The new PCI Data Security Standard became a requirement in April 2015. The standard, entitled PCI DSS 3.1, requires site owners to ensure that any payments they process are handled in a secure fashion. There was considerable confusion about the new rules when the standard was announced, and even today, several months after the rules came into effect, some webmasters are still unsure whether they need to be ‘PCI compliant’ and whether their current set-up meets the rules.
Who Needs to be PCI Compliant?
If you take payments via your website, then you will need to be PCI compliant. However, there are different tiers of compliance depending on whether you accept the payments yourself or use a third-party payment processor, and this is where much of the confusion arises. If you handle the payments yourself end to end, then the SAQ D rules apply, which are exhaustive and complex. Most SMEs will, however, fall under SAQ A or SAQ A-EP, because they use a third-party payment processor.
Which of these standards applies to you depends on how you have integrated the third party’s payment processing technology with your website. You may need to make some small changes to your site to ensure full compliance. The good news is that Stripe and other popular payment processors have published guidance that will help you bring your site in line with the rules.
SAQ A vs SAQ A-EP
The SAQ A questionnaire is aimed at anyone using SaaS ecommerce platforms such as BigCommerce and Shopify, who redirect their customers to payment pages hosted by the processing company, or who use an iframe hosted by the payment processor. SAQ A requires only a handful of simple security measures, so if this sounds like your website, there is a good chance that you are already compliant. If you use Stripe’s Checkout system, then SAQ A applies to you.
SAQ A-EP is aimed at businesses that host their own payment forms and pass the card details straight to their payment processor from the customer’s browser, without the data ever passing through their own servers. If you use technology such as Stripe.js, then this probably applies to you and you will need to fill out SAQ A-EP. You may also need to make a couple of small updates to your site. Stripe offers guidance on the new directives for Stripe.js. The change is as simple as updating your Content Security Policy (CSP) so that the browser is allowed to load the processor’s script and talk to the processor’s servers while everything else stays locked down, and it shouldn’t be too challenging for an experienced web developer.
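As an added example that is not part of the original article or of Stripe’s own guidance, the Node.js snippet below parses a Content-Security-Policy header value and reports whether it permits the origins a hosted-form integration in the style of Stripe.js needs, while still flagging a policy that has been loosened too far (wildcards or inline scripts in script-src). The Stripe hostnames (js.stripe.com, hooks.stripe.com, api.stripe.com) and the directive-to-host mapping are assumptions taken from Stripe’s published CSP guidance, not from this page; check them against the processor’s current documentation before relying on them. The two sample policies are constructed for the example.

```javascript
// Added example, not code from the article or from Stripe.
// Checks a CSP header value against the origins a Stripe.js-style integration needs.

// ASSUMPTION: these hosts/directives follow Stripe's published CSP guidance as the
// author of this example understands it; verify against current processor docs.
const REQUIRED_ORIGINS = {
  "script-src": ["https://js.stripe.com"],
  "frame-src": ["https://js.stripe.com", "https://hooks.stripe.com"],
  "connect-src": ["https://api.stripe.com"],
};

// Parse "directive src src; directive src" into a Map of directive -> [sources].
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy.set(directive.toLowerCase(), sources);
  }
  return policy;
}

// Resolve the sources that actually govern a directive, applying CSP fallback:
// frame-src falls back to child-src, and everything falls back to default-src.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (directive === "frame-src" && policy.has("child-src")) return policy.get("child-src");
  return policy.get("default-src") || [];
}

// True if the source list permits the given origin (exact host, any-host wildcard,
// or a bare https: scheme source). Host wildcards like https://*.example are not modelled.
function allowsOrigin(sources, origin) {
  return sources.some((s) => s === origin || s === "*" || s === "https:");
}

// Returns a list of human-readable problems; an empty list means the policy both
// lets the hosted form work and keeps script-src tight.
function checkPolicy(header) {
  const policy = parseCsp(header);
  const problems = [];
  for (const [directive, origins] of Object.entries(REQUIRED_ORIGINS)) {
    const sources = effectiveSources(policy, directive);
    for (const origin of origins) {
      if (!allowsOrigin(sources, origin)) {
        problems.push(`${directive} does not allow ${origin}`);
      }
    }
  }
  const scripts = effectiveSources(policy, "script-src");
  if (scripts.includes("'unsafe-inline'") || scripts.includes("*") || scripts.includes("https:")) {
    problems.push("script-src permits inline or wildcard scripts; the policy no longer limits script sources");
  }
  return problems;
}

// Constructed sample policies for the example.
// Too strict: locks everything to 'self', so the processor's script, frames and API calls are blocked.
const TOO_STRICT_CSP = "default-src 'self'";
// Too loose: lets the form work but allows any script from anywhere, including inline.
const TOO_LOOSE_CSP = "default-src 'self'; script-src * 'unsafe-inline'; frame-src *; connect-src *";
// Corrected: opens only the directives and origins the integration needs.
const CORRECTED_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://js.stripe.com; " +
  "frame-src https://js.stripe.com https://hooks.stripe.com; " +
  "connect-src 'self' https://api.stripe.com";

for (const [name, csp] of [["too strict", TOO_STRICT_CSP], ["too loose", TOO_LOOSE_CSP], ["corrected", CORRECTED_CSP]]) {
  const problems = checkPolicy(csp);
  console.log(`${name}: ${problems.length === 0 ? "OK" : problems.join("; ")}`);
}
```

The useful property of the checker is the fallback handling: a policy that sets only default-src looks tight but silently governs frame-src and connect-src too, which is exactly why a hosted form that worked without a CSP breaks the moment a strict one is added. Run the check in a deploy step against the header your server actually emits rather than against the value in a config file.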
For more assistance with your PCI compliance requirements, and to make sure you’re covered, get in touch and request a free audit.