An SSL Certificate Does Not Guarantee PCI Compliance

Many businesses would like to be PCI compliant, because it is a security standard that can help prevent security breaches. PCI stands for Payment Card Industry, but you sometimes see the abbreviation DSS attached as well, with DSS standing for Data Security Standard. Companies of any size can become PCI compliant.

When it comes to SSL certificates, it’s important to know that they are not sufficient for your company to be considered PCI compliant. While they do secure the connection between your website and your customers, they do not secure your web server from attacks or intrusions. Even high assurance SSL certificates that provide the highest grade of customer security do not meet the PCI compliance standards, because there are additional steps to undertake.

How do I become PCI compliant?

The process starts with determining your business level based on the transaction amounts over a 12-month period. Each credit card company has its own level structure, with Visa having 4. For example, a Visa level 3 merchant processes between 20,000 and 1 million Visa e-commerce transactions on a yearly basis.

Once you have the level figured out, you will have to fill out the Self-Assessment Questionnaire (or SAQ), and follow the instructions laid out within. Then, you will have to pass a vulnerability scan done by an Approved Scanning Vendor. This is followed by the Attestation of Compliance, which is a document that will contain all the evidence that you are compliant with the requirements of the SAQ. Finally, it will be time to submit all the previously mentioned documentation, along with any other documents that may be requested.

What are the penalties for non-compliance?

PCI compliance is not mandated by federal law, but credit card companies may impose fines on non-complying companies. Larger fines are issued to the merchant bank that holds the account, and they can range from $5,000 to $100,000 for each month of non-compliance. The bank is then left with two options: it will either close your account or raise your fees. The penalties are not made public, but they can devastate a small business. Individual credit card processors can also impose additional fees upon non-complying merchants, which are typically under $100 per month.

Should I worry about PCI compliance if I’m just a one-man business working from home?

PCI compliance is important for businesses of all sizes. Just because you work from home does not mean that you will not be targeted by cyberattacks. On top of that, home-based businesses are perhaps the most vulnerable targets because cyber-criminals expect them to have low security measures. Attackers will apply the principle of the “path of least resistance” in order to gain entry, with home users being targeted through chat programs, P2P file sharing applications and internet games, among others. If you are running a business from home, it’s best to shore up your defenses and become PCI compliant.

For more information on PCI compliance and various other security measures, or to sign up for a merchant account, please call (888) 924-2743 or go to

