PCI DSS & SCA Compliance: US Businesses

TL;DR

If your US business accepts credit card payments, you almost certainly need to be PCI DSS compliant. SCA (Strong Customer Authentication) is becoming increasingly important, especially if you process transactions with European customers. This guide explains what each means and how to achieve compliance.

What is PCI DSS?

PCI DSS stands for the Payment Card Industry Data Security Standard. It’s a set of security requirements designed to protect cardholder data. It’s not a law, but any business that stores, processes or transmits credit card information must comply with it to avoid fines and potential legal issues.

Do I need PCI DSS?

  1. Accepting Credit Cards: If you take payments by card (online, in person, over the phone), you’re likely in scope.
  2. Third-Party Processors: Even if you use a payment processor like Stripe or PayPal, you still have PCI DSS responsibilities. You need to ensure they are compliant and that your integration with them is secure.
  3. Storing Card Data: If you store credit card numbers (even temporarily), the requirements are much stricter. Avoid storing this data if possible!

PCI DSS Compliance Levels

The level of compliance required depends on your transaction volume and how you process payments:

  • Level 1: Largest merchants (over 6 million transactions per year) – requires the most rigorous assessment.
  • Level 2: Merchants processing between 1 and 6 million transactions annually.
  • Level 3: Merchants processing between 20,000 and 6 million transactions annually.
  • Level 4: Small merchants (under 20,000 transactions per year) – often can use a Self-Assessment Questionnaire (SAQ).

You can determine your level using the PCI DSS Levels Chart.

How to Achieve PCI DSS Compliance

  1. Choose a Payment Processor: Select a processor that is already PCI DSS compliant.
  2. Complete a Self-Assessment Questionnaire (SAQ): Most small businesses will use an SAQ. There are different types of SAQs depending on how you accept payments. You can find them here.
  3. Implement Security Controls: This includes things like:
    • Firewalls
    • Antivirus software
    • Secure network configuration
    • Regular security scans and vulnerability assessments
    • Strong passwords and access control
  4. Submit Compliance Documentation: Your payment processor will likely require you to submit your completed SAQ or assessment report.

What is SCA?

SCA stands for Strong Customer Authentication. It’s a requirement of the European PSD2 regulation that online payments be protected by two-factor authentication.

Do I need SCA?

  1. European Customers: If you process transactions from customers in Europe, you need to support SCA.
  2. Transaction Monitoring: Even if most of your customers are in the US, you may encounter European customers occasionally and should be prepared for SCA requests.

How to Implement SCA

  1. Two-Factor Authentication: Require the customer to pass factors from at least two of the following three categories:
    • Something the customer knows (e.g., password)
    • Something the customer has (e.g., one-time code sent to their phone)
    • Something the customer is (e.g., biometric authentication)
  2. 3D Secure: Use a 3D Secure protocol like Verified by Visa or Mastercard Identity Check. Your payment processor can help with this.
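The "at least two categories" rule above is where implementations most often slip, because two checks of the same kind (a password plus a security question, both "something the customer knows") look like two factors but only count as one. The check below is an added illustration, not code from the post or any payment processor; the session record shape (category, passed) is an assumption for the example.

```python
from enum import Enum


class FactorCategory(Enum):
    """The three SCA factor categories described in the post."""
    KNOWLEDGE = "knowledge"      # something the customer knows, e.g. a password
    POSSESSION = "possession"    # something the customer has, e.g. a phone receiving a one-time code
    INHERENCE = "inherence"      # something the customer is, e.g. a fingerprint


def sca_satisfied(steps):
    """Decide whether a completed login/payment flow meets SCA.

    `steps` is a list of (FactorCategory, passed) tuples, one per challenge the
    customer was given (hypothetical record shape, not from the post).
    Only challenges the customer actually passed count, and they must come from
    at least two distinct categories. Returns (ok, reason).
    """
    passed_categories = {category for category, passed in steps if passed}
    if len(passed_categories) >= 2:
        return True, "passed factors from %d distinct categories" % len(passed_categories)
    if len(passed_categories) == 1:
        only = next(iter(passed_categories)).value
        return False, "all passed factors are in a single category: %s" % only
    return False, "no authentication factor passed"


# Constructed sample sessions for illustration.
PASSWORD_PLUS_SMS_CODE = [
    (FactorCategory.KNOWLEDGE, True),
    (FactorCategory.POSSESSION, True),
]
PASSWORD_PLUS_SECURITY_QUESTION = [       # two knowledge factors: not SCA
    (FactorCategory.KNOWLEDGE, True),
    (FactorCategory.KNOWLEDGE, True),
]
PASSWORD_THEN_SMS_CODE_FAILED = [         # second factor was offered but not passed
    (FactorCategory.KNOWLEDGE, True),
    (FactorCategory.POSSESSION, False),
]

if __name__ == "__main__":
    for name, session in [("password + SMS code", PASSWORD_PLUS_SMS_CODE),
                          ("password + security question", PASSWORD_PLUS_SECURITY_QUESTION),
                          ("password, SMS code failed", PASSWORD_THEN_SMS_CODE_FAILED)]:
        print(name, "->", sca_satisfied(session))
```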
