What the serious heck is PCI compliance and PCI DSS?
PCI compliance is a phrase fairly unknown to most people, but one that can send chills down the back of those familiar with e-commerce. Why? Because it can be super-scary, and I’m here to make you feel a bit better about it.
PCI compliance, or payment card industry compliance, is born out of something called PCI DSS (the Data Security Standard). There’s a lengthy history of PCI DSS, but here's my summation:
Internet: “It’s 2006, and OMG, so many people are using credit cards to make online purchases with me!”
Bad people in the world: “Wow, it’s 2006 and so many people are using their credit cards online. I can totally steal the credit card information super easily and make fraudulent purchases at places you’d never shop.”
Smart techie people: “We need to form a governing body, and put some rules in place to stop the bad people from doing bad things to people with poor taste in where they shop. Okay, let’s start PCI DSS, and it’ll be a list of things that companies must do to protect consumers from said bad people.”
And thus, my friends, PCI DSS was born.
Should you care about PCI compliance and PCI DSS?
Yes. If your nonprofit sells anything or accepts donations, then you need to make sure the service you use to accept those funds is PCI compliant. If you’re a consumer, then you should also know if a company or nonprofit you're giving your money to is PCI compliant.
Why should nonprofit leaders really, really care?
If your transactions are hitting your server in any way, you’re liable. If there’s a security breach and you're not compliant, you can be fined from $5,000 to $500,000 per month.
What can you do about PCI compliance and PCI DSS?
There are a few options. If you’re looking to read through hundreds of pages of technical PCI DSS guidelines, then have at it. However, since the interwebs are filled with so many e-commerce platforms, they can do the heavy lifting and let you do what you're good at: selling goods and services. Many e-commerce platforms have likely invested millions to make their platforms as secure as possible.
Let’s go over some basic terminology:
- E-commerce package: This is what sells your products; you may call it an online shopping cart. Sometimes it's integrated into your site, sometimes it's a stand-alone.
- Online donation tools: The service you use to accept online donations, such as Network for Good.
- Merchant's web server: Where your e-commerce package is hosted. If you're using a package such as Shopify, this is most likely also your web server.
- Payment gateway: This is what connects the e-commerce package to the banks. Think of the payment gateway as the super gossipy kid in class that's passing notes back and forth to everyone.
- Settlement bank: This is where your funds get settled (aka your bank).
So someone buys a Grumpy Cat t-shirt off your site (e-commerce package); the order goes through the payment gateway, which chats with the banks and with the e-commerce platform (which may or may not be part of your site), and eventually the funds are deposited into your bank account. Within that process, the card data could also hit the merchant web server. In that case, you'd be totally open for PCI DSS scrutiny. The same process applies for online donations.
So instead of using an e-commerce or donation platform and a payment gateway that hits your own servers, you can use a fully hosted solution (which lives on their servers, so it's their liability). Any time you’re evaluating any service or tool that accepts online payments, be sure you ask about this aspect in writing: “Are you 100% fully PCI compliant?”
Surprisingly, many vendors will start to dance and avoid the question. If they do this—run, don’t walk, away. We’ve had conversations with well-known form services that “leave it up to the customer to handle PCI compliance.” This is not good practice.
Some e-commerce platforms are fully compliant, and take pride (as they should) in it. For example, Shopify boasts full compliance. However, it’s also important to ensure any payment gateways they work with also claim the same. This is imperative. Some sites, like BigCommerce, seem to be a bit more vague in their statement.
If you take a look at the two links above, you’ll see a really noticeable difference: Shopify is quite straightforward about it. “Yes, Shopify is certified Level 1 PCI DSS compliant. This compliance extends to all online stores powered by Shopify,” says their site. BigCommerce’s explanation seems to dance around the fact a bit: “BigCommerce takes care of the vast majority of the steps toward PCI compliance for any customer on our platform.” BigCommerce may be PCI DSS compliant, but it’s a bit difficult to tell. These are the red flags to look for.
In general, when the payment page is hosted elsewhere (say, on PayPal), it’s easier to be confident they’re compliant. However, with PayPal’s “on page” payment solution Payflow, where the transaction is entered on your site (e.g. www.myshop.com/payment) rather than on www.paypal.com, PCI compliance once again becomes a major concern.
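The practical difference between the two flows described above (card data passing through your own web server versus a fully hosted payment page) is whether the primary account number ever reaches code you run. The following is an added example, not code from the original post or from any vendor named here: a small scope check that walks a form submission as your server would receive it and reports any field that looks like a card number (13 to 19 digits passing the Luhn check). The two sample submissions are constructed for the example; the token value is a placeholder, not a real gateway format.

```javascript
// Added example (not from the original post): does a form submission carry
// cardholder data, i.e. would handling it put the merchant server in scope?
// Assumption: submissions arrive as plain objects parsed from JSON or form posts.

// Luhn check-digit test, as used by payment card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like" a PAN if, after removing spaces and dashes, it is
// 13 to 19 digits and passes Luhn. Luhn only validates the check digit, so
// some unrelated identifiers can pass too; treat hits as something to review.
function looksLikePan(value) {
  if (typeof value !== 'string' && typeof value !== 'number') return false;
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Recursively walk the submission and return dotted paths of suspect fields.
function findCardholderData(payload, path = '') {
  const hits = [];
  if (payload && typeof payload === 'object') {
    for (const [key, val] of Object.entries(payload)) {
      hits.push(...findCardholderData(val, path ? `${path}.${key}` : key));
    }
  } else if (looksLikePan(payload)) {
    hits.push(path);
  }
  return hits;
}

function assessScope(payload) {
  const fields = findCardholderData(payload);
  return { inScope: fields.length > 0, fields };
}

// Constructed sample: an "on page" form that posts the raw card to the
// merchant's server. The number is a well-known test card number.
const onPagePost = {
  donor: { name: 'A. Donor', email: 'donor@example.org' },
  amount: '25.00',
  card: { number: '4111 1111 1111 1111', exp: '12/29', cvv: '123' },
};

// Constructed sample: a hosted checkout. The browser sent the card straight to
// the payment provider's page; the merchant server only sees an opaque token.
const hostedPost = {
  donor: { name: 'A. Donor', email: 'donor@example.org' },
  amount: '25.00',
  paymentToken: 'tok_EXAMPLE_PLACEHOLDER',
};

console.log('on-page form:', assessScope(onPagePost));
console.log('hosted checkout:', assessScope(hostedPost));
```

Running the same check over request logs or stored form responses is a quick way to find out whether a "leave it up to the customer" form tool has been quietly delivering card numbers to your server all along.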
The same red flags go for anything that receives payment: online forms, donations, event registrations, you name it. These are questions you should be asking yourself, your IT team, and your app vendors (e.g. Shopify, Wufoo) to make the best decision for your organization and your resources.
To make sure your nonprofit is PCI compliant, you don't need to understand PCI DSS inside and out—you just need to understand the basics, what questions to ask, and what the red flags are.