Thoughts

Do I need to worry about PCI DSS compliance?

The Payment Card Industry Data Security Standard (PCI DSS) was originally developed in 2008 to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.

The current version of the PCI DSS is version 3.0, and this was published in November 2013. The PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. It is widely adopted as the standard that banks, payment gateways and merchant providers have chosen to adhere to and impose on their clients.

From an agency’s perspective, the important thing to understand about the PCI DSS is when it applies to a client’s website and how compliance is proved. The common story is that the agency receives an email from their client forwarding an automated notice from their bank saying they must complete PCI DSS compliance and pay for an automated security scan. The unfortunate truth is that the vast majority of the time we see these requests they are unwarranted and a waste of time and money.

The easy way to know if the PCI DSS applies to you is to ask this question:

“Does anyone ever type a credit card number into this website?”

If the answer is “No” then you have no need to worry about compliance. The correct course of action is normally a quick online questionnaire or selection, or simply letting the client’s bank know, stating that you do not handle credit card data.

This question is often answered wrongly when people assume that because they have integrated with Sagepay, Worldpay, Secure Trading or similar, they must be handling card information. In the vast majority of cases, though, this integration is actually a hand-off to the payment gateway’s website, where the gateway handles the transaction and then passes the customer back to you (PayPal is a good example of this).

The only time the PCI DSS applies to you is if, while the customer is entering the credit card number, the address bar is showing the URL of your website. If this is the case then get in contact with us: we have a lot of experience in dealing with PCI DSS compliance checks and can advise you on what to do and how to answer the questions your client is asking.