need to work with integration partners that understand the need for data security and the applicable PCI DSS requirements as data flows throughout your applications.
You’ll also want a partner that can help you determine if on-premise deployment is worth the additional security necessary to maintain eCommerce PCI DSS compliance.
If you decide to host off-premise, your integration partner can help you assess hosting alternatives as well. If you opt for cloud deployment, it’s important to select a cloud provider that is ready to help you with PCI DSS compliance.
OroCommerce and OroMarketplace enjoy a large community of qualified integration partners with many successful projects completed. If you need assistance with partner selection, reach out to us.
PCI DSS continues to evolve and change as the need for data security becomes even stronger. When you engage in eCommerce, you take on responsibility for your customer data. Even when data is not stored on your equipment, you are responsible for ensuring it is secure.
When you start by selecting an eCommerce platform that is built from the ground up for PCI DSS compliance, you simplify an already complex regulatory structure. The application should provide data security and offer the tools you need to secure, log, and restrict access.
Working with partners who understand PCI DSS compliance ensures you get off to a good start.
PCI DSS compliance should be a part of every decision made regarding your B2B eCommerce channel. From offering secure products like OroCommerce and OroMarketplace to making available the PCI DSS compliant OroCloud, Oro is committed to helping you maintain compliance.
Questions and Answers
Do I need to be PCI compliant?
Yes. If your company takes credit cards, whether in person, by phone, or through eCommerce channels, you must be PCI DSS compliant. In addition, you must be in compliance with every sales channel you operate.
What is the fine for failure to comply?
Monetary fines for noncompliance are steep. The penalty starts at $5,000 per month and can go as high as $100,000 per month depending on how long the non-compliance lasts. The fines are associated with compliance violations and not data breaches.
What are the 4 PCI DSS Levels?
There are 4 levels of PCI DSS compliance. The levels are based on the number and types of transactions your company processes each year. Level 1 is the highest level and it includes companies that process over 6 million transactions or have had a data breach. Level 2 companies process between 1 million and 6 million transactions each year. Level 3 companies process between 20,000 and 1 million transactions each year. Level 4 is the minimum compliance level and is for companies that process fewer than 20,000 transactions each year.
What is website PCI compliance?
PCI DSS compliance for a website means that the application itself is secure. In addition, the infrastructure that contains the application must be secure. And finally, all processes associated with the website application must be secure. Even if you don’t store credit card information, your website, infrastructure, and applications must all still be secure to meet the standards for website PCI compliance.