Outsourced e-commerce and PCI DSS – what you need to know

A presence on the Internet is considered essential for modern business, and the UK Government’s digital inclusion policy aims to get SMEs online and part of the digital economy. For many small companies, however, going online and taking payments for services online is new and uncharted territory.

There’s a wide range of regulations, standards and requirements that an organisation must meet to trade within the digital economy, which is a challenge that many companies don’t appreciate when they begin. In particular, the Payment Card Industry Data Security Standard (PCI DSS) and distance-trading regulations present notable difficulties.

Male hand using computer and credit card for online paymentPCI DSS

The PCI DSS was initiated by the payment brands (Visa, MasterCard, American Express, Discover and JCB) to combine their individual data security requirements into a single set. The Standard is developed by the PCI Security Standards Council (SSC). It contains requirements for storing, processing or transmitting cardholder data, and includes anything that might affect this. Merchants who accept payment cards from the five brands are responsible for ensuring the payment collection process complies with the standard. Merchants cannot delegate the accountability, even if the whole payment process is handled by third parties.

One of the pitfalls I come across when advising companies about the PCI DSS is that in many instances they already have an e-commerce presence, but it does not comply with the PCI DSS.

For example, they have a website designed, hosted and managed by third parties to take card payment online rather than do it themselves. This is a good option for many companies, as developing or hiring the expertise to do so in-house can be expensive and time-consuming. In many instances, however, they find that the process of meeting the requirements of the PCI DSS has become very difficult because the suppliers themselves are not PCI DSS-compliant.

Outsourcing e-commerce compliance

For companies that do not meet the level 1 merchant status caught in this situation, there is a cut-down version of the PCI DSS self-assessment questionnaire (SAQ), SAQ A, which applies to “Card-not-present Merchants, All Cardholder Data Functions Fully Outsourced”. It was developed by the SSC to address requirements applicable to merchants whose cardholder data functions are completely outsourced to validated third parties, where the merchant retains only paper reports or receipts with cardholder data.

The full eligibility criteria for completing an SAQ A is described within the document, but the main requirement is that cardholder data functions are completely outsourced to validated third parties. “Validated parties” are service providers that are PCI DSS-compliant for the services they deliver, which may include the following:

  • Website design
  • Physical hosting
  • Managed hosting
  • Payment processing

There is a distinction between being certified as a merchant and being certified as a service provider. A service provider will have an Attestation of Compliance (AoC) for either a Report on Compliance (RoC) or an SAQ D for service providers; the AoC will state the services being covered.

It is important to confirm that the AoC includes the services you are contracting, as some companies get caught out because their service provider is certified as a merchant rather than a service provider. In these cases, the ‘service provider’ is approved to take payments, but may not be certified for the services they are actually offering.

For example, you could pay for a website design company to create and host a website that takes payments by credit card. Meanwhile, the website design company may have outsourced its e-commerce operation and completed an SAQ A. When asked for evidence of compliance, it may offer the SAQ A as proof of certification, but this only covers its merchant activity and not its software development and hosting services. It should have an SAQ D for service providers to prove that its services are PCI DSS-compliant, and present the AoC showing this when requested.

The problem

In my experience, companies get caught out by having a website designed and hosted, and then finding they have to comply with the PCI DSS when their acquiring bank asks for an SAQ. At this point, they discover that their suppliers are not PCI DSS-compliant for the services contracted, and that they don’t have sufficient information to complete an SAQ D because they don’t have control over the hosting or management of the website. They’re left unable to meet the acquiring bank’s request.

The company is then left with few options:

  • Ask the suppliers to become compliant.
  • Audit the suppliers as part of the company’s compliance.
  • Change to a certified supplier.

None of these options are attractive or easy to complete. When a company is non-compliant, they can be fined by the acquiring bank monthly, pay additional transaction costs or, in extreme cases, have the ability to process payment cards removed.

Advice

My advice for companies thinking about starting an e-commerce operation is to contact a PCI DSS expert to get advice on the Standard before actually implementing the website. This can save a lot of hassle, time and money in the long term.

There should also be more effort by governments, acquiring banks, payment brands and payment processors to makes sure those new to online payments can get the right advice.

As an approved QSA company, IT Governance is ideally positioned to help organisations comply with PCI DSS v3.0. Find out more about our PCI QSA services >>>