Every merchant who accepts credit cards on the Internet is required to be PCI DSS compliant.

I just want to leave that up there as a fact, because there is an awful lot of misinformation on the Internet, but my above statement is unequivocal.

You may have been told that you don’t need to be PCI DSS compliant because you don’t handle card data: you send it to a processor like SagePay or RealEx. This is not true. It’s certainly a lot easier to become compliant by using a third-party payment provider, but you still have to be compliant.

You may not think that you need to be compliant because you don’t take payment over the Internet, just in person or on the phone. Brother: you are about to have a very bad day. If there is one thing that makes compliance expensive and difficult, it’s handling card information in the real, non-virtual world.

And if you do both? Or all three? Or mail order? You can expect to fill in the full SAQ-D questionnaire, which applies to ‘other merchants’ that don’t fully fall into the other SAQ categories.

There aren’t levels of compliance: no A, B, C or D (those are just references to different questionnaires) and no 1, 2, 3 or 4 (those are merchant levels). Different merchant levels need to validate their compliance differently, but everyone needs to be compliant.

As the Wikipedia PCI DSS entry (http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard) puts it: “Smaller merchants and service providers are not required to explicitly validate compliance with each of the controls prescribed by the PCI DSS although these organizations must still implement all controls in order to maintain safe harbour and avoid potential liability in the event of fraud associated with theft of cardholder data.”

Not only that, but no one who was actually compliant has been the victim of a breach. This is another common misconception, because Target were “PCI DSS Compliant” (scare-quotes intentional) despite their obvious breach.

This is another case where really careful semantics are important: they may have said that they were compliant, thought that they were compliant and even had a QSA say that they were compliant, but they were not compliant at the time of the breach. If they had been, the famous HVAC remote access would not have happened, and those card numbers would not have been stolen. (For anyone lucky enough not to have read the PCI DSS specification, this violates section 8.3, which mandates two-factor authentication for access to the cardholder data environment.)

Visa’s Chief Enterprise Risk Officer, Ellen Richey (http://www.cso.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced): “…no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”

PCI DSS forms a basic underpinning of your secure business. If you are dealing with credit cards (which almost all businesses with e-commerce are), you, your web developers and your operations people should be working within this framework.

The evidence of so many high profile compromises should make this clear: if you are not doing at least what the PCI DSS says then you are putting your business at risk.