How Do I Tell If a Website Is PCI Compliant?

There is only one way for a consumer to tell if a website is PCI compliant. If the website accepts credit card payments, it is compliant. If the site sells merchandise and does not accept payment, it is not compliant. According to the Council, because of the standards set, "Compliance with the PCI set of standards is mandatory for their respective stakeholders, and is enforced by the major payment card brands who established the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. For example, any site that sends a person to another site, like PayPal, or other card processing site, they are non-compliant. They send the customer to the third-party sites because they have a contract with the third party to take the card payments for them. This is usually because the site itself is non-compliant.

According to PCISecurityStandards.org, the official website of the PCI Security Standards Council, the PCI DSS is "...a set of comprehensive requirements for enhancing payment account data security..." which was designed to include "...requirements for security management, policies, procedures, network architecture, software design and other critical protective measures." These PCI DSS standards protect consumers, credit card companies and the owners of the websites against credit card fraud, and other security problems.

The standards are a set of 12 requirements that every website must adhere to to process any type of credit card payment request. These requirements include maintaining the installation of certain firewall configurations, not using vendor-supplied "default" (common or standard) passwords, protecting cardholder data, encrypting the transmission of that data across public networks, developing secure systems applications, maintaining and regularly updating anti-virus software, restricting physical and need-to-know by business cardholder data, assigning a unique ID to those with computer access, tracking, monitoring and regularly testing all network resources and security systems and processes, and maintaining a policy addressing specific information security. If these standards are not met, the website or e-commerce site is considered non-compliant.

The Qualified Security Assessors (QSA) and Approved Scanning Vendors (ASV) play the role of the companies who help the other organizations examine and validate the payment security and compliance. These companies have certain processes and routines, as well as trained staff qualified for validating a PCI compliant website or merchant. Self-Assessment Questionnaires (SAQ's) are also available to the merchants and other service providers to self access their compliance. Different industries require a different SAQ. More information is located on the council's official website.