Are you an e-commerce platform? Here's everything you need to know about PCI compliance.
Payment fraud is one of the most prevalent challenges facing today’s e-commerce industry. In 2022, e-commerce payment fraud led to roughly $41 billion in losses globally — and by the end of 2023, these losses are projected to reach $48 billion.
To protect against losses from credit card fraud — one of the leading forms of payment fraud — following PCI compliance standards is a must for e-commerce sites, platforms, and merchants.
Today, we explore PCI compliance for e-commerce to help your business build a better strategy that safeguards not only your customers but your business reputation and revenue as well.
PCI compliance in e-commerce stems from the Payment Card Industry Data Security Standard (PCI DSS), a security standard created by the Payment Card Industry Security Standards Council. The standard was created to improve the processes and controls that protect cardholder data. The main goal of the PCI DSS is to reduce debit and credit card data loss.
The Payment Card Industry Data Security Standard (or PCI DSS for short) is a global framework for protecting cardholder data. Spearheaded by the PCI Security Standards Council (SSC), the PCI DSS aims to adapt the payments industry alongside evolving payment technologies.
Any business that handles, stores, or transmits personal and payment information from a debit or credit card is subject to PCI compliance standards.
In the e-commerce sector, the PCI DSS regulatory guidelines massively impact how e-commerce merchants can accept and process payments. The inherently digital nature of e-commerce makes the industry a focal point of the PCI DSS compliance requirements, which can complicate business operations for merchants without a strong compliance strategy.
PCI DSS applies to all businesses that handle, store, or transmit any personal or payment information from a credit or debit card. All merchants that accept credit cards as payment on their site are obligated to assess their compliance on an annual basis. The depth of assessment required varies with a given platform's transaction volume. For example, smaller merchants with fewer transactions may be able to review their compliance internally. Larger merchants, or those that process more than six million transactions per year, will likely require the assistance of a Qualified Security Assessor (QSA).
PCI compliance is a difficult subject for some to grasp. However, the PCI Security Standards Council's guidelines, called the Payment Card Industry Data Security Standard (PCI DSS), set forth the overall aims in simple terms. Meeting the 12 fundamental criteria that back them makes it more difficult for bad actors to acquire critical payment data, and is therefore an effective measure against fraud and misuse.
The PCI DSS is a security standard, not a statute in law. As such, while the PCI SSC may set these compliance standards, the council does not oversee their enforcement.
Yet, this does not mean PCI compliance goes unenforced — instead, this authority falls into the hands of acquiring banks, card brands, and payment processors. PCI compliance is generally a vital element of any credit card company’s security policy, as well as of credit card network terms.
Many big-name card brands, including Visa, MasterCard, American Express, and Discover, are not just members of the PCI SSC but also founded it in 2006 to manage the ongoing evolution of the Payment Card Industry Data Security Standard. These brands and the relevant financial service providers often oversee PCI compliance within their specific card networks and payment flows, ensuring that any transactions occurring via their network align with current PCI standards.
PCI compliance can be challenging to grasp — after all, the security standard comprises 12 key criteria, each with its unique list of requirements. For e-commerce sites and platforms, however, maintaining PCI compliance either through an in-house strategy or outsourced solution is crucial for several reasons:
Revenue: Non-compliance with PCI standards can result in massive fines and fees from an e-commerce site’s card network and financial institution. These fines are often charged monthly and can begin at $10,000 for non-compliance. If left unaddressed, non-compliance costs can skyrocket to $100,000 per month. When you pair this with the potential lost revenue from the lack of payment flexibility discussed above, non-compliance can tremendously harm an e-commerce site’s or merchant’s revenue.
In general, the compliance criteria imposed by the PCI DSS are the same for all businesses.
The most significant difference between the compliance criteria for various e-commerce businesses is which merchant category they fall under. PCI compliance features four merchant levels:
Any business dealing with card payments and cardholder data must follow the 12 key PCI compliance criteria and the relevant requirements. The following are the 12 compliance criteria, but you can also read a more in-depth breakdown in Spreedly’s comprehensive PCI Compliance Checklist.
A firewall is a piece of hardware or software that separates your internal network from the Internet. It helps protect your systems from unauthorized access and theft of data. Your systems must have a properly configured firewall to be PCI compliant.
Passwords are the first line of defense against unauthorized access to your systems. They should be strong, unique, and changed regularly.
Stored cardholder data is any data that is not actively being processed. It must be protected from unauthorized access, use, or alteration.
Transmission of cardholder data should be encrypted using strong cryptography. This helps protect the data from being intercepted by unauthorized individuals.
Antivirus software helps protect your systems from malicious software (malware) that can steal information or damage your systems. You must use up-to-date antivirus software to be PCI compliant.
Systems and applications should be developed and maintained securely so that they prevent unauthorized access to cardholder data. They should also use strong cryptography and be tested regularly.
Access to cardholder data should be restricted to authorized individuals only. These individuals should have a need to know the information in order to do their jobs.
Each individual who has access to cardholder data should be assigned a unique identifier (ID). This helps ensure that only authorized individuals have access to the data and that every interaction with it can be traced to a specific person.
Physical access to cardholder data should be restricted to authorized individuals only. This helps protect the data from being stolen or compromised.
You should track and monitor all access to your network resources and cardholder data. This will allow you to detect any possible compromise of your data.
You should regularly test your security systems and processes to ensure that they are effective. This helps prevent systems from being left at risk or ultimately compromised.
All employees and contractors should be made aware of the importance of information security. A written policy will help them understand their role in protecting cardholder data.
The above concepts are what comprise the current guidelines of PCI DSS. However, this is not all there is to compliance.
If you are looking to become PCI compliant, it is important to understand that meeting the requirements is not a one-time event. The PCI DSS is a living standard, and you must continually work to maintain compliance. This includes regularly testing your security systems and processes to ensure that they are effective. The PCI Security Standards Council also provides guidance on how to implement these concepts into your business.
If your organization can meet the 12 requirements, you should be on the right track towards becoming PCI compliant. However, it is important to note that each merchant has its own unique needs. This means that there may be additional steps you must take based on your specific situation.
In this context, the technical definition of a merchant is 'any entity that accepts payment cards with the logos of any of the five members of the Payment Card Industry Security Standards Council (PCI SSC) in return for goods or services.' Every merchant who processes payments must adhere to the guidelines; however, the level they are categorized within defines the exact parameters.
There are multiple PCI DSS merchant levels, each with its own PCI DSS compliance criteria that merchants must be aware of. For example, if you are a large e-commerce merchant that processes more than six million Visa transactions per year, you must complete an Attestation of Compliance (AoC).
The fourth major version of the standard, PCI DSS v4.0, was released in March of 2023. According to current timelines set forth by the PCI SSC, PCI DSS v3.2.1 will be officially retired as of March 31, 2024, after which all entities required to comply with PCI DSS will need to be compliant with and assessed under PCI DSS v4.0.
For e-commerce businesses to achieve cost-effective PCI compliance, finding the right solution for simplifying compliance requirements is essential.
At Spreedly, our payment orchestration solution provides Level 1 PCI compliance — the highest level possible for e-commerce businesses, platforms, and merchants. Spreedly works with the PCI SSC alongside other participating organizations to maintain a secure global payments environment.
Additionally, as many global e-commerce professionals know, other vital payment regulations (such as PSD2 in the EU) exist around the world. Adhering to these regulatory standards is a necessity for any merchant or e-commerce site hoping to take their business across borders and into new regions.
Spreedly helps simplify compliance with PSD2 by offering 3D Secure solutions that are compatible with many of the top payment gateways and payment service providers.
Chat with the Spreedly team today to find out why we are a trusted partner for your compliance needs.