PCI Compliance: Website Essentials for Processing Credit Cards
If you’re in the business—or want to be in the business—of selling video online, be prepared to review the requirements to process credit card payments from your site. Payment card industry (PCI) compliance is the set of security mandates that credit card companies require of merchant accounts. When you want to set up credit card payments on your site, the more your website infrastructure is part of the payment processing pipeline, the more stringent the security rules will be.
The PCI Security Standards Council was started in 2006 by five companies: American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. The PCI DSS, or Data Security Standard, has been evolving ever since. Updates to the standard are made annually, and companies that incorporate credit card payments into their websites have to comply to the new standards annually or risk losing their merchant accounts. To be clear, PCI is an industry regulation, not a federal government regulation. (PCI DSS documentation)
While it’s beyond the scope of this column to cover all the implications of PCI DSS, I’ll continue to provide an overview suitable for stakeholders in your organization. There are various levels of compliance as defined by Self-Assessment Questionnaires (SAQs). The least involved compliance is SAQ A, while the most complex compliance is SAQ D. (SAQ definitions)
Just as the term implies, a SAQ is typically performed by one or more employees of your company involved with the data exchange of credit card information; these include your web developers, database administrators, and IT network personnel. An authorized employee usually signs the SAQ and sends the document to the bank that holds your merchant account. Different SAQs require your company to have different degrees of documentation on hand in the event of a data breach and/or audit; PCI compliance is largely based on an honor system. Just because you’ve signed an SAQ and submitted it to your bank doesn’t mean you’re actually in compliance, just like submitting your taxes doesn’t guarantee you won’t get audited. And as requirements become stricter with each revision of the PCI DSS, more time and effort will be required to stay in compliance.
If you’re starting a new business that involves the monetization of video via credit card purchases online, your required PCI compliance more than likely will fall into one of these categories:
- Full redirect of payment information to an approved third party: Your website or payment portal goes directly to another website, such as PayPal or Amazon Payments, for the end user to login and submit payment. In this scenario, the third party provides your site’s service layer with an authorization token confirming that payment was made, and your site provides the product(s) to the end user. Your site and its services retain no credit card information related to the purchase. This category falls under SAQ A.
- Partial input of data or display of credit card information on your site: You don’t want the end user to leave your site entirely to fulfill payment for a purchase, and your site hosts the form for which the user inputs credit card information. This information is sent directly to a third-party processor gateway. Even though you’re not storing the critical cardholder data, your site and the payment form can still be vulnerable to hacking. This category falls under SAQ A-EP and requires, among other security mandates, that your web server hosting the form and any web service(s) responsible for token exchange(s) with the payment processor be fully locked down.
- Full input and storage of cardholder data on your site: You want to have the entire shopping and payment experience on your site. You’re still going to use a third party to process payments, but you’re storing credit card data in your own systems for recurring payments or for future transactions. This category will most likely fall under SAQ D, the most stringent of all the SAQs, and appropriate given the fact that you’re retaining all the data necessary for hackers to commit fraud. If you’re hoping to have a “tight team” or garage startup, the latest revisions to PCI DSS compliance include requirements such as having dedicated resources/personnel for pushing live updates to the your site who are not the software developer(s) who wrote the code.
For companies looking to minimize the cost and effort of PCI compliance, you’ll want to make sure your services fall into one of the first two categories. If you’re seeking to store credit card information from your end users, be prepared to spend much more time and effort to fulfill the requirements of SAQ D.
This article appears in the January/February 2016 issue of Streaming Media magazine as “PCI Compliance: A Consideration for Online Video.”
Related Articles
Ad tag waterfalling becomes much less complex in this version, and publishers gain more precise ad scheduling.
28 Aug 2014
Targeting instructional video producers and publishers, Youreeeka offers a low-cost approach to protecting and monetizing video content.
Thurs., June 11, by Troy Dreier
11 Jun 2009