PCI-DSS Basics: What Every E-commerce Business Must Know

Why E-commerce Businesses Must Care About PCI-DSS

If your business accepts, processes, or stores credit card information, you must comply with the Payment Card Industry Data Security Standard (PCI-DSS). This isn't optional—it's a contractual requirement from credit card brands (Visa, Mastercard, American Express, Discover). Non-compliance can result in fines up to $100,000 per month, plus liability for fraud losses.

For e-commerce businesses, understanding PCI-DSS is critical. The good news is that modern payment platforms can handle much of the compliance burden, but you need to understand what's required and make informed choices about your payment infrastructure.

Understanding PCI-DSS

What is PCI-DSS?

The Payment Card Industry Data Security Standard is a set of security requirements designed to protect cardholder data. It was created by major credit card brands (Visa, Mastercard, American Express, Discover, JCB) and is managed by the PCI Security Standards Council.

Who Must Comply?

Merchants: Any business that accepts credit cards, regardless of size or transaction volume

Service Providers: Companies that process, store, or transmit cardholder data on behalf of merchants (payment gateways, hosting providers, payment processors)

Key Point: You must comply even if you never see card numbers (e.g., using a payment processor). Your compliance scope may be reduced, but requirements still apply.

What is Cardholder Data?

Primary Account Number (PAN): The credit card number (the main target of PCI-DSS)

Cardholder Name: As it appears on the card

Expiration Date: Card expiry date

Service Code: Three-digit code on magnetic stripe

Sensitive Authentication Data (SAD): Must NEVER be stored after authorization

• CVV/CVC (the 3-4 digit security code)
• Full magnetic stripe data
• PIN/PIN block

PCI-DSS Compliance Levels

Compliance requirements vary based on annual transaction volume:

Visa/Mastercard Levels

Level 1: 6+ million transactions annually

• Annual on-site security assessment by Qualified Security Assessor (QSA)
• Quarterly network scans by Approved Scanning Vendor (ASV)
• Attestation of Compliance (AOC)

Level 2: 1-6 million transactions annually

• Annual Self-Assessment Questionnaire (SAQ)
• Quarterly ASV scans
• Attestation of Compliance

Level 3: 20,000-1 million e-commerce transactions annually

• Annual SAQ
• Quarterly ASV scans
• Attestation of Compliance

Level 4: Fewer than 20,000 e-commerce transactions annually

• Annual SAQ (may be required by acquirer)
• Quarterly ASV scans (may be required by acquirer)
• Compliance validation requirements set by acquirer

Note: Most small e-commerce businesses are Level 3 or 4. Check with your payment processor for specific requirements.

The 12 PCI-DSS Requirements

PCI-DSS has 12 main requirements organized into 6 goals:

Goal 1: Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

• Deploy firewalls at network perimeters
• Restrict inbound and outbound traffic to necessary connections
• Prohibit direct public access to cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and security parameters

• Change all default passwords before deployment
• Remove unnecessary default accounts
• Disable unnecessary services and protocols

Goal 2: Protect Cardholder Data

Requirement 3: Protect stored cardholder data

• Minimize data retention (only store what's needed)
• Don't store sensitive authentication data after authorization (CVV, full track data, PIN)
• Render PAN unreadable (encryption, truncation, hashing, tokenization)

Requirement 4: Encrypt transmission of cardholder data across open, public networks

• Use strong encryption (TLS 1.2+) for cardholder data transmission
• Never send unencrypted PANs via email, messaging, or other insecure channels
• Encrypt data in transit over wireless networks

Goal 3: Maintain a Vulnerability Management Program

Requirement 5: Protect all systems against malware and regularly update anti-virus software

• Deploy anti-malware on all systems commonly affected by malware
• Keep anti-malware current and running
• Generate and review logs

Requirement 6: Develop and maintain secure systems and applications

• Apply security patches within one month of release
• Develop applications based on secure coding guidelines
• Review custom code for vulnerabilities
• Separate development, test, and production environments

Goal 4: Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

• Limit access to the minimum necessary
• Implement role-based access control (RBAC)
• Default deny all unless specifically allowed

Requirement 8: Identify and authenticate access to system components

• Assign unique ID to each person with computer access
• Implement multi-factor authentication for all access to cardholder data environment
• Use strong passwords (minimum length, complexity, history)

Requirement 9: Restrict physical access to cardholder data

• Use facility entry controls (badges, locks)
• Distinguish between visitors and employees
• Secure all physical media
• Destroy media when no longer needed

Goal 5: Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

• Log all access to cardholder data
• Log administrative actions
• Review logs daily
• Retain logs for at least one year

Requirement 11: Regularly test security systems and processes

• Conduct quarterly internal and external vulnerability scans
• Perform penetration testing at least annually
• Deploy file-integrity monitoring on critical systems
• Test wireless access points quarterly

Goal 6: Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security for all personnel

• Establish and publish security policies
• Conduct annual risk assessments
• Implement security awareness training
• Define incident response procedures
• Manage service providers that handle cardholder data

Reducing PCI-DSS Scope: The Smart Approach

The best compliance strategy is to minimize or eliminate your handling of cardholder data.

Payment Integration Methods (From Most Scope to Least)

1. Storing Card Data (Avoid This)

• Maximum PCI scope
• You handle and store credit card information
• Requires full PCI-DSS compliance across your entire infrastructure
• Extremely expensive and complex for small businesses

2. Passing Through Your Systems

• Medium PCI scope
• Cards processed through your server before reaching payment processor
• Your server and network must be PCI compliant
• Requires SAQ and possibly assessment

3. Hosted Payment Page (Redirect)

• Minimal PCI scope
• Customer redirected to payment processor's secure page
• You never touch card data
• Simplest compliance path (SAQ A)

4. Embedded Payment Form (iFrame/JavaScript)

• Very minimal PCI scope
• Payment form embedded on your site but hosted by payment processor
• Card data goes directly to processor, never touching your server
• SAQ A-EP (slightly more requirements than SAQ A)

5. Point-to-Point Encryption (P2PE)

• Minimal scope
• Card data encrypted at point of capture, decrypted only by payment processor
• You never have access to unencrypted card data
• SAQ P2PE-HW

Recommendation: For small e-commerce businesses, use options 3 or 4 to minimize compliance burden.

Self-Assessment Questionnaires (SAQ)

SAQs are compliance validation tools for merchants who don't require full assessments.

Common SAQ Types for E-commerce

SAQ A (Simplest)

• Who: E-commerce merchants who fully outsource payment processing
• Requirements: Customer redirects to third-party payment page
• Validation: Only 22 requirements to meet
• Best For: Smallest compliance burden

SAQ A-EP

• Who: E-commerce with partially outsourced payment processing
• Requirements: Embedded payment form (iFrame/JavaScript) on your site
• Validation: 163 requirements
• Best For: Better user experience than redirect while minimizing scope

SAQ D (Most Complex)

• Who: All other merchants and service providers
• Requirements: All 12 PCI-DSS requirements apply
• Validation: Full assessment of all requirements
• Best For: When you must handle card data directly (try to avoid)

Completing Your SAQ

1. Determine correct SAQ type based on your payment integration
2. Download SAQ from PCI SSC website or your payment processor
3. Answer all questions honestly about your security practices
4. Implement necessary controls for any "No" answers
5. Submit SAQ and AOC to your payment processor/acquirer
6. Schedule quarterly ASV scans (if required)

Quarterly Vulnerability Scans

Most merchants must conduct quarterly vulnerability scans by an Approved Scanning Vendor (ASV).

What ASV Scans Do

• Scan your internet-facing systems for known vulnerabilities
• Test for PCI-DSS compliance issues
• Identify misconfigurations and weaknesses
• Provide remediation guidance

Common Scan Failures

• Outdated software with known vulnerabilities
• Weak SSL/TLS configurations
• Unnecessary open ports
• Missing security headers
• Default configurations

ASV Scan Process

1. Select an ASV (many payment processors offer this service)
2. Schedule quarterly scans (every 90 days)
3. Remediate failures (fix identified vulnerabilities)
4. Rescan until passing (must achieve passing scan)
5. Submit results to payment processor/acquirer

PCI-DSS Compliance Implementation

For E-commerce Using Hosted Payment Pages (SAQ A)

Step 1: Choose Compliant Payment Processor

• Stripe, PayPal, Square, Authorize.net, etc.
• Verify they provide hosted payment pages
• Confirm they're PCI-DSS Level 1 certified

Step 2: Implement Redirect to Payment Page

• Customer redirects to processor for payment
• No card data touches your website or servers
• Processor handles all PCI compliance

Step 3: Secure Your Website

• Use HTTPS (TLS 1.2+) for entire site
• Keep CMS/e-commerce platform updated
• Use strong passwords and MFA
• Regular backups

Step 4: Complete SAQ A

• Answer 22 questions about your practices
• Sign Attestation of Compliance
• Submit to payment processor

Step 5: Annual Revalidation

• Complete SAQ A annually
• Submit updated AOC
• Maintain security practices

For E-commerce Using Embedded Forms (SAQ A-EP)

All SAQ A steps, plus:

Additional Security Requirements:

• Isolate payment page on separate server/subdomain
• Implement web application firewall (WAF)
• Regular vulnerability scans
• Secure coding practices
• Change control procedures

Additional Validation:

• Complete longer SAQ A-EP questionnaire
• Quarterly ASV scans
• Document security controls

Common PCI-DSS Mistakes

Mistake 1: Storing CVV/CVC Codes

Problem: PCI-DSS absolutely prohibits storing CVV/CVC after transaction authorization

Consequence: Automatic non-compliance, potential fines, increased fraud liability

Solution: Never store CVV; configure systems to discard after authorization

Mistake 2: Sending Card Data via Email

Problem: Email is not secure for transmitting credit card information

Consequence: PCI violation, data breach risk

Solution: Use secure payment forms, customer portals, or encrypted systems

Mistake 3: Storing Unnecessary Card Data

Problem: Retaining full card numbers when not needed

Consequence: Increased compliance scope and breach risk

Solution: Use tokenization; store only last 4 digits for reference

Mistake 4: Ignoring Third-Party Compliance

Problem: Assuming your payment processor's compliance covers you

Consequence: You're still responsible for your portion of the environment

Solution: Complete your SAQ even when using third-party processors

Mistake 5: Outdated Software

Problem: Running e-commerce platform, plugins, or server software with known vulnerabilities

Consequence: ASV scan failures, potential breach

Solution: Implement patch management; update within 30 days of security releases

Mistake 6: Weak Passwords and No MFA

Problem: Admin accounts protected only by passwords

Consequence: Unauthorized access to cardholder data environment

Solution: Implement MFA for all administrative access

Mistake 7: Missing or Incomplete SAQ

Problem: Not completing SAQ or answering dishonestly

Consequence: Non-compliance, potential fines if breach occurs

Solution: Complete SAQ accurately; implement controls for any gaps

PCI-DSS and Data Breaches

If You Experience a Breach

Immediate Actions:

1. Contain the breach
2. Notify your payment processor/acquirer immediately
3. Engage forensic investigator (PFI - PCI Forensic Investigator)
4. Preserve evidence
5. Notify affected customers and authorities as required by law

Financial Consequences:

• Forensic investigation costs ($20,000-100,000+)
• Card reissuance fees ($5-10 per card)
• Fraud losses
• PCI fines ($5,000-100,000+ per month)
• Legal costs
• Reputation damage

Compliance Consequences:

• Elevated to higher validation level
• Monthly external vulnerability scans
• More frequent assessments
• Potential loss of ability to accept credit cards

Breach Prevention

• Minimize cardholder data storage
• Use tokenization
• Encrypt all cardholder data
• Implement strong access controls
• Monitor and log all access
• Conduct regular vulnerability assessments
• Maintain incident response plan

Payment Processor Selection

Evaluation Criteria

PCI Compliance:

• Level 1 PCI-DSS certified
• Will they sign responsibility agreements?
• What SAQ will you need to complete?

Security Features:

• Tokenization included?
• Fraud detection tools
• 3D Secure support
• PCI compliance tools provided

Integration Options:

• Hosted payment pages
• Embedded forms
• API capabilities
• Platform integrations (Shopify, WooCommerce, etc.)

Support:

• PCI compliance guidance
• Technical support quality
• Documentation and resources

Cost:

• Transaction fees
• Monthly fees
• Setup costs
• Compliance tool costs

Recommended Processors for Small E-commerce

Stripe

• Excellent developer experience
• Strong security and compliance tools
• Transparent pricing
• Hosted checkout and embedded options

Square

• Simple setup
• Unified online and in-person payments
• No monthly fees
• Good for small businesses

PayPal

• Widely recognized and trusted
• Simple integration
• Fraud protection included

Authorize.net

• Established provider
• Comprehensive features
• Good support

The Bottom Line

PCI-DSS compliance is non-negotiable for e-commerce businesses, but it doesn't have to be overwhelming. The key is choosing payment integration methods that minimize your compliance scope.

For most small e-commerce businesses, using hosted payment pages (SAQ A) or embedded payment forms (SAQ A-EP) provides the best balance of user experience and compliance simplicity. These approaches reduce your compliance burden to manageable levels while still protecting your customers and your business.

Invest in choosing the right payment processor and integration method from the start. The cost and complexity of achieving full PCI-DSS compliance if you handle card data directly far exceeds the transaction fees you'll pay to a compliant payment processor.

Most importantly, treat PCI-DSS not just as a compliance checkbox but as a framework for protecting your customers' payment information—and your business's reputation.

---

Need help achieving PCI-DSS compliance for your e-commerce business? Contact SimplCyber for guidance on payment integration and compliance validation.