What PCI Compliance is and how it affects you

The Payment Card Industry (PCI), which consists of the branded card schemes like Visa and MasterCard, came together in around 2003/2004 to formulate a set of standards that merchants who process credit/debit card payments must follow. Formally called the Data Security Standard (DSS), these standards are commonly known as 'PCI Compliance'.

Being PCI-DSS compliant is mandatory for anyone processing card payments, no matter what volume you process or how you process those payments (whether it's through a website or using a chip and pin machine).

If you operate an ecommerce website that handles card information, you'll therefore need to ensure that both your website and your processes are PCI compliant.

PCI Compliance is a complicated topic. You'll need to speak directly with your merchant account/payment gateway provider to find out from them exactly what they require you to do in order to prove to them that you are PCI compliant.

Unfortunately, members of our team are not qualified to offer you advice about PCI compliance.


Website scan

The amount of work you need to put in to be PCI compliant depends on what payment gateway you choose.

Many payment gateways, like SagePay or WorldPay, offer integrations that take your customer from your website to their own website to enter their card information. This means that your customers are not entering card information onto your website and therefore your website is, in theory, excluded from the necessity to be PCI compliant.

For some payment gateways, like some WorldPay integration types or Realex, the customer stays on your website to enter their card information. This means that your own website will need to be PCI compliant.

If your website needs to be PCI compliant, your payment gateway will likely ask you to conduct a scan of your website (using a specialist company known as an Approved Scanning Vendor) to prove that it applies the PCI Data Security Standards (i.e. it is a secure website that isn't vulnerable to attacks that aim to gain card information). Your payment gateway provider will, on request, be able to provide you with a list of Approved Scanning Vendors. You'll then need to choose one of these, purchase a 'scan' and send the results to your payment gateway.

Some payment gateways, like PayPal Powered by Braintree or Stripe, remove the need for a website scan. Whilst the customer stays on your website to enter their card information, the integration of our platform with their systems is done in such a way that your website never 'sees' the card information entered by your customer.


PCI self-assessment questionnaire

In most cases, you'll also need to complete a self-assessment questionnaire, issued by the PCI Security Standards Council, that asks a range of questions about how you handle your customers' card information and what steps you take to protect this data.

Even if you, or your website, never 'sees' card information you'll still need to complete the questionnaire.

Many payment gateways will assist you with the questionnaire and some of them, like Stripe, will provide you with an already completed questionnaire.


Our platform

Our platform is built to ensure that all websites hosted on it are automatically PCI compliant. This means that any scan of the website conducted by an Approved Scanning Vendor is guaranteed to pass. In the unlikely event that the scan doesn't pass, simply send the scan results to us and we'll take a look and fix any problems that it displays.

Unfortunately, aside from fixing any problems displayed by a scan, our support team are unable to help you with any other aspects of the PCI compliance process - you must contact your payment gateway/merchant account provider for support and assistance.