Will You Be Caught Out by This Change to the PCI Rules?


If you take credit or debit card payments online, you probably know you need to be ‘PCI compliant’. What you may not know is that from January 2015 the PCI compliance rules are about to change. And in a big way.

Depending on how exactly you take payments, what you have to do to be ‘PCI compliant’ could be getting a lot more complicated.

There’s always been confusion around the PCI rules. Different merchants and people advising those merchants have interpreted the rules differently. And new technologies have arrived on the scene with new implications for security. To clear up some of the confusion and to address security concerns around these new technologies, from January 2015 the PCI Security Council is introducing a new revision (version 3.0) of their Data Security Standards (PCI DSS).

The big thing to know about the version 3.0 PCI DSS standards is that what you need to do to be PCI compliant is going to depend heavily on how exactly you’re taking payments on your site. The rules around this are going to be clearer than before. And they’re going to surprise a lot of people.

The standards identify three different categories for e-commerce businesses:

1) Hosted store/payment page/payment iFrame: you qualify for SAQ A

If (i) you’re using a compliant SaaS ecommerce platform (such as Shopify or BigCommerce), (ii) you redirect your customers to a secure payment page hosted by your payment processor, or (iii) you take payments via a secure iFrame provided by your payment processor, then you qualify for the simplest level of security measures. Your payment provider will ask you to complete a self-assessment questionnaire called ‘SAQ A’ to confirm you’re following some quite straightforward security practices.

2) Client-side javascript sends card details straight to payment processor: you qualify for SAQ A-EP

If your customers enter their card details into a form on your site that uses technology such as Stripe.js to send the card details straight to your payment processor without ever passing through your server, then you’ll need to complete a much stricter security self-assessment questionnaire called ‘SAQ A-EP’. This is much more demanding than SAQ A.

3) Anything else: you qualify for SAQ D

In any other case you’ll need to comply with the strictest security requirements and complete ‘SAQ D’.

So What?

The big issue here is around category 2.

A lot of small merchants have started using technology like the Stripe payment company’s Stripe.js assuming that this would keep their PCI obligations quite minimal. They’re the ones about to have a nasty surprise. With over 100 technical controls to have in place, complying with SAQ A-EP is far from minimal. In many cases it just won’t be feasible for small merchants to truly comply with it all.

These small merchants are going to have a couple of options: either change how they take payments (so that they qualify for the much simpler SAQ A) or be less than truthful somewhere in their PCI self-assessment documentation.

photo credit: DaveBleasdale via photopin cc

Matt Collins

Matt's the founder of PaymentBrain. He enjoys helping business owners navigate the confusing world of payment processing.

6 thoughts on “Will You Be Caught Out by This Change to the PCI Rules?

  1. Hey Matt, thanks for the excellent post. I haven’t seen many people talking about these changes which surprises me given as you say the impact on Stripe uses having to complete a SAQ A-EP. I also couldn’t find anywhere Stripe site or blog. How is this going to be enforced?

  2. Hi Geoff,

    Thanks for commenting. I assume it’ll be enforced the way PCI compliance is enforced now: monthly fees and/or account termination for non-compliance if the acquirer so chooses and, in the case of any data breach, the prospect of reputation damage and large fines from the card schemes.

    I’ve been in touch with Stripe directly about this and they are very much aware of it. The latest I’ve heard is that they’re working on a new version of their Stripe.js code that they think will allow merchants to keep using SAQ A.

  3. Hi Matt

    As an IT Manager for a company that has a small retail outlet, I am finding the constant changes around PCI becoming more and more frustrating. What is worse is the differences in the knowledge between the QSA’s who are meant to be the experts in this field.

    Do you know if there are any further changes scheduled for 2016?

Leave a Reply

Your email address will not be published. Required fields are marked *