Should I be PCI Compliant?

Under certain circumstances your website may not be required to be PCI DSS compliant. At Quantum, we believe that all online businesses should work to best practice and ensure that their websites meet all of the necessary data security standards, even if this is not technically required of them at present. The Payment Card Industry is constantly reviewing the PCI DSS requirements and raising the minimum level of compliance, so it is always better to be prepared.

Does your website need to be PCI DSS Compliant?

Below is a simple flow chart to help you assess if your website needs to be PCI DSS compliant:

PCI Compliance Flowchart

Ecommerce Websites & Payment Card Industry Data Security Standards

Many web companies inform their clients that they do not need to comply with the Payment Card Industry Data Security Standards if they are processing payments on a payment gateway provider's own level 1 servers. Unfortunately this is simply not the case.

Using the diagrams below you can decide for yourself if your system/online business needs to comply.

DIAGRAM 1: SECURE SOLUTION

PCI DSS Secure Example

DIAGRAM 2: NON-SECURE SOLUTION

PCI DSS Unsecure Flow

In Diagram 2 the hacker has compromised the non-compliant system and changed the payment route.

Many security breaches happen before the customer is passed to the level 1 compliant server. Hackers breach the non-secure system and then redirect where the payment is taken, collecting and compromising card data.

The redirect is normally pointed at a clone payment system that looks and feels like the real payment system, so as not to arouse suspicion in the customer, and sometimes not even in the site owner.

In this scenario the breach occurs before the level 1 PCI DSS server, leaving the merchant account holder with a non-compliant system and a technical breach of the PCI DSS requirements.
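As an added illustration of how a site owner can detect the changed payment route described above (example code written for this page, not Quantum's or the gateway's own tooling), the following Python script checks a checkout page's form actions and script sources against the hosts the page is expected to use. The gateway host name, site host name and sample HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is allowed to post card data to or load scripts from.
# Constructed values for this example; use your own gateway and site hosts.
ALLOWED_HOSTS = {"pay.example-gateway.com", "shop.example.com"}


class RouteCollector(HTMLParser):
    """Collects every form action and script source found on the page."""

    def __init__(self):
        super().__init__()
        self.routes = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.routes.append(("form", attrs["action"]))
        elif tag == "script" and attrs.get("src"):
            self.routes.append(("script", attrs["src"]))


def unexpected_routes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, url) pairs whose host is not on the allow list.

    Relative URLs stay on the merchant's own host and are treated as allowed;
    any absolute or protocol-relative URL pointing elsewhere is flagged as a
    changed payment route."""
    parser = RouteCollector()
    parser.feed(html)
    findings = []
    for kind, url in parser.routes:
        host = urlparse(url).hostname
        if host is not None and host.lower() not in allowed_hosts:
            findings.append((kind, url))
    return findings


# Constructed samples: the expected checkout page, and the same page after an
# attacker has re-pointed the card form at a look-alike host and added a script.
GOOD_PAGE = '<form action="https://pay.example-gateway.com/checkout" method="post"></form>'
TAMPERED_PAGE = ('<form action="https://pay.example-gateway.co/checkout" method="post"></form>'
                 '<script src="https://cdn.evil-example.net/skim.js"></script>')

if __name__ == "__main__":
    print("expected page:", unexpected_routes(GOOD_PAGE))
    print("tampered page:", unexpected_routes(TAMPERED_PAGE))
```

Running this check against a saved copy of the live checkout page on a schedule gives the site owner a way to notice a redirected payment route before customers do.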


PLEASE NOTE:

1) It is the merchant account holder's responsibility to comply with the latest PCI DSS requirements.

2) The supplying web company does not have any responsibility or liability to provide a secure compliant solution unless specified in writing on the quotation or on the purchase order.

3) If your website suffers a security breach and your customer account data is compromised, would that affect your online business if your clients knew your site did not meet data security standards?

4) Would you shop on a website that was not secure?

5) Quantum maintains a "best practice at all times" policy, and that is why we only supply compliant solutions.
