Creating an E-Commerce Site? Consider PCI Early.

October 23, 2015 • Published Categories Best Practices Tags , , ,

Whenever I type in my credit card number on a website I have never been to before, or hand my card to someone at a small business, I wonder how much thought they have put into being secure and compliant. That’s why the following inquiry from a PCI Compliance Guide reader was a breath of fresh air!

“We are going to be starting an ecommerce store and I’d like some clarification on what we need to do in order to be PCI compliant. The website is built using WordPress with the <plugin name> plugin as the shopping cart feature. The customer will fill out some info but ultimately be redirected to PayPal to process the payment. So I think that makes us SAQ “A” according to the chart. We’ll be a small business merchant level 4 at least this first year. So we complete the SAQ A annually? Where is that? Then what is the attestation of compliance piece? It looks like we wouldn’t have to scan? Please clarify. Thank you!”

Kudos to this e-commerce entrepreneur for thinking about security and compliance, because there is a world of people who don’t!

Planning Ahead Reduces Security Risk

Your website’s (and customers’) security risk is dramatically lowered when you use a completely outsourced payment page like the one from PayPal.  Where the risk still lies is if a bad guy breaks into the website and replaces the link that takes customers to the PayPal page and directs them, instead, to a fake payment page, where he collects credit card number. However, this risk is very, very small, so just make sure that you are hosting your website at a reputable company and that you check it every once in a while to ensure that the link to the payment page is working as you expect.

Planning Ahead Eases PCI Burden

For an ecommerce site where the payment page is completely outsourced, which is exactly what our reader describes above, you would take the SAQ A and no scanning is required. The most important requirements are that you have a security policy and security awareness training in place.

The documents you need are on the PCI Council website:

Look for “SAQ A v3.1” and that includes an attestation section, but there is also a separate “Attestation of Compliance” document called “AOC SAQ A 3.1”.

The good news is that there are only 14 questions on the SAQ A, and no scanning or penetration test is required!

Where things can get MUCH more complicated is when you use PayPal or any other third party provider to embed their payment collection process into your page. This is referred to as direct post or direct payment.  PayPal even mentions that there is a PCI Compliance implication in their Direct Payment instructions, but they don’t elaborate. This change would mean that instead of a 14 question, SAQ A, you would be required to validate with a 139 question SAQ A-EP with quarterly scanning and annual penetration testing required.

My advice: Keep the payment page completely separate, so that the customer is always on a 100% PayPal (or other third party page) when they are entering their credit card information.

Want to learn more about how to reduce your security risk and PCI scope in e-commerce?

Subscribe to this blog for additional tips and webinar announcements.

Leave a Comment