TL;DR
You might need to consider PCI compliance even without a server if you store, process or transmit cardholder data. This includes using third-party payment processors and even accepting payments over the phone. The level of compliance depends on how you handle that data.
Understanding PCI Compliance
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data. It is not a law, but if you take card payments, your acquiring bank and the card schemes (Visa, Mastercard, etc.) require you to comply as a condition of your merchant agreement.
Do You Need PCI Compliance Without a Server?
Yes, potentially. Having a server isn’t the only factor determining compliance. Here’s a breakdown:
- Directly Processing Payments: If card details are keyed into or kept on a system you control (even a spreadsheet on a laptop), that system and everything connected to it is in scope, and electronic storage of card data rules out every short SAQ, so you will normally be looking at the full SAQ D. This is rare these days, but it is the highest-risk scenario.
- Using Third-Party Payment Processors: Most businesses use processors like Stripe, PayPal, Square, or SumUp. Outsourcing does not remove your responsibilities. If the payment form is served entirely by the processor (a redirect to their hosted page, or card fields inside an iframe they serve), your site can typically use the short SAQ A; if your own page’s code handles the card fields before they reach the processor, you are in SAQ A-EP territory, with far more requirements. Either way the page that sends the customer to the payment step is in scope: an attacker who can alter it can redirect or skim card data before it ever reaches the processor.
- Accepting Payments Over the Phone/Mail Order: If you take card details over the phone and key them one transaction at a time into a browser-based virtual terminal on an isolated PC, SAQ C-VT is the usual fit. Anything written down is cardholder data on paper and must be locked away and destroyed once the transaction is done. Never write down or record the CVV, and remember that call-recording systems capture card numbers too.
- Storing Cardholder Data (Even Temporarily): Sensitive authentication data (the CVV/CVC, full magnetic-stripe or chip data, PINs) must never be stored after authorisation, not even encrypted. Storing the account number (PAN) anywhere, including logs, backups and exports, requires it to be rendered unreadable (strong encryption, truncation, tokenisation or hashing), masked wherever it is displayed (no more than the first six and last four digits), and pulls that location into scope. The safest option is to let the processor store the card and keep only their token.
Steps to Determine Your Compliance Level
- Identify How You Handle Cardholder Data: Be specific. Do you:
- Use a payment gateway? Which one?
- Store any card details (even temporarily)?
- Accept payments over the phone?
- Have physical access to card data?
- Complete a Self-Assessment Questionnaire (SAQ): The PCI Security Standards Council publishes several SAQs, chosen by how you accept cards rather than by your size: SAQ A (card data functions fully outsourced, e.g. a processor-hosted payment page), SAQ A-EP (e-commerce where your own site affects the payment page), SAQ B (imprint machines or standalone dial-out terminals), SAQ B-IP (standalone IP-connected terminals), SAQ C-VT (virtual terminal), SAQ C (payment application connected to the internet), SAQ P2PE (validated point-to-point-encryption terminals) and SAQ D (everything else, including anyone who stores card data electronically). Pick the one whose eligibility criteria you actually meet, not the shortest one.
- Understand Your Merchant Level: Each card scheme sets its own levels by annual transaction volume, and your acquirer tells you which applies. Visa’s levels are typical:
- Level 1: Over 6 million transactions per year (any channel), or any merchant the scheme or acquirer designates. Requires an annual on-site assessment by a Qualified Security Assessor (or an Internal Security Assessor) and quarterly scans by an Approved Scanning Vendor (ASV).
- Level 2: 1 million to 6 million transactions per year. Annual SAQ plus quarterly ASV scans.
- Level 3: 20,000 to 1 million e-commerce transactions per year. Annual SAQ plus quarterly ASV scans.
- Level 4: Fewer than 20,000 e-commerce transactions, and up to 1 million transactions in total, per year. Annual SAQ; ASV scans where the SAQ calls for them (A-EP, B-IP, C and D do, A does not).
The level sets how much validation your acquirer expects; the SAQ type still depends on how you handle card data, not on the level.
- Implement Required Security Controls: Each SAQ maps to a subset of the 12 PCI DSS requirements. For a typical small setup the work includes:
- Firewall and network segmentation, so only the systems that need to reach card data can
- Regular vulnerability scans: quarterly external scans by an ASV where your SAQ requires them, plus internal scanning after significant changes
- Anti-malware on every system in scope
- Unique accounts, strong passwords and multi-factor authentication for access to in-scope systems
- Hardened configurations with vendor defaults (default passwords, unused services) changed or removed
- Encryption: TLS for card data in transit and strong encryption, truncation or tokenisation for any stored PAN
Example: Using Stripe
If you use Stripe, they handle a lot of the PCI compliance for you. However, you’re still responsible for:
- Serving your whole site over HTTPS with TLS 1.2 or later (SSL and early TLS are no longer permitted by the standard).
- Protecting your server environment (if you have one – even if it’s just hosting).
- Following Stripe’s integration guidance: use Stripe Checkout, Elements or the mobile SDKs so card numbers go straight from the customer’s browser to Stripe and only a token or payment method ID ever reaches your systems. Posting raw card numbers to your own server and forwarding them to Stripe’s API puts you in SAQ D.
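Two of the points above are better checked than assumed: whether card numbers have crept into logs, exports or spreadsheets (the "store any card details, even temporarily?" question, together with the rule that PAN must be masked and CVV never stored), and whether a Stripe-style integration really only ever sends the processor’s tokens to your own server. The following is an added example, not code from this page, from Stripe or from the PCI SSC: a small Python scanner that finds Luhn-valid 13 to 19 digit numbers in text, reports and masks them to the first six and last four digits, flags CVV-style fields, and a guard that rejects API payloads containing raw card data. The field names (cvv, pan, payment_method), the sample log lines and the payloads are constructed assumptions for the demonstration.

```python
"""Added example (not from the page, Stripe or the PCI SSC): find, report and
mask cardholder data that has leaked into text such as logs or exports, and
refuse API payloads that carry raw card details.  Sample data is constructed."""
import re

# A run of 13 or more digits, optionally separated by single spaces or dashes
# (how people type card numbers), not glued to other digits on either side.
DIGIT_RUN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorisation.
# The key names are assumptions about how an application might label the field.
SAD_RE = re.compile(r"\b(cvv2?|cvc2?|csc|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that every real PAN passes; most invoice numbers,
    timestamps and IDs fail it, so it is the main false-positive filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the most PCI DSS allows
    to be displayed; everything in between becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _pan_windows(digits: str):
    """Yield (start, length) of non-overlapping Luhn-valid windows of 13 to 19
    digits, longest first, so a PAN followed by another number is still found."""
    i = 0
    while i + 13 <= len(digits):
        for length in range(min(19, len(digits) - i), 12, -1):
            if luhn_valid(digits[i:i + length]):
                yield i, length
                i += length
                break
        else:
            i += 1


def _mask_run(run: str) -> tuple[str, list[str]]:
    """Mask every PAN inside one digit run, preserving its spaces and dashes.
    Returns the masked run and the masked form of each PAN found."""
    positions = [p for p, ch in enumerate(run) if ch.isdigit()]
    digits = "".join(run[p] for p in positions)
    chars = list(run)
    found = []
    for start, length in _pan_windows(digits):
        found.append(mask_pan(digits[start:start + length]))
        for p in positions[start + 6:start + length - 4]:
            chars[p] = "*"
    return "".join(chars), found


def scan(text: str) -> list[tuple[int, str, str]]:
    """Report (line number, kind, masked value) for each hit.  The report only
    ever carries masked PANs, so it does not become a new store of card data."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in DIGIT_RUN_RE.finditer(line):
            _, found = _mask_run(m.group())
            findings.extend((line_no, "PAN", pan) for pan in found)
        if SAD_RE.search(line):
            findings.append((line_no, "SAD", "cvv/cvc value present"))
    return findings


def scrub(text: str) -> str:
    """Mask PANs and drop CVV values, e.g. as a logging filter before write."""
    text = DIGIT_RUN_RE.sub(lambda m: _mask_run(m.group())[0], text)
    return SAD_RE.sub(lambda m: m.group(1) + "=[REDACTED]", text)


def reject_raw_card_data(payload: dict) -> None:
    """Guard for a checkout endpoint that should only receive processor tokens
    (e.g. a Stripe payment method ID), never card details.  Raises on a hit."""
    flat = " ".join(f"{k}={v}" for k, v in payload.items())
    if scan(flat):
        raise ValueError("raw cardholder data in request; send a processor token instead")


# Constructed sample log: lines 2 and 3 leak card data, lines 1 and 4 are clean.
SAMPLE_LOG = """\
2024-05-01 10:02:11 INFO invoice=2024050100017 amount=49.99 status=ok
2024-05-01 10:02:12 DEBUG charge card=4111111111111111 exp=12/27 cvv=123
2024-05-01 10:03:40 DEBUG charge card=5555 5555 5555 4444 exp=01/26
2024-05-01 10:04:05 INFO charge token=pm_card_visa last4=4242 status=ok
"""

if __name__ == "__main__":
    for line_no, kind, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: {kind} {value}")
    print(scrub(SAMPLE_LOG))
    try:
        reject_raw_card_data({"pan": "4111111111111111", "cvv": "123"})
    except ValueError as err:
        print("rejected:", err)
    reject_raw_card_data({"payment_method": "pm_card_visa", "amount": 4999})
```

Run `scan` over log archives, database dumps, support-ticket exports and shared drives to answer the inventory question with evidence; anything it reports is cardholder data you are storing, whether you meant to or not. The Luhn filter removes most false positives but not all (about one in ten random digit strings passes), so treat hits as leads to confirm. `scrub` is the shape of a logging filter that keeps PAN and CVV out of new logs, and `reject_raw_card_data` belongs at the boundary of any endpoint that is supposed to see only Stripe tokens: if it ever fires in production, the front-end integration is sending card data through your server and your SAQ A eligibility is gone.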
Tools and Resources
- PCI Security Standards Council: Official website with all the standards and resources.
- Your Payment Processor’s Documentation: Stripe, PayPal, Square etc., provide guides on PCI compliance for their users.