Back to blog home

What You Need to Know about PCI

This blog post was originally posted by Chargify in 2011. We have updated it to include PCI changes in 2015.

—- Who and What is PCI?—-

PCI” is a term that’s coming up more and more as banks and credit card processors get more serious about credit card data security.

We completed our first PCI Level 1 audit in 2011. Here are some things we learned that may help you achieve compliance for your business.

Sorry this post got so long, but it’s worth reading and it’s a lot shorter than trying to figure all of this out from scratch!

The acronym “PCI” stands for “Payment Card Industry.” The full name of the organization is “The PCI Security Standards Council,” which is an organization founded by American Express, Discover, JCB International, MasterCard, and Visa. Their website is here.

For the sake of brevity, I’ll refer to the organization and their various standards simply as “PCI” in this post.

—- Do You Need to Comply with PCI Standards?—-

Everyone who accepts credit cards must be compliant with PCI data security standards. But the process of validating your company’s compliance varies widely, from easy to hard, depending on your type & size of business.

—- The PCI-DSS Standard—-

PCI defined a number of security standards, but the one that’s relevant for Chargify and our merchants is called “PCI-DSS,” which stands for “PCI Data Security Standard.”

PCI-DSS covers various things about your business, like:

  • Handling of data by your computer systems.
  • Separation of program execution and data storage.
  • Guarding against employee theft of data.
  • Guarding against internet-based intrusions.
  • Proper disposal of hard drives.
  • Tracking of human access to hardware.
  • Ensuring that software developers cannot directly change production systems without management oversight.
  • And much more.

If you’d like to read the actual PCI-DSS specifications, they are available here (you’ll see a list of documents… click on the newest one that’s named “PCI DSS”… for instance, as of May, 2015, the newest one is called “PCI DSS v3.1″… unlike in years past, you now must do a click-through agreement before you can get the actual document… otherwise, we would have just linked to it directly).

If you’re a small or medium-sized business that uses something like Chargify for all functions where credit card data is involved, then you won’t need to read the actual PCI-DSS specification. You’ll just need to do a self-assessment. Read on…

—- PCI Levels—-

PCI divides merchants into 4 Levels.

Level 1

  • Chargify is this level.Chargify-2015-PCI-Certificate
  • More than 6,000,000 Visa or MasterCard transactions per year.
  • More than 2,500,000 American Express transactions per year.
  • Any merchant that Visa or MasterCard determines should meet the Level 1 merchant requirements to minimize risk to the system.
  • Any MasterCard merchant who had account data compromised in the previous year.
  • Any entity that handles credit card data and/or provides card processing services on behalf of other merchants. This is the part that required Chargify to go straight to Level 1 even in our very early years.

Level 2

  • 1,000,000 to 6,000,000 Visa or MasterCard transactions per year.
  • 50,000 and 2,500,000 American Express transactions per year.

Level 3

  • 20,000 to 1,000,000 Visa or MasterCard transactions per year.
  • 50,000 American Express transactions per year.

Level 4

  • Fewer than 20,000 Visa or MasterCard transactions per year.
  • Note: American Express does not use level 4.

—- What Does My PCI Level Mean for Me?—-

Look at the requirements above and see which PCI Level is right for your business.

  • If you’re Level 1 or 2, then you need to hire an auditor to verify your compliance with the PCI-DSS Standard.
  • If you’re Level 3 or 4, then you can do your own Self-Assessment of compliance. No auditors. But as of 2015, there is a new wrinkle. Surmountable, but a wrinkle. Please see below.

If you fall into Level 1 or Level 2, you should expect a fair amount of work to pass your audit. The audits do get easier in subsequent years, simply because you’re more prepared. Back in 2011, it took Chargify and our parent company, Grasshopper, nine months to get through our first Level 1 full audit. Subsequent years have been much better, especially because we have a great ops team!

The PCI people are not trying to shut down small merchants, but they do want you to figure out if you meet the PCI-DSS security requirements, and they really don’t want card data in more hands than absolutely necessary.

If you’re a small/medium business and you rely on someone like Chargify for all of your credit card data-handling operations, then your life is a lot easier. You can self-assess.

—- Self-Assessment for Merchants in Levels 3 & 4—-

While Chargify does support some very large businesses today, most of our merchants are small in the eyes of PCI.

PCI has developed a set of Self-Assessment Questionnaires that can be used by Level 3 and Level 4 merchants. These questionnaires are referred to as “SAQs”. They help you figure out if you’re compliant with the PCI-DSS standards.

As of May, 2015, there are 5 different SAQ forms:

SAQ A

Applies if: All cardholder data functions are outsourced to someone like Chargify. You have no electronic storage, no processing, no transmission of cardholder data, no web pages hosted by you that even “kind of” touch credit card data (see below for what “kind of” means).

Comments:

  • This is the proper questionnaire for merchants who use Chargify-hosted pages for all collection and updating of consumer’ card data. You can use our consumer signup pages, card update pages, and consumer self-service Portal.
  • You will be asked to confirm that Chargify is PCI compliant, and you can do this by checking our Certificate of Compliance, located here.
  • This is not the proper questionnaire if you collect card data on your own SSL-secure web page and then transmit the data to Chargify via our API. In 2015, you want to avoid doing this unless you are okay with annual PCI audits.
  • This is not the proper questionnaire if you collect card data using a “transparent redirect” function such as Chargify Direct, or if you use a JavaScript “drop-in” library from some payment gateways, where you host your own forms but all credit card data passes directly from consumers to Chargify servers. These methods are what we call “kind of” touching credit card data. See SAQ A-EP, below.

SAQ A-EP

Applies if: You are a merchant that partially outsouces everything credit card -related to a company like Chargify. Regarding the meaning of “partially”, here’s a summary from the SAQ A-EP document itself, “This SAQ has been created to address requirements applicable to e-commerce merchants with a website(s) that does not itself receive cardholder data but which does affect the security of the payment transaction and/or the integrity of the page that accepts the consumer’s cardholder data.”

Comments:

  • This is the proper questionnaire for merchants who “kind of” touch credit card data with their own web pages… those who use a “transparent redirect” function such as Chargify Direct, or those who use a JavaScript “drop-in” library from some payment gateways, where you host your own consumer-facing forms but all credit card data passes directly from consumers to Chargify servers.
  • You will be asked to confirm that Chargify is PCI compliant, and you can do this by checking our Certificate of Compliance, located here.

SAQ B

Applies if: Merchant only uses physical card imprint machines or stand-alone dial-out terminals. No electronic cardholder data storage.

Comments:

  • No internet connection with regard to card data, which pretty much eliminates all Chargify merchants.

SAQ C

Applies if: Payment application connected to the Internet. No electronic cardholder data storage.

Comments:

  • This is the proper questionnaire if you collect card data on your own SSL-secure web page and then transmit the data to Chargify via our API.
  • This questionnaire is pretty hard to fulfill. It covers a lot of things that most of our merchants won’t have any control over, especially if they use cloud-based services for hosting and other functions.

Many companies are out of compliance here. They are doing what they think is okay (and was okay until 2010). They’re using an SSL-secure web page to collect and display credit card data, and they’re transmitting that data to their payment gateway or to Chargify via API calls. Unless you want to pay for an annual PCI audit, this path stopped being a reasonable path years ago.

SAQ D

Applies if: All other merchants not covered above, and service providers.

Comments:

  • This questionnaire applies to oddball merchants, and to companies like Chargify, that provide services to others.

—- Where Do You Get the SAQ Forms?—-

Download the SAQ forms directly from the PCI site.

—- Completing & Submitting Your SAQ Form—-

Here’s a quick rundown of the SAQ sections and some tips along the way:

  • Part 1a is your business info. Pretty easy.
  • Part 1b is your “assessor” info. This only applies if you need to hire an outside PCI company to asses your progress on fixing items of non-compliance. You should not need an assessor if you pass the first set of questions in Section 2b (basic eligibility questions).
  • If you get through Section 2b (basic eligibility) okay, then you’re “compliant” and you don’t need to fill out Section 4.
  • Of course, if you didn’t pass Section 2b, then you’ve got a bit more work ahead on Section 4.
  • Section 3 is easy stuff, like your signature.
  • Section 4 is your “Action Plan for Non-Compliant Status” and contains a lot of questions, plus other sections after it that you’ll have to fill out.

When you’re done, you’re supposed to submit your completed SAQ to your “acquirer”, which is the the bank where you have your credit card “merchant account”. This is not your regular checking account. It’s the special “merchant account” that you got so you can process credit cards. Sometimes it comes bundled with your credit card payment gateway.

If you don’t know where to send your completed SAQ form, try to contact whoever got you your payment gateway or merchant account, or a reseller who may have sold you both.

Sometimes, your merchant account provider will ask for your SAQ, so it will be clear who needs it.

—- More Info & Links—-

For details regarding the Visa PCI Level criteria & validation requirements, please look here.

For details regarding the MasterCard PCI Level criteria & validation requirements, please look here.

For details regarding the American Express PCI Level criteria & validation requirements, please look here.