SSL and PCI Compliance Explained

Online security measures are essential for businesses that accept card payments either online or in store. SSL certificates and the PCI standards are two of the main security options when dealing with card payments.

What is SSL?

SSL stands for Secure Sockets Layer, a standard security technology that establishes an encrypted link between a server and a client (for example, a website and a customer’s browser). This allows sensitive information to be transmitted online in a secure manner. SSL is a security protocol, meaning it specifies how encryption algorithms are used to protect the connection. (The protocol version in use today is TLS, the successor to SSL, but the certificates are still commonly called SSL certificates.)

All browsers are able to interact with secure web servers using the SSL protocol. However, an SSL certificate is needed to establish a secure connection between the browser and the server. SSL certificates have a public and private key pair that work together to establish this secure, encrypted connection.

SSL certificates create a trusted environment for customers to feel secure and be secure when making online payments. They are displayed on websites to visually indicate to customers that a site is secure, with an “https” address (with an “s” at the end) instead of an “http” address, and usually with a lock icon or green text in the browser address bar. In fact, if you are viewing this article on the Charge.com website, where it was originally published, then this page is being displayed using the SSL protocol, and you can look at the browser address bar on this web page right now to see exactly how an SSL secured page looks on your web browser.

What is PCI compliance, and why is it important?

The Payment Card Industry Data Security Standard, or PCI DSS, is an established set of universal security standards for businesses to follow in order to protect sensitive consumer data such as credit card numbers and account passwords. Any business that handles even one card transaction is required to be compliant with these standards.

According to the PCI, the data that needs to be protected includes cardholder information (Primary Account Number, cardholder name, expiration date and service code) and Sensitive Authentication Data (full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, PIN blocks and more).
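A practical consequence of this data classification is that PANs and Sensitive Authentication Data must not leak into places like application logs. The script below is an added example, not part of the original article or of Charge.com's own tooling: it scans constructed sample log lines for PAN candidates, confirms them with the Luhn checksum so that order numbers and timestamps are not mangled, masks confirmed PANs to the first six and last four digits (the most PCI DSS allows to be displayed), and redacts values of Sensitive Authentication Data fields such as CVV2, which PCI DSS does not permit to be stored after authorization. The field names, log format and card numbers are all constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Sensitive Authentication Data field names, matched as key=value or key: value.
# Field names are constructed for this example.
SAD_FIELD = re.compile(r"\b(cvv2?|cvc2?|cav2|cid|pin)\s*[=:]\s*\S+", re.IGNORECASE)

# Constructed sample log lines (not real transactions). Line 1 carries an order
# number that looks like a PAN but fails Luhn; lines 2 and 3 carry test PANs.
SAMPLE_LOG = [
    "2023-05-01 12:30:45 INFO checkout order=1234567890123456 amount=42.00",
    "2023-05-01 12:30:46 DEBUG auth request pan=4111111111111111 exp=12/27 cvv2=123",
    "2023-05-01 12:30:47 DEBUG retry card 4242 4242 4242 4242 approved",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to first six and last four digits, the PCI DSS display maximum."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str):
    """Mask PANs and redact SAD values in one log line.

    Returns (scrubbed_line, findings); findings holds ("PAN", masked_pan) and
    ("SAD", FIELD_NAME) tuples, never the raw card data.
    """
    findings = []

    def pan_repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)      # not a card number, leave untouched
        masked = mask_pan(digits)
        findings.append(("PAN", masked))
        return masked

    def sad_repl(match):
        findings.append(("SAD", match.group(1).upper()))
        return f"{match.group(1)}=[REDACTED]"

    scrubbed = PAN_CANDIDATE.sub(pan_repl, line)
    scrubbed = SAD_FIELD.sub(sad_repl, scrubbed)
    return scrubbed, findings


def scrub_log(lines):
    """Scrub every line; returns a list of (scrubbed_line, findings) pairs."""
    return [scrub_line(line) for line in lines]


if __name__ == "__main__":
    for scrubbed, findings in scrub_log(SAMPLE_LOG):
        print(scrubbed, findings)
```

The Luhn step matters in practice: a naive 16-digit regex would also "mask" order numbers, tracking IDs and similar values, which breaks the logs without improving compliance. Recording only the masked form in the findings keeps the scrubber's own output out of PCI scope.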

The requirements for a business to be secure and PCI compliant

An SSL certificate is a large factor in becoming secure and PCI compliant. Merchant Service Providers sometimes offer SSL certificates as part of their online payment processing services. Alternatively, businesses can create a Certificate Signing Request on their server to get an SSL certificate themselves.

SSL certificates are a large part of ensuring a business is secure online, but they are not the only requirement for PCI compliance. Merchants have different PCI requirements depending on their level, which is determined by the number of credit card, debit card and prepaid card transactions they process per year. The larger the business and the more card data it handles, the higher the security risk, and therefore the higher the level of security and PCI compliance required.

There is a series of steps to follow in becoming PCI compliant. Firstly, businesses need to complete a Self-Assessment Questionnaire (SAQ) to determine their level of compliance. After this, vulnerability scans, an Attestation of Compliance, and other documentation must be submitted to the acquiring bank before the business is considered PCI compliant.

For more information about SSL and PCI compliance or to sign up for a merchant account, please call (888) 924-2743 or go to Charge.com.
