PCI Compliance, Who’s Responsible?

What’s PCI DSS Compliance?

PCI DSS is an acronym for Payment Card Industry Data Security Standard. The standard is made up of technical and operational requirements that help to protect cardholder data and reduce fraudulent transactions. These requirements apply to everyone who stores, processes, or transmits cardholder data. The council responsible for the standard is supported by the world's leading credit card companies.

Why is it important that you are compliant?

Compliance is not a legal requirement in the UK; it is a security standard. However, credit/debit card details are also personal data, which falls under the Data Protection Act and/or GDPR.

If you are found to be in breach of PCI DSS, your business could be fined. These fines are issued by payment providers and are enforced through the contracts between you (the merchant), the banks, and the payment brands. They can range from $5,000 to $100,000 per month for each month of non-compliance.

In addition to this, if there is a card data breach the ICO (Information Commissioner's Office) will consider whether the merchant was PCI compliant, and this will have an impact on the potential penalties. The fines issued can be huge depending on the scale of the breach and work on two tiers.

Standard – up to 2% of the total global turnover or €10,000,000 whichever is higher.

Higher – up to 4% of the total global turnover or €20,000,000 whichever is higher.

Levels of compliance

There are different levels of compliance; it is not a one-size-fits-all approach.

  • Level 1 — this applies to businesses that process more than six million card transactions a year
  • Level 2 — this applies to businesses that process more than one million but less than six million transactions a year
  • Level 3 — this applies to businesses that process more than 20,000 but less than one million transactions a year
  • Level 4 — this applies to businesses that process less than 20,000 transactions a year

Level 1 is the most strict with regard to the requirements; level 4 is the least strict.

For levels 2-4, merchants can submit a self-assessment questionnaire (SAQ), whilst level 1 merchants need to go through an assessment by a Qualified Security Assessor.

How does Magento help to obtain compliance?

Magento Commerce Cloud is PCI certified as a Level 1 Solution Provider. All merchants using Commerce Cloud can use Magento's PCI Attestation to help them through their own PCI certification process.

Using integrated payment gateways that rely on either a direct post or hosted payment forms integrated into the checkout helps to reduce your requirements, because all card details are kept outside of the Magento platform. This means that most merchants can validate their compliance by completing a self-assessment at the SAQ A or SAQ A-EP level rather than the more complex SAQ D.

As part of the Commerce Cloud product, Magento provides a WAF powered by Fastly. The WAF ensures that all storefronts in production environments meet the PCI DSS 6.6 security requirements.

Interested in other security features implemented by Magento? Take a look at magento.com/trust/security

Will my agency sort this out?

Ultimately not; from a legal perspective this falls on you as the merchant. Naturally, during a working relationship, it is not uncommon for the conversation around PCI compliance to come up. In fact, if it wasn't raised by our client, we would raise it. We take an advisory approach to best practices, but always advise that you also speak to your bank and/or merchant account provider to ensure compliance.

How can you avoid fines and penalties?

The best way to avoid fines is to make sure you are compliant. This means following every item on the PCI DSS Checklist.