How to Conduct a PCI-DSS Self Compliance Audit for eCommerce
How people shop has shifted and, now more than ever, it is a good time to be an eCommerce store. According to BigCommerce.com, 51% of Americans say they prefer shopping online to making their purchases in-store, citing convenience, price and a slew of other factors. Businesses that sell exclusively online also have their own reasons for remaining without a physical presence, such as lower spending on overhead and staffing.
But when it comes to IT security and protecting credit card information, they are held to the same standards as their brick-and-mortar counterparts. The Payment Card Industry Security Standards Council publishes the PCI-DSS, which governs how any business that accepts payment cards, online stores included, handles the cardholder data it keeps on hand.
To become PCI-DSS compliant and maintain that status, every merchant must regularly complete and pass the assessment that applies to it; the self-assessment questionnaires (SAQs) discussed here are completed annually.
The remainder of this post rests on two assumptions:
- Your cardholder data functions are completely outsourced to validated third parties, and you retain only paper reports or receipts containing cardholder data.
- You are an eCommerce or mail/telephone-order (card-not-present) merchant, and you do not store, process, or transmit any cardholder data in electronic form on your systems or premises.
Are you Eligible To Complete the Self-Assessment Questionnaire A?
Before even starting a PCI compliance audit, the Security Standards Council has a list of questions that should be answered.
Statements that need to be true for your organization and questions* that you need to answer yes to before continuing with the Self-Assessment Questionnaire A (SAQ A):
- You accept only card-not-present (e-commerce or mail/telephone-order) transactions
- All processing of cardholder data is entirely outsourced to PCI-DSS validated third-party service providers
- You don't electronically store, process, or transmit any cardholder data on your systems or premises, but rely entirely on a third party(s) to handle all these functions
- You have confirmed that all third party(s) handling storage, processing, and/or transmission of cardholder data are PCI-DSS compliant
- Any cardholder data you retain is on paper (for example, printed reports or receipts), and these documents are not received electronically
- All elements of the payment page(s) delivered to the consumer’s browser originate only and directly from a PCI-DSS validated third-party service provider(s)
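The last criterion is the one that is easiest to get wrong, because a checkout page that renders its own card fields and posts them straight to the provider ("direct post") looks outsourced but is not an SAQ A arrangement. The script below is an added example, not code from the original post or from the PCI SSC: it parses a checkout page, records which origin every script, iframe and form points to, and reports whether the merchant's own page contains card input fields. The provider hostnames (`checkout.example-psp.com`, `js.example-psp.com`), the card-field heuristic and the two sample pages are constructed for illustration; the real hostnames come from your provider's integration documentation.

```python
"""Audit which origins deliver the elements of a checkout page.

Added example for the SAQ A eligibility check, not from the original post:
it lists where scripts, iframes and forms on the page come from and whether
the merchant's own page renders card input fields.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical hostnames of the validated provider; take the real list from
# the provider's own integration documentation.
VALIDATED_ORIGINS = {"checkout.example-psp.com", "js.example-psp.com"}

# Heuristic: input names or autocomplete tokens that mark a card field.
CARD_TOKENS = {"cc", "pan", "cvv", "cvv2", "cvc", "csc", "exp", "expiry",
               "expdate", "expmonth", "expyear"}
CARD_PREFIXES = ("card", "cvv", "cvc")


def looks_like_card_field(name):
    """True if an input name/autocomplete value looks like a card-data field."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return any(t in CARD_TOKENS or t.startswith(CARD_PREFIXES) for t in tokens)


class CheckoutPageParser(HTMLParser):
    """Collects script/iframe/form origins and any card inputs on the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.loads = []        # (tag, host) for script src, iframe src, form action
        self.card_inputs = []  # names of inputs that look like card fields

    def _host(self, url):
        host = urlparse(url).hostname
        return host if host else self.page_host  # relative URL: merchant's own site

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.loads.append((tag, self._host(a["src"])))
        elif tag == "form":
            self.loads.append((tag, self._host(a.get("action") or "")))
        elif tag == "input":
            name = a.get("name") or a.get("autocomplete") or ""
            if looks_like_card_field(name):
                self.card_inputs.append(name)


def audit_checkout_page(html, page_host, validated=VALIDATED_ORIGINS):
    """Return what an assessor needs to see for the fourth SAQ A criterion."""
    parser = CheckoutPageParser(page_host)
    parser.feed(html)
    parser.close()
    return {
        "card_inputs": parser.card_inputs,
        "merchant_hosts_card_fields": bool(parser.card_inputs),
        "loads_from_provider": [x for x in parser.loads if x[1] in validated],
        "loads_from_other_origins": [x for x in parser.loads if x[1] not in validated],
    }


# Constructed sample 1: the provider's hosted form is embedded in an iframe.
IFRAME_CHECKOUT = """<html><body>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example-analytics.net/tag.js"></script>
<iframe src="https://checkout.example-psp.com/pay?session=abc123"></iframe>
</body></html>"""

# Constructed sample 2: the merchant's page renders the card fields itself and
# posts them to the provider ("direct post"), which is not an SAQ A arrangement.
DIRECT_POST_CHECKOUT = """<html><body>
<script src="https://js.example-psp.com/tokenize.js"></script>
<form action="https://checkout.example-psp.com/charge" method="post">
  <input name="cardNumber" autocomplete="cc-number">
  <input name="expiry">
  <input name="cvc">
  <input name="email">
</form></body></html>"""

if __name__ == "__main__":
    for label, page in (("iframe", IFRAME_CHECKOUT), ("direct post", DIRECT_POST_CHECKOUT)):
        print(label, audit_checkout_page(page, "shop.example.com"))
```

The first sample passes the check: the only payment element is the provider's iframe, and the analytics script is reported for review but does not touch card data. The second sample fails it: the merchant's page hosts the card fields, so even though the form posts to the validated provider, the page elements do not all originate from that provider. Run this against a saved copy of your live checkout page rather than a template, since tag managers and plugins add scripts at render time.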
Preparing for the PCI-DSS SAQ A
To complete the PCI-DSS SAQ A, which is for eCommerce and mail/telephone-order businesses that do not store, process, or transmit cardholder data on their systems, there are a few items you'll want to have prepared:
- General Business Information: Prepare for questions about location, type of business, and contact information.
- Information on the payment application(s)/platform(s) you use.
General Requirements for PCI-DSS Compliance as an eCommerce Store**
Much of what changed in SAQ A for PCI-DSS v3.2 concerns how merchants control access to their systems and the cardholder data that passes through them. Here are the general requirements that eCommerce businesses are expected to comply with:
Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
The first requirement presented in SAQ A is to change ALL vendor-supplied defaults before a system is installed on your network: default passwords on third-party accounts, software, and applications, and any other security parameter that ships with a default value.
This portion of the questionnaire also asks whether unnecessary default accounts have been removed or disabled before the system is installed on your network.
Identify/Authenticate Access to System Components
As previously discussed in the Essential PCI Compliance Checklist, PCI compliance is not a once-a-year goal; the standard itself changes, and the v3.2 update brought stricter requirements for passwords and access into SAQ A.
This portion of the questionnaire focuses on how your system users interact with sensitive data. Is every user assigned a unique ID before being given access to cardholder data? Does your business immediately revoke or deactivate access for users who leave? Many organizations also run file integrity monitoring (FIM) software on systems that hold sensitive files; FIM detects unauthorized changes to those files, which supports PCI-DSS Requirement 11.5, but it does not itself identify or authenticate users, and it is not among the SAQ A questions. Our separate post on FIM explains where it fits into PCI-DSS compliance.
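The two Requirement 8 questions above are answered by a join between the HR roster and an export of system accounts: an account with more than one user is a shared ID, an account with no accountable owner is a generic ID, and an enabled account whose owner has left is access that was not revoked. The script below is an added example, not from the original post: the roster, the account export, the `owners` field and the `AS_OF` date are constructed for illustration, and a real run would read them from the HR system and the identity provider.

```python
"""Reconcile enabled system accounts against the HR roster.

Added example for the SAQ A Requirement 8 questions (unique IDs; prompt
revocation on termination), not from the original post.
"""
from datetime import date

# Constructed HR roster: person -> employment status and end date.
HR_ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "terminated", "end_date": date(2023, 4, 30)},
    "carol": {"status": "active", "end_date": None},
    "dan": {"status": "active", "end_date": None},
}

# Constructed account export: one row per login ID, with the people who
# actually use it ("owners"). A unique ID has exactly one owner.
SYSTEM_ACCOUNTS = [
    {"login": "alice", "enabled": True, "owners": ["alice"]},
    {"login": "bob", "enabled": True, "owners": ["bob"]},              # left, still enabled
    {"login": "carol", "enabled": True, "owners": ["carol"]},
    {"login": "support", "enabled": True, "owners": ["carol", "dan"]},  # shared ID
    {"login": "admin", "enabled": True, "owners": []},                 # nobody accountable
    {"login": "erin", "enabled": False, "owners": ["erin"]},           # already disabled
    {"login": "frank", "enabled": True, "owners": ["frank"]},          # unknown to HR
]

# Constructed assessment date for the sample run.
AS_OF = date(2023, 6, 1)


def reconcile(accounts, roster, as_of):
    """Return (login, finding, detail) for every enabled account that fails a check."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is revoked access; only live access matters
        owners = acct["owners"]
        if len(owners) != 1:
            findings.append((acct["login"], "shared" if owners else "unowned", owners))
            continue
        person = roster.get(owners[0])
        if person is None:
            findings.append((acct["login"], "owner_not_in_roster", owners[0]))
        elif person["status"] != "active":
            days = (as_of - person["end_date"]).days
            findings.append((acct["login"], "terminated_owner", f"{days} days since end date"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(SYSTEM_ACCOUNTS, HR_ROSTER, AS_OF):
        print(*finding)
```

Each finding maps to a question in the SAQ: `shared` and `unowned` accounts fail the unique-ID question, and `terminated_owner` with a non-zero day count fails the immediate-revocation question. An owner who is not in the roster at all is usually a contractor or vendor account, which belongs in the service-provider list discussed under Requirement 12 below.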
Restrict Physical Access to Cardholder Data
Another key requirement of PCI-DSS compliance for eCommerce businesses concerns how data containing payment information is stored and shared.
For this portion of the questionnaire, you should have answers to questions about:
- How media is sent and whether or not it can be tracked
- How media is stored and whether or not there is strict control
- How physical/hardcopy information is destroyed
- What policies you have in place, and maintain, governing physical access
Maintain a Policy Addressing Information Security for All Personnel
The final portion of the SAQ A assessment focuses on a business's IT security policies and procedures and how they are maintained. Requirement 12.8.1 asks you to maintain "a list of service providers" with a description of the service(s) each provides.
The questionnaire (Requirement 12.8.4) also asks whether you maintain a program to monitor the PCI-DSS compliance status of those service providers at least annually.
**All requirements above have been identified using pages 4-9 of PCI DSS v3.2 SAQ A, Rev. 1.1
Want to see if your organization is PCI-DSS compliant? Download the free checklist and walk through each of the steps discussed in this post.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".