Am I PCI Compliant if I Have an SSL Certificate?

The Payment Card Industry (PCI) is a regulatory body that is recognized by card networks and payment processors. It has established a list of 12 guidelines grouped into 6 categories. Abiding by these recommendations ensures your customers can safely pay you via credit card. There is no physical (or virtual) document that proves compliance. Having an SSL certificate is one of the main requirements of being PCI compliant, but it is not the only one.

Security features

Possibly the most important security feature in any card transaction is protecting customer data. When a customer swipes their card or types their card details into your online store, they need a guarantee that those details will not be intercepted, stolen, or sold to third parties, because an unscrupulous fraudster could otherwise use them to pose as that customer and make purchases on their credit card.

An SSL certificate ensures that your customers' information is encrypted from the moment it is entered on your website. Ideally, the data should remain encrypted at every step, from the customer's input until it reaches the card networks and banks involved.

Points of compliance

Incidentally, some web developers offer TLS as an alternative to SSL. TLS, from 1999, is a later development of SSL, which was publicly released in 1995. However, hackers have actively attacked both of these security layers, and the IETF (Internet Engineering Task Force) no longer endorses either. Since PCI 3.1 (updated in 2015), they are no longer considered valid security protocols. Here are the six categories of PCI compliance:

  1. Build secure networks and maintain them.
  2. Protect the data of your card holders.
  3. Maintain a program to manage vulnerability.
  4. Implement strong measures to control access to customer data.
  5. Test and monitor your networks regularly.
  6. Maintain a written policy on security.
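The deprecation the paragraph above refers to is PCI DSS 3.1's removal of SSL and "early TLS" (TLS 1.0; TLS 1.1 is likewise deprecated by the IETF in RFC 8996) from the list of acceptable protocols, so an "SSL certificate" only helps if the server refuses those versions. The following Python is an added example, not code from Charge.com or the PCI Council: it shows a server-side TLS context that still accepts legacy versions beside a hardened one, a check that tells them apart, and a small review of constructed connection-log lines that flags any connection negotiated with a deprecated version. The log format, field names and sample lines are assumptions made up for the example.

```python
import re
import ssl

# Protocol versions no longer acceptable under PCI DSS: every SSL version and
# "early TLS" (TLS 1.0). TLS 1.1 is included as well because RFC 8996 deprecates
# it; TLS 1.2 is the practical minimum. (Assumption: these are the only names
# the log emits for legacy versions.)
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def weak_context():
    """'Before' configuration: leaves every version the library supports enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # SSL/early TLS allowed
    return ctx


def hardened_context():
    """'After' configuration: refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def allows_deprecated_version(ctx):
    """True when the context would still negotiate SSL or early TLS."""
    # TLSVersion is an IntEnum, so the comparison is on the wire version number;
    # MINIMUM_SUPPORTED (-2) compares below TLSv1_2 as intended.
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed sample of a front-end proxy's connection log (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z conn=1 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 path=/checkout
2024-05-01T10:00:02Z conn=2 proto=TLSv1 cipher=AES128-SHA path=/checkout
2024-05-01T10:00:03Z conn=3 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 path=/
2024-05-01T10:00:04Z conn=4 proto=SSLv3 cipher=RC4-SHA path=/checkout
"""

LINE_RE = re.compile(r"conn=(?P<conn>\d+)\s+proto=(?P<proto>\S+)")


def deprecated_protocol_connections(log_text):
    """Return (connection id, protocol) for every line negotiated with a deprecated version."""
    hits = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match and match.group("proto") in DEPRECATED_VERSIONS:
            hits.append((int(match.group("conn")), match.group("proto")))
    return hits


if __name__ == "__main__":
    print("weak context accepts legacy versions:", allows_deprecated_version(weak_context()))
    print("hardened context accepts legacy versions:", allows_deprecated_version(hardened_context()))
    print("connections to re-examine:", deprecated_protocol_connections(SAMPLE_LOG))
```

A non-empty result from the log review means clients are still completing handshakes on versions PCI no longer accepts, which points at the server configuration (the `weak_context` shape) rather than at the certificate.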

In order to be fully PCI compliant, your payment gateway has to develop, implement, and abide by all the terms listed above. PCI compliance is not always mandatory, although it can be a requirement of your payment processor. More importantly, many card networks refuse to transact with payment processors that are not compliant, so your customers may not be able to pay you if you are not PCI compliant. Also, if you somehow manage to receive payments outside PCI guidelines and something goes wrong, you and your customers may be at risk.

For more information on PCI compliance and SSL certificates, or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.
