What is PCI Compliance? Secure Payment Processing
Last updated: 31 December 2025
If you run a webshop and process online payments, you'll eventually come across the term PCI compliance. It's one of the most important security requirements for anyone who stores, processes or transmits credit card data. In this article, we'll explain what PCI DSS is, why it's mandatory and how to become compliant.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a security standard maintained by the PCI Security Standards Council (PCI SSC), which was founded in 2006 by the major card brands Visa, Mastercard, American Express, Discover and JCB. The goal is simple: protect cardholder data and reduce card fraud.
The standard consists of 12 main requirements covering the full range of data security, from network controls and patching to logging and regular security testing. Every organization that stores, processes or transmits cardholder data must meet these requirements, regardless of company size; only the way compliance is validated (self-assessment or external audit) depends on transaction volume, as described below.
Why is PCI compliance mandatory?
PCI compliance is not an optional guideline but a contractual obligation, not a law: your merchant agreement with your acquiring bank (the acquirer) requires it, and the acquirer is in turn bound by the card brands' rules. Non-compliance can have serious consequences:
The card brands can fine your acquirer, which passes the fine on to you; figures of up to €100,000 per month are commonly cited. After a data breach you can additionally be billed for the forensic investigation, the reissuance of affected cards and the resulting fraud losses, and you may be moved to a stricter compliance level. In the worst case your acquirer terminates your merchant account, so you can no longer accept card payments at all, which would be disastrous for most webshops.
But it's not just about avoiding penalties. PCI compliance protects your customers from identity theft and fraud. It also increases customer trust in your webshop and protects your business reputation. After all, a data breach can be disastrous for your image.
The 12 requirements of PCI DSS
The PCI DSS standard is built around 12 core requirements, grouped into 6 main objectives. The wording below follows PCI DSS v3.2.1, which most introductions still quote; version 4.0 keeps the same twelve requirements but rephrases several of them (for example "firewall" became "network security controls", and "antivirus" became "protect all systems and networks from malicious software"):
Build and maintain a secure network:
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for passwords and other security parameters
Protect cardholder data:
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program:
- Requirement 5: Protect all systems against malware and regularly update anti-malware software
- Requirement 6: Develop and maintain secure systems and applications
Implement strong access control measures:
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Identify and authenticate access to system components
- Requirement 9: Restrict physical access to cardholder data
Regularly monitor and test networks:
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an information security policy:
- Requirement 12: Maintain a policy that addresses information security for all personnel
Compliance levels: which level applies to you?
Merchants are assigned one of four levels, based on the number of card transactions processed per year. The levels are defined by the card brands (the thresholds below are Visa's; Mastercard's are similar), and your acquirer tells you which level applies to you:
Level 1: More than 6 million transactions per year across all channels, or any merchant the card brand designates as Level 1 (for example after a breach). This requires an annual on-site assessment by a Qualified Security Assessor (QSA) or a trained internal assessor, documented in a Report on Compliance (ROC), plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV).
Level 2: 1 to 6 million transactions per year. An annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans are required.
Level 3: 20,000 to 1 million e-commerce transactions per year. An annual SAQ and quarterly ASV scans suffice here too.
Level 4: Fewer than 20,000 e-commerce transactions, or up to 1 million total transactions per year. Validation requirements are set by your acquirer (typically an annual SAQ and, where applicable, quarterly ASV scans), but compliance itself remains mandatory.
How do you become PCI compliant?
For most smaller webshops, the easiest path to compliance is a payment provider that takes over card data handling entirely, such as Mollie, Stripe or Adyen. These providers are validated as PCI DSS service providers themselves, and with a hosted payment page, redirect or iframe the card number never reaches your own servers. Compliance does not disappear, but it shrinks considerably: such a fully outsourced setup typically qualifies for the short SAQ A. If instead your own page embeds the provider's JavaScript or posts card data straight to the provider, so that your code determines how card data is captured, the much longer SAQ A-EP applies.
If you do process payment data yourself, these are the steps:
Start by determining your compliance level based on your transaction volume. Then scope precisely: identify every system that stores, processes or transmits cardholder data, or is connected to one that does; the smaller that environment, the less you have to secure and assess. Conduct a thorough security review of those systems and implement all applicable security measures according to the PCI DSS requirements.
Complete the Self-Assessment Questionnaire (SAQ) that matches your situation (Level 1 merchants instead undergo a full assessment documented in a ROC). Have quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV), and carry out the internal scans and penetration tests the requirements demand. Finally, sign the Attestation of Compliance (AOC), submit it to your acquirer, and retain all evidence for the next assessment.
The role of your hosting provider
Your hosting provider plays a crucial role in your PCI compliance. A good provider offers hosting designed for PCI DSS workloads: it applies security updates and patches on a fixed schedule, supports TLS certificates and enforces encrypted connections using TLS 1.2 or higher (SSL and early TLS have been prohibited by PCI DSS since June 2018), and has physical datacenter security in order.
Some hosting providers are validated as PCI DSS Level 1 service providers, meaning their own infrastructure has been assessed against the full standard. That simplifies your compliance, but only for the requirements they actually cover: ask for their Attestation of Compliance (AOC) and a responsibility matrix stating which requirements are theirs, which are shared and which remain yours.
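Requirement 4 and the hosting section above both come down to one testable property: the checkout endpoint must refuse SSLv3, TLS 1.0 and TLS 1.1 and offer TLS 1.2 or 1.3. The script below is an added example for this article, not code from the page's author or any hosting provider, that probes a host for exactly that. The host name is a placeholder you replace with your own checkout or API host; whether a legacy version can be offered at all depends on the OpenSSL build behind your Python, so a version the client cannot speak is reported as untested rather than refused, and SSLv3 cannot be probed from current Python at all. The quarterly ASV scan remains the authoritative check; this is for catching regressions between scans.

```python
"""Added example: probe which TLS versions a payment endpoint negotiates.

PCI DSS Requirement 4 requires strong cryptography in transit; SSL and early
TLS (1.0) have been prohibited since June 2018.  The host name below is a
placeholder (assumption), and legacy versions the local OpenSSL cannot offer
are reported as None (untested), never as refused.
"""
import socket
import ssl
import sys
from typing import Dict, Optional

LEGACY = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
MODERN = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def negotiates(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> Optional[bool]:
    """True if the server completes a handshake pinned to exactly `version`,
    False if the server refuses it, None if this client cannot offer it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we test version negotiation, not the certificate chain
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None                   # this OpenSSL build was compiled without that version
    try:
        # OpenSSL 3 disables TLS 1.0/1.1 at its default security level; lower
        # the level so a legacy probe is actually offered on the wire.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                          # LibreSSL / old OpenSSL: no security levels
    sock = socket.create_connection((host, port), timeout=timeout)  # a closed port raises here
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version() is not None
    except ssl.SSLError as e:
        if "no protocols available" in str(e).lower():
            return None               # the client side declined, not the server
        return False                  # server rejected the handshake
    except OSError:
        return False                  # connection reset during the handshake
    finally:
        sock.close()


def probe(host: str, port: int = 443) -> Dict[str, Optional[bool]]:
    """Probe every version in LEGACY and MODERN against one endpoint."""
    return {name: negotiates(host, port, v) for name, v in {**LEGACY, **MODERN}.items()}


def assess(results: Dict[str, Optional[bool]]) -> dict:
    """Apply the PCI DSS rule to a probe result: no legacy version accepted
    and at least one strong version available.  A legacy version that could
    not be tested makes the verdict inconclusive rather than compliant."""
    accepted_legacy = sorted(n for n in LEGACY if results.get(n) is True)
    untested_legacy = sorted(n for n in LEGACY if results.get(n) is None)
    available_modern = sorted(n for n in MODERN if results.get(n) is True)
    if accepted_legacy or not available_modern:
        verdict = "non-compliant"
    elif untested_legacy:
        verdict = "inconclusive"
    else:
        verdict = "compliant"
    return {
        "verdict": verdict,
        "accepted_legacy": accepted_legacy,
        "untested_legacy": untested_legacy,
        "available_modern": available_modern,
    }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "checkout.example.com"  # placeholder host
    results = probe(host)
    for name, r in results.items():
        print(f"{name}: {'accepted' if r else 'refused' if r is False else 'untested'}")
    print("verdict:", assess(results)["verdict"])
```

Run it as `python tls_probe.py checkout.yourshop.example` against the hosts your checkout actually talks to, including the hosting provider's load balancer if TLS terminates there, since that is the endpoint an ASV scan will see.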
Common pitfalls
Many webshops make the same mistakes when it comes to PCI compliance. They think they are too small to worry about it, but even the smallest webshop must be compliant. Or they assume their hosting or payment provider bears all responsibility, while responsibility for compliance always stays with you as the merchant: you must keep a list of your service providers and know which requirements each one covers (PCI DSS Requirement 12.8).
Another common mistake is storing card data without strict necessity. The rule is simple: if you don't need it, don't store it. Sensitive authentication data in particular (the CVV/CVC security code, full magnetic-stripe or chip data, and PINs) may never be stored after authorization, not even encrypted. Skipping regular security updates and scans is another risk. Compliance is not a one-time thing but an ongoing process.
Practical tips for webshops
Preferably use an external payment provider that handles card data for you. This is by far the easiest and safest option. Never store unnecessary cardholder data. If you must store the card number (PAN), render it unreadable wherever it is stored, using strong encryption with properly managed keys, truncation or a keyed hash, and restrict which people and systems can read it.
Ensure regular security training for your staff. Many data breaches result from human error. Document all security measures and procedures carefully. And always keep your software, plugins and systems up-to-date.
Continuously monitor your systems for suspicious activity, retain audit logs for at least twelve months, and make regular backups. Conduct penetration tests at least annually and after significant changes, so you find vulnerabilities before attackers do.
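The "don't store it, and if you must, make it unreadable" rule from the pitfalls and tips above is easier to follow with code that refuses to do the wrong thing. The module below is an added example for this article (not the page's code and not any payment provider's SDK): it validates and masks card numbers, replaces a stored PAN with a keyed hash as PCI DSS 4.0 requires for hashed PANs, refuses records that carry sensitive authentication data, and scans log lines for card numbers that leaked into them, which is one of the most common ways a "no card data on our servers" shop silently ends up with card data on its servers. The log lines are constructed for the demo, the card numbers in them are the public Visa and Mastercard test numbers, and the key is a throwaway that would live in a key-management system in practice.

```python
"""Added example: PAN handling per PCI DSS Requirement 3, plus a log scanner.

Assumptions: SAMPLE_LOG is constructed (not real traffic); the card numbers in
it are public test numbers; DEMO_KEY stands in for a key from a KMS/HSM.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

# Sensitive authentication data may never be stored after authorization, not
# even encrypted (PCI DSS 3.3.1): security codes, track data, PIN blocks.
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "track1", "track2", "pin", "pin_block"}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; every genuine PAN passes it, most digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str) -> str:
    """Strip separators and validate length (13 to 19 digits) and checksum."""
    pan = re.sub(r"\D", "", raw)
    if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    return pan


def mask_pan(raw: str) -> str:
    """Display form: last four digits only.  PCI DSS 3.4.1 allows at most the
    first six and last four to be shown; showing fewer is always acceptable."""
    pan = normalize_pan(raw)
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(raw: str, key: bytes) -> str:
    """Storage form when you only need to recognise the same card again (e.g.
    velocity or fraud checks): a keyed one-way hash of the entire PAN.  PCI DSS
    4.0 (3.5.1.1) requires such hashes to be keyed, because an unkeyed SHA-256
    of a 16-digit number with a known BIN is brute-forced in minutes."""
    return hmac.new(key, normalize_pan(raw).encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record: dict, key: bytes) -> dict:
    """Return what may be written to the database: no sensitive authentication
    data, no clear-text PAN, only the masked form and the keyed token."""
    leaked = FORBIDDEN_FIELDS & {k.lower() for k in record}
    if leaked:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(leaked)}")
    out = {k: v for k, v in record.items() if k != "pan"}
    out["pan_masked"] = mask_pan(record["pan"])
    out["pan_token"] = pan_token(record["pan"], key)
    return out


# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or
# dashes, not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def scan_for_pans(lines: List[str]) -> List[Tuple[int, str]]:
    """Report (line number, masked PAN) for every Luhn-valid card number found.
    Run this over application logs, crash dumps and database exports: card
    numbers that land there pull those systems into PCI scope unnoticed."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in _PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((n, mask_pan(digits)))    # never re-log the full PAN
    return hits


# Constructed sample log.  Line 2 leaks a PAN through a debug statement and
# line 4 through a form dump; line 3 is an order id that merely looks like a
# card number and must not be flagged.
SAMPLE_LOG = [
    "2025-12-31T10:00:01Z INFO checkout started session=ab12 ts=1735603200123",
    "2025-12-31T10:00:02Z DEBUG card payload: 4111 1111 1111 1111 exp=12/27",
    "2025-12-31T10:00:03Z INFO order 1234567890123456 created for customer 77",
    "2025-12-31T10:00:04Z ERROR psp timeout, form={'pan': '5555-5555-5555-4444'}",
]
DEMO_KEY = b"demo-only-key-replace-with-kms-managed-key"

if __name__ == "__main__":
    for lineno, masked in scan_for_pans(SAMPLE_LOG):
        print(f"line {lineno}: PAN found ({masked})")
    print(prepare_for_storage({"pan": "4111 1111 1111 1111", "exp": "12/27"}, DEMO_KEY))
```

The Luhn filter is what keeps the scanner usable: order numbers, timestamps and session ids are full of 13 to 19 digit runs, and without the checksum you would drown in false positives. Note that the scanner reports only the masked form, so the scan report itself does not become another copy of the card number.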
Costs of PCI compliance
The costs of PCI compliance vary greatly depending on your situation. For Level 4 merchants that outsource card handling to a payment provider, costs often remain limited to €50-200 per year for scans and self-assessment tooling.
For larger webshops processing card data themselves, costs can run into thousands of euros per year for assessments, scans, security measures and validated hosting. But remember: the costs of non-compliance are many times higher. A data breach can cost millions once forensic investigation, card reissuance, fraud losses, fines, damage claims and lost customers are added up.
Future of PCI DSS
The PCI DSS standard is updated periodically to keep pace with new threats and technologies. PCI DSS v4.0 was published in March 2022; v3.2.1 was retired on 31 March 2024, and the v4.0 requirements that were initially marked as best practice became mandatory on 31 March 2025. A minor revision, v4.0.1 (June 2024), corrected and clarified wording without adding requirements. Among the changes in 4.0 are multi-factor authentication for all access into the cardholder data environment, stricter password rules, inventory and change detection for scripts on payment pages, and targeted risk analyses.
The standard is also moving toward a more risk-based model. Alongside the traditional defined approach, 4.0 introduces a customized approach: an organization may meet a requirement's stated objective with controls of its own design, provided it documents a targeted risk analysis and its assessor can test that the controls actually work.