PCI Compliance
For most people, the world of PCI (Payment Card Industry) is very complicated, frustrating, and extremely boring. So, in an effort to help you keep your sanity, I've put together the following information for every online business owner who has been told that they need PCI Scanning or PCI Compliance for their website, but never gets a straight answer as to what it is, why they need it, what to do about it, or how to get it. My goal here is to simplify PCI for you so that you can make a clear, educated decision and weigh your options on your terms. You won't find any other resource like this online, so be sure to bookmark it or print it out so you can easily access it again.
I should also mention that while we go to great lengths to provide you with information that is as accurate as possible, we don't make the rules, laws and/or regulations that govern PCI, and the information below may change at any time. So, if your bank or acquirer (that's one of those ambiguous words I'll define for you below) tells you something different than what is stated below, we recommend you follow their instructions. This document is for information purposes only. For the official 'migraine-inducing' documentation, go to www.pcisecuritystandards.org.
Okay, here we go... First the basics...
What are PCI, PCI DSS and PA DSS and how do they apply to me?
PCI stands for Payment Card Industry. The official name is the PCI Security Standards Council (or PCI SSC, but most people just say PCI or PCI Council). It is an organization that was founded by the five major credit card companies (American Express, Discover, JCB, MasterCard, and Visa) in order to create a uniform set of security standards for companies to follow when processing credit card transactions. Until the PCI Council was organized, each of these companies had its own standards, which were similar to each other but not uniform, and that created a lot of problems.
PCI DSS stands for Payment Card Industry Data Security Standards, which are the official security standards created by the Council to reduce payment card fraud. These standards are part of the merchant agreement that you sign when you decide to accept payment cards (credit, debit, etc.), and whether you're aware of it or not, you are ultimately financially responsible if someone steals your customers' credit cards and you're found not in compliance. Unfortunately, all of the other parties involved in helping you process credit cards have the ability to kindly pass the painful, exorbitant non-compliance fines and penalties on to you, the merchant. (Isn't that nice of them?)
In a nutshell, the purpose of PCI DSS is to create as secure an environment as possible for you to process credit cards, so the doomsday scenario above doesn't happen. The PCI Council actually has 12 main security requirements that all merchants are supposed to strive for in order to be truly PCI DSS Compliant. However, the extent to which the 12 requirements need to be met depends on the number of transactions that a company processes in a year, and merchants are separated into 4 levels accordingly. I break down the levels and PCI DSS Compliance requirements for each level below, but if you want to risk your brain exploding, you can find the full PCI DSS documentation here.
PA DSS stands for Payment Application Data Security Standards (a completely separate but related set of standards from PCI DSS above), which apply specifically to companies that develop or operate Payment Applications that online merchants (like yourself) use to process transactions, such as shopping carts. The PA DSS are in place so that your shopping cart's payment application software processes your clients' credit cards using the proper security specifications, to protect against vulnerabilities.
So, what exactly do I need to do to become PCI DSS Compliant?
As I mentioned above, the requirements for PCI DSS Compliance depend on which merchant level you fit into based on the number of transactions you process in a year. Basically, all merchants are required to do two things: quarterly PCI Scanning on all external-facing IP addresses, and a yearly Report On Compliance.
PCI Scanning (also known as PCI Security Scanning or Vulnerability Scanning) involves having a PCI ASV (Approved Scanning Vendor) scan any and all IP addresses that the public has access to that have to do with your website or the transaction process. This typically includes your website's IP address; however, if you transfer your customers to a third-party shopping cart hosted by your shopping cart provider during the checkout process, then you should include their IP address to be scanned as well.
Report On Compliance is basically a report that you submit to your acquirer (an acquirer is typically the company you initially signed up with so that you could process credit cards - this could be a third-party service provider or your actual bank, it just depends who you signed on with) to show them that you are compliant. The type of report varies depending on the merchant level you fall into.
Here's a breakdown of the 4 Merchant Levels, and what is required for PCI DSS Compliance at each level:
Level 1 is any merchant that does over 6,000,000 transactions a year. Basically you need to bring an on-site assessor called a QSA (Qualified Security Assessor) to evaluate your security and create an in-depth Report On Compliance for you. Quarterly PCI Scans are also required.
Level 2 is any merchant that does between 1,000,000 and 6,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 2 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI Scans are also required. Level 2 merchants also have an extra one-page form that takes about 5 minutes to fill out that basically states that they don't keep certain types of credit card information on file.
Level 3 is any merchant that does between 20,000 and 1,000,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 3 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI Scans are also required.
Level 4 is any merchant that does between 1 and 20,000 transactions a year. In lieu of a full Report On Compliance, the PCI Council allows Level 4 merchants to complete a Self-Assessment Questionnaire (SAQ) instead. Quarterly PCI Scans are also required.
As you can see, the requirements for Levels 2-4 are all basically the same (except the extra form for Level 2). For all three levels, you essentially need to get quarterly PCI Scans performed by an Approved Scanning Vendor (ASV) and you also need to complete an annual Self-Assessment Questionnaire (SAQ). I should also mention that your life will be much simpler and less stressful if you don't store any credit cards on your server. If you store your credit cards with your Payment Gateway Provider like Authorize.net, LinkPoint, PayPal, etc., the SAQ is a breeze. If you store credit cards on your own server, then the SAQ gets much more complicated.
Once you've completed your PCI Scan and SAQ then you submit these documents to your acquirer. If you're a Level 4 merchant, depending on your acquirer and when you signed up, you may be able to have the quarterly scan requirement waived (due to certain PCI grandfather clauses), although with the new PCI 1.2 standards implemented on October 1st, 2008 for all new merchants, more and more acquirers are requiring quarterly scans.
I'm a Level 4 Merchant and I heard that PCI Scanning was optional, is that right?
According to the new standards, if you are a Level 4 merchant that processes less than 20,000 transactions and you don't store payment card information on your server, and your shopping cart provider is PA DSS validated, then you don't necessarily need to do quarterly scans, but you will still need to fill out the annual SAQ. However, if your shopping cart provider is not PA DSS validated, then you will need to be PCI DSS Compliant and provide an annual SAQ and quarterly scans of your IP, and possibly scan your shopping cart provider's IP if the shopping cart is hosted on their server and not directly on yours. For example, here's what Bank of America states on their website... Effective October 1, 2008: PCI Level 4 merchants using third-party software are required to either use PA-DSS-validated payment applications or be PCI-DSS compliant in order to board as a new merchant with Bank of America.
What it really boils down to is your acquirer's (your merchant bank's) specific requirements, as each acquirer's requirements are different. Your acquirer has a lot of influence on what you need to provide as far as PCI DSS compliance. If you are concerned about your liability or your responsibility as a merchant, contact your acquirer and ask them what they require from you in order for you to be PCI DSS Compliant. It's important to keep in mind, though, that no matter what your acquirer does or does not recommend that you do in order to be PCI DSS compliant, you could still be financially responsible if something happened.
Is it difficult to set up PCI Scanning and complete the SAQ?
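To make the level rules and the scan/report cadence above concrete, here is a small checker written as an added example; it is not code from this page or from Trust Guard. The transaction thresholds, the Level 1 ROC versus Level 2-4 SAQ split, the Level 4 exemption (no stored card data plus a PA DSS validated cart), and the rule that a third-party hosted checkout must be scanned too are taken from the text. The 90-day "quarterly" window, the 365-day "annual" window, the handling of exact boundary counts, and every merchant record are constructed assumptions for illustration.

```python
"""Merchant-level and scan/report cadence checker (added example, not from
the original page or from Trust Guard). Thresholds and exemptions follow the
text above; the 90-day and 365-day windows, boundary handling and all sample
merchant records below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

QUARTER = timedelta(days=90)   # assumption: passing scans no more than 90 days apart
YEAR = timedelta(days=365)     # assumption: annual report no older than 365 days


def merchant_level(transactions_per_year: int) -> int:
    """Map yearly transaction volume to the merchant level described above.
    Which level an exact boundary count (e.g. 1,000,000) falls into is an
    assumption; the page only gives the ranges."""
    if transactions_per_year > 6_000_000:
        return 1
    if transactions_per_year >= 1_000_000:
        return 2
    if transactions_per_year >= 20_000:
        return 3
    return 4


@dataclass
class Merchant:
    name: str
    transactions_per_year: int
    stores_card_data: bool            # card data kept on the merchant's own server
    cart_pa_dss_validated: bool       # third-party cart is PA DSS validated
    site_host: str                    # public host of the merchant's own site
    cart_host: Optional[str] = None   # host of a third-party hosted checkout, if any
    scan_pass_dates: list = field(default_factory=list)   # dates of passing ASV scans
    report_dates: list = field(default_factory=list)      # SAQ or ROC submission dates


def required_items(m: Merchant) -> dict:
    """What the page says each level must provide."""
    level = merchant_level(m.transactions_per_year)
    report = "ROC" if level == 1 else "SAQ"   # Level 1: on-site QSA report
    # Level 4 merchants with no stored card data and a PA DSS validated cart do
    # not necessarily need quarterly scans (the acquirer has the final say).
    scans = not (level == 4 and not m.stores_card_data and m.cart_pa_dss_validated)
    return {"level": level, "report": report, "quarterly_scans": scans}


def scan_targets(m: Merchant) -> list:
    """Public-facing hosts involved in checkout: the site itself and, when the
    checkout is hosted by the cart provider, that host as well."""
    targets = [m.site_host]
    if m.cart_host and m.cart_host != m.site_host:
        targets.append(m.cart_host)
    return targets


def compliance_gaps(m: Merchant, today: date) -> list:
    """Return human-readable gaps; an empty list means nothing is overdue."""
    req = required_items(m)
    gaps = []
    if not any(timedelta(0) <= today - d <= YEAR for d in m.report_dates):
        gaps.append(f"{req['report']} missing or older than a year")
    if req["quarterly_scans"]:
        passes = sorted(d for d in m.scan_pass_dates if d <= today)
        if not passes:
            gaps.append("no passing ASV scan on record")
        else:
            if today - passes[-1] > QUARTER:
                gaps.append("last passing ASV scan older than 90 days")
            recent = [d for d in passes if today - d <= YEAR]
            for earlier, later in zip(recent, recent[1:]):
                if later - earlier > QUARTER:
                    gaps.append(f"{(later - earlier).days}-day gap between scans "
                                f"{earlier} and {later}")
    return gaps


TODAY = date(2009, 1, 15)   # constructed reference date

# Constructed sample merchants (hosts and dates are made up for illustration).
SAMPLE_MERCHANTS = [
    Merchant("shop-a", 4_500, stores_card_data=False, cart_pa_dss_validated=True,
             site_host="shop-a.example", cart_host="checkout.cart-vendor.example",
             report_dates=[date(2008, 9, 1)]),
    Merchant("shop-b", 50_000, stores_card_data=False, cart_pa_dss_validated=True,
             site_host="shop-b.example",
             scan_pass_dates=[date(2008, 3, 15), date(2008, 7, 1),
                              date(2008, 9, 20), date(2008, 12, 15)],
             report_dates=[date(2008, 3, 1)]),
    Merchant("shop-c", 7_000_000, stores_card_data=True, cart_pa_dss_validated=False,
             site_host="shop-c.example",
             scan_pass_dates=[date(2008, 11, 1)],
             report_dates=[date(2007, 12, 1)]),
]

if __name__ == "__main__":
    for m in SAMPLE_MERCHANTS:
        req = required_items(m)
        print(f"{m.name}: level {req['level']}, report {req['report']}, "
              f"scans required: {req['quarterly_scans']}, targets {scan_targets(m)}")
        for gap in compliance_gaps(m, TODAY) or ["no gaps"]:
            print("   -", gap)
```

Run as a script it lists, for each sample merchant, the level, the report type, whether quarterly scans apply, the hosts to scan, and anything overdue. The 90-day spacing check is deliberately applied to consecutive passing scans rather than to a simple count of four per year, because a merchant can have four scans and still have a long unscanned stretch; whatever window your acquirer actually enforces should replace the assumed constants.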
It all depends on which company you use. You can usually tell if you're going to have a problem if the company is very technical in their sales and marketing approach. In other words, if you can't understand what they're saying before you sign up, chances are it's not going to get any easier afterward. At Trust Guard we do everything we can to try and simplify and streamline the process by providing easy setup options and helpful guidelines to assist you throughout the process. We even have dedicated PCI support staff available in case you have any problems or need guidance in fixing a vulnerability on your server.
What is the difference between Quarterly Scanning and Daily Scanning?
Other than frequency, they're the exact same service. Quarterly scanning is just the minimum number of scans required for PCI DSS Compliance for all merchants. There are, however, two very good reasons to do daily scanning. The first reason is to make sure that your server is continually checked and protected against any new vulnerabilities that come up - I like to think of it as anti-virus software for your server. The second reason is to make your customers feel more comfortable. Think of it this way... Would you rather buy something from a website that is scanned for vulnerabilities once every three months or scanned every single day? Same with your customer. Obviously daily scanning is more expensive, but the price per scan is much lower, making it more affordable.
What do you recommend?
Here's where PCI DSS gets very interesting in my opinion, because here at Trust Guard we view PCI completely differently than any other company that offers PCI Scanning. While it is very important to have security measures in place to protect your customers, in our opinion, the true, long-term value of PCI DSS Compliance is MORE TRUST. Our motto here at Trust Guard is that Trust = Conversion, and we know, from seeing thousands of test results, that the more your customers trust you, the more likely they are to buy from you. If you consider the odds that a hacker is actually going to hack into your server or your shopping cart provider's server and steal your customers' credit cards, it's very unlikely, but that's not the point. The point is that by implementing PCI DSS, you've lowered the odds even more, and by your actions you have shown your customers that you truly care about their security, and that gives them additional peace of mind, which means more sales and more money to your bottom line.
For anyone that is serious about their online business, I recommend that, even if you're not required to be PCI DSS Compliant by your acquirer, you still become PCI DSS Compliant, because you'll get more sales and more repeat customers by having a Trust Guard Security Scanned seal on your site than without one, especially when you consider how affordable we've made it for small businesses.
Do I have to be PCI DSS Compliant in order to do PCI Scanning?
Not necessarily. If you're a Level 4 merchant (i.e., you process less than 20,000 transactions/yr.), your acquirer may or may not require PCI DSS Compliance. If they don't, you can still use our PCI Scanning service to scan your website for vulnerabilities, and display one of our Trust Guard PCI Security seals. Our seals are awarded based on successful PCI Scans, not on PCI DSS Compliance, which gives you more flexibility.
Why are your competitors so expensive?
Good question - we've asked ourselves the same thing. Our PCI Scanning services are generally more thorough (we typically scan for more vulnerabilities than the competition), and we are ASV (Approved Scanning Vendor) certified just like they are.
What can I expect once I sign up for Trust Guard PCI Scanning?
As soon as you sign up for our PCI Scanning service, you get an email with access to your Member Control Panel, where you start the verification process. One of the verification options in your control panel allows you to add your website's domain or IP address (along with additional IP addresses applicable to your website) into the system and start the PCI scanning process. As soon as the scans are complete, you will be able to review the reports and see if there are any critical vulnerabilities that need to be resolved by you, your host, or your shopping cart provider. There is also direct access in your control panel to the SAQ (Self-Assessment Questionnaire), along with helpful instructions that simplify the process so that you can complete the questionnaire as quickly and accurately as possible. As soon as your scans pass and your SAQ is complete, you simply forward them on to your acquirer. The process is very straightforward and user-friendly.
What makes Trust Guard different than everyone else?
Well, first of all, our price is almost half of our competitors', which makes it much more affordable for online businesses. Also, since we're the leading 3rd party website verification service online, we're the only company that offers both the PCI Security Scanned seal and Security Verified seal options, which means that if for some reason your website doesn't pass the more stringent PCI Security Scanned seal requirements, your site still qualifies for our Security Verified seal, which will automatically display until your site passes the necessary PCI Scanning requirements - this unique backup feature ensures that you always display a valid security seal on your site. In addition, we offer our Privacy Verified, Business Verified, and Certified seals, which perfectly complement the Security Scanned seal and are proven to further increase your conversion rate. We've also included innovative tools in your account like the Professional Privacy Policy Creator and our Built-in Split Testing, which lets you measure the exact increase in conversion that Trust Guard seals add to your site. When you throw in our exclusive 50% members discount on all additional seals and the ability to effortlessly manage multiple domains with one account, no one even comes close to the services we offer. We even give you a 60 day Double your Money Back Guarantee because we know without question that we'll increase your sales, and we even give you the tools to prove it.
Final Thoughts
In my opinion, the true value of PCI really boils down to two things: your customers' perception of your website's security, and your Return on Investment (ROI). When your customers perceive that your website has advanced security measures in place to protect them, they have much more confidence and trust in your website, and are more likely to buy from you, which in turn increases your ROI. In nearly every case, the return is far more than it ever costs for the service. Click to see your ROI with Trust Guard seals.
Well, I hope this information has helped you see PCI from a new, fresh perspective, and that you'll be able to make a better, educated decision when it comes to PCI Scanning and compliance. Here's to your online success!
Sincerely,
Scott Brandley
Co-founder
Trust Guard