International PCI DSS Compliance Checklist

Finding the Right Solution Unique to Your Business

What is PCI DSS Compliance?

International eCommerce businesses that take card payments require PCI DSS compliance. In this article, we will talk about what it is and what it means for your business.

PCI DSS stands for Payment Card Industry Data Security Standard. It is published by the PCI Security Standards Council, which was formed in 2006 by the major card brands: Visa, MasterCard, Discover, American Express, and JCB. Acquiring banks and payment processors such as JP Morgan Chase enforce the standard on the merchants they serve, but they did not write it.

Each card brand runs its own compliance program, but the programs are closely aligned. You will notice that Visa, MasterCard, and Discover use essentially the same transaction-volume criteria to determine a "merchant level."

Incorporating Industry Best Practices

The Four Levels of PCI Compliance

There are four different levels of PCI compliance. They are based mainly on the number of card transactions per year, counted per card brand (the figures below are Visa's; MasterCard and Discover use very similar thresholds). A brand can also place a merchant that has suffered a breach at level one regardless of its volume.

  • Level Four: fewer than 20,000 eCommerce transactions a year (and any other merchant processing up to 1 million transactions a year)
  • Level Three: from 20,000 up to 1 million eCommerce transactions a year
  • Level Two: from 1 million up to 6 million transactions a year, across all channels
  • Level One: more than 6 million transactions a year, across all channels

There is a baseline set of standards for all of the PCI compliance levels.

Baseline Protection and Security

Basic PCI Compliance Standards

There are 12 overarching PCI DSS requirements, and all of them apply at every merchant level; the level changes how you prove compliance, not which requirements apply. In the standard's own order, they are:

  • Install and maintain a firewall configuration that isolates the cardholder data environment from untrusted networks.
  • Never run systems with vendor-supplied defaults for passwords and other security parameters; change them before a system goes live.
  • Protect stored cardholder data: keep only what you need, render the card number (PAN) unreadable wherever it is stored (encryption, truncation, tokenization, or strong hashing), and never store sensitive authentication data such as the CVV or full magnetic-stripe data after authorization.
  • Encrypt cardholder data in transit across open, public networks (the internet, wireless networks) using strong cryptography.
  • Protect all systems against malware and keep anti-virus software current and running.
  • Develop and maintain secure systems and applications: patch known vulnerabilities promptly and follow secure coding practices.
  • Restrict access to cardholder data by business need to know.
  • Identify and authenticate access to system components: a unique ID for every person with computer access, with multi-factor authentication for administrative and remote access.
  • Restrict physical access to cardholder data and to the systems that hold it.
  • Track and monitor all access to network resources and cardholder data, with audit logs that cannot be altered by the people they record.
  • Regularly test security systems and processes: vulnerability scans, penetration tests, and change detection on critical files.
  • Maintain an information security policy that covers all personnel.
Overcome Any Obstacle

Challenges with PCI Compliance

One of the biggest challenges with PCI compliance in international eCommerce is the size of the attack surface. Each new region, currency, payment method, and integration adds systems that touch cardholder data, and an intrusion becomes harder to detect as that footprint grows.

This is where the merchant levels enter. The more card transactions your business processes each year, the more rigorous the validation it must undergo: the 12 requirements themselves are the same at every level, but how, and by whom, compliance is verified changes.

At level one the validation bar is highest. A Report on Compliance (ROC) must be produced from an annual on-site assessment by a Qualified Security Assessor (QSA), an independent third party certified by the PCI Council. The ROC is very detailed and meticulous. In addition, an Approved Scanning Vendor (ASV) must perform quarterly external vulnerability scans, and the merchant submits an Attestation of Compliance (AOC) to its acquiring bank.

Level two requires an annual Self-Assessment Questionnaire (SAQ), quarterly ASV scans, and an AOC. Level three is essentially the same: a yearly SAQ, quarterly network scans by an ASV, and an AOC. Level four merchants have the lightest validation burden, since their acquirer decides what must be submitted (typically an annual SAQ and quarterly ASV scans where the merchant has internet-facing systems), but the security requirements themselves are not lower. Which SAQ you complete depends on how you handle card data: SAQ A if card entry is fully outsourced to a validated third party, SAQ A-EP if your own web pages influence how card data reaches the processor, and SAQ D if you handle or store cardholder data yourself.

Encrypting Sensitive Data

Data & Information Tokenization

All the PCI compliance requirements can sound daunting, even at level four. That is why most payment processors encourage "tokenization."

Done strictly, tokenization keeps cardholder data out of the international eCommerce application entirely, which takes most of the 12 requirements out of the application's scope. It does not make compliance someone else's problem: you still have to validate (typically with SAQ A), confirm that your provider is itself PCI DSS compliant, and protect what remains in scope, above all the credentials used to act on tokens. PCI DSS compliance for an international eCommerce business then consists largely of following the best practices for a tokenized integration.

Input Sensitive Data Output Genericized

So, What is Tokenization?

It is a simple concept. Instead of storing the customer's card information yourself, you have the customer's browser send it straight to the payment gateway, through the gateway's hosted payment page, a redirect, or embedded (iframe) card fields, so the card number never passes through your servers. (Whether you sell C2C, B2C, or B2B makes no difference to the mechanism.) In return, your platform receives a token that stands in for the card. The token on its own proves nothing; when you submit it together with your API key and merchant credentials, the gateway checks that the token was issued to your account and is bound to a validated card, and only then runs the payment against it. Depending on the gateway, tokens can be single-use or reusable for later charges such as subscriptions.

Essentially, your platform can run card payments without having to implement and validate all 12 requirements in full; the heaviest of them (protecting stored card data, encrypting it in transit, scanning and testing the cardholder data environment) fall on the gateway. Meeting them yourself is possible, but it is a real burden for a new international eCommerce business.

All your platform needs to do is ensure the sensitive data flows one way, from the customer to the gateway. What comes back is a non-sensitive, genericized token that is worthless to a thief without the API keys, so those keys become the secret you must protect: keep them server-side only, never in client-side code or source repositories, give them the narrowest permissions the gateway offers, and rotate them if they are ever exposed. Be strict about the one-way rule, too: if card numbers are ever posted to your own server, even briefly, for forwarding to the gateway, your servers are back in full scope.
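The flow just described, as an added example that is not code from the original page or from any real gateway's API: the gateway, merchant, token format, API keys, and test card numbers are all constructed for illustration. The shopper's browser tokenizes with the gateway, the merchant server only ever handles the token, the gateway checks both the secret API key and the token's binding to the merchant before charging, and a scan of the merchant's logs confirms that no PAN passed through. It also shows the failure mode the one-way rule guards against: a merchant that accepts the card number itself and tokenizes server-side ends up with PANs in its own logs.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample inputs: a standard Luhn-valid test PAN and the same number one digit off.
TEST_PAN = "4111111111111111"
BAD_PAN = "4111111111111112"


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used by the gateway and by the log scanner below."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Gateway:
    """Toy payment gateway: the only party that ever stores a PAN (hypothetical, not a real service)."""
    api_keys: dict                              # merchant_id -> secret API key
    vault: dict = field(default_factory=dict)   # token -> (merchant_id, pan)

    def tokenize(self, merchant_id: str, pan: str) -> dict:
        """Called from the shopper's browser (hosted fields or redirect), so the
        merchant server never sees the PAN. No secret key is needed here."""
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_urlsafe(16)
        self.vault[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:]}   # non-sensitive data only

    def charge(self, merchant_id: str, api_key: str, token: str, amount: int) -> dict:
        """Server-to-server call: needs the merchant's secret key AND a token."""
        expected = self.api_keys.get(merchant_id)
        if expected is None or not hmac.compare_digest(api_key, expected):
            raise PermissionError("invalid API key")   # a stolen token alone is useless
        rec = self.vault.get(token)
        if rec is None or rec[0] != merchant_id:      # a token is bound to its merchant
            raise PermissionError("token not issued to this merchant")
        return {"status": "approved", "token": token, "amount": amount}


class MerchantServer:
    """The eCommerce back end: holds the secret key and handles tokens only."""

    def __init__(self, gateway: Gateway, merchant_id: str, api_key: str):
        self.gw, self.merchant_id, self.api_key = gateway, merchant_id, api_key
        self.log: list[str] = []

    def checkout(self, token: str, last4: str, amount: int) -> dict:
        """Correct flow: the browser posts only the token and the last four digits."""
        self.log.append(f"charge token={token} last4={last4} amount={amount}")
        return self.gw.charge(self.merchant_id, self.api_key, token, amount)

    def checkout_in_scope(self, pan: str, amount: int) -> dict:
        """Anti-pattern: the browser posts the PAN to the merchant, which tokenizes
        it server-side. The PAN now passes through the merchant's memory and logs,
        so the merchant is back in full PCI DSS scope (SAQ D rather than SAQ A)."""
        self.log.append(f"received card {pan} amount={amount}")
        tok = self.gw.tokenize(self.merchant_id, pan)
        return self.checkout(tok["token"], tok["last4"], amount)


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(lines) -> list[str]:
    """Flag Luhn-valid 13-19 digit runs: a cheap check that logs carry no PAN."""
    return [m for line in lines for m in PAN_RE.findall(line) if luhn_ok(m)]


def demo() -> dict:
    """Run the flow and report what the design does and does not allow."""
    gw = Gateway(api_keys={"shop_eu": "sk_" + "a" * 32, "shop_us": "sk_" + "b" * 32})
    shop = MerchantServer(gw, "shop_eu", gw.api_keys["shop_eu"])
    tok = gw.tokenize("shop_eu", TEST_PAN)                     # browser -> gateway
    receipt = shop.checkout(tok["token"], tok["last4"], 1999)  # browser -> merchant -> gateway
    out = {"approved": receipt["status"] == "approved",
           "merchant_log_clean": find_pans(shop.log) == []}
    attempts = {  # label -> (call that must fail, exception it must raise)
        "no_key_rejected": (
            lambda: gw.charge("shop_eu", "sk_guessed", tok["token"], 1999), PermissionError),
        "other_merchant_rejected": (
            lambda: gw.charge("shop_us", gw.api_keys["shop_us"], tok["token"], 1999), PermissionError),
        "bad_pan_rejected": (lambda: gw.tokenize("shop_eu", BAD_PAN), ValueError),
    }
    for label, (call, exc) in attempts.items():
        try:
            call()
            out[label] = False
        except exc:
            out[label] = True
    leaky = MerchantServer(gw, "shop_eu", gw.api_keys["shop_eu"])
    leaky.checkout_in_scope(TEST_PAN, 500)
    out["in_scope_log_has_pan"] = find_pans(leaky.log) == [TEST_PAN]
    return out
```

`demo()` returns a dictionary of checks, all of which come back `True`: the tokenized checkout is approved and the merchant's log contains no card number, while a token presented without the right key, a token presented by a different merchant, and an invalid card number are all rejected. The `leaky` merchant is the cautionary case: its log now holds a full PAN, which is exactly the evidence an assessor would use to put those servers in scope. The log scanner is deliberately crude (a Luhn-valid run of 13 to 19 digits) and would miss a PAN written with spaces or dashes; a real data-loss check should strip separators before matching.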

Finally, we encourage running automated auditing and validation software even if you decide to go with tokenization. It helps an international eCommerce business stay on top of PCI DSS: continuous scanning and automated reporting let you get as close to the full 12 requirements as possible and confirm that no card data is leaking into logs, databases, or backups. That is worth doing even while you store no card data at all, because as your international eCommerce business scales to more regions, you might decide to collect card information directly, and it is far easier to extend controls you already run than to build them under deadline.

How Clarity can Help

Clarity International eCommerce Experts

If you want to comply with PCI DSS, the first thing you need to do is meet the 12 requirements listed above, in whatever scope applies to your platform. After that, validate compliance the way your merchant level and your acquirer require: an SAQ and quarterly ASV scans for most merchants, and a QSA assessment with a ROC at level one.

If you have any more questions about this topic, we encourage you to reach out to our experienced team. They can provide a complimentary analysis or answer any questions about the next step in expanding your eCommerce platform internationally. We look forward to answering your questions and talking with you about your upcoming international eCommerce project.

As you plan how to expand your eCommerce platform internationally, we encourage you to go through the resources below. Some of these can be helpful for your project.