When it comes to PCI compliance, e-commerce websites can create some special, and often confusing, circumstances. The site belongs to you. The web server belongs to an outside company. The underlying software was written by someone else, and there’s still at least one other company involved in actually processing the credit cards. So who, exactly, is responsible for what?

The short answer is that you, as the merchant, are ultimately responsible for being compliant if you accept credit cards through a website. It doesn’t matter who else is involved, or how they may be involved. It is your merchant account that will be on the line if you run into any problems.

If your website stores or transmits any credit card data, then you will need to complete self-assessment questionnaire C, sometimes referred to as SAQ C, in order to prove PCI compliance. This includes taking credit card information through forms or iframes, even if the actual processing is done by another party.

Understanding Self-Assessment Questionnaire C

Here are some important points from SAQ C that generally cause the most trouble for online merchants.

Section 1.3 requires that there be a firewall in place that prohibits access between the Internet and any component of the cardholder data environment.

What this means: The cardholder data environment is all of the components of your website, including any database(s) that it accesses. To meet this requirement, in most cases, means that your database needs to be on a separate server, not on the same machine as your website, connected by a virtual private network. Otherwise, the database is open to access from the Internet, and therefore not compliant.

Section 2.3 requires that all administrative communication is done through encrypted protocols.

What this means: All administrative access must make use of protocols such as SSH, VPN or SSL. For example, FTP is a non-encrypted protocol. If FTP is enabled to allow you to make updates to your site, your server is not PCI compliant.

Section 6.1 requires that system components and software have all of the latest vendor-supplied security patches installed. In addition, any new patches must be installed within 30 days of their release.

What this means: In most cases your hosting provider will manage system updates and security patches for the operating system and other components. You will need a written agreement from your host stating that all relevant patches will be applied to system components within one month of their release.

Section 8.3 requires two-factor authentication for remote access to the network by administrators, employees and third parties.

What this means: Two-factor authentication means that in addition to using a username and password to gain access to the system, another form of identification is used, such as receiving a private, one-time code through SMS or email. If you can access your systems with just your name and a password, you are not PCI compliant.

Section 11.2 requires that security and vulnerability scans be run at least once every three months, as well as after any significant changes to the network.

What this means: You will need to subscribe to a security scanning service and be sure that service is scanning your system(s) at least once every three months.

Workarounds That Don’t Work

It’s also important to note that there are a few common workarounds that some people may believe will exempt them from compliance requirements. Some sites have tried submitting credit card data directly to a payment gateway using Javascript, iframes, or what is known as a transparent redirect. This is done under the (incorrect) assumption that the credit card information is being given directly to the payment processor, and not actually being passed by the merchant website, thus getting around PCI requirements.

These types of workarounds do not exempt you from requirements. Even though your site may not be handling the actual data in these cases, the code that initiates any transactions is hosted on your server, making it part of the cardholder data environment. If your server or site is compromised, that code can be altered to hijack transaction information. If this were to happen, you would be the party held responsible for any fraud or other damage caused.

Do you have questions about e-commerce payments or PCI compliance? We’re here to help. Get in touch with us easily, any time, at 1-866-944-3244 or through ServisTree.com.