What Is PCI Compliance Scope?


The phrase “PCI compliance scope” is commonly used in two different ways. First, you might see something that says your website is either in scope or out of scope for needing to comply with the PCI compliance regulations. The other way you might see PCI compliance scope is relating to ways to reduce your PCI compliance scope. In this article we will talk about how you know if you are in scope or out of scope and the different things you can do to reduce PCI compliance scope for your website.

In Scope vs Out of Scope

Despite the vast quantity of confusion and misinformation out there regarding PCI compliance, the bottom line is really quite simple. If your business allows customers to purchase your products or services with a credit card, then your business is in scope. The only way to be out of scope is to simply not accept credit card payments in any way.

It’s also important to realize that PCI compliance applies to your business as a whole. So, even though we will be talking almost exclusively about PCI compliance for e-commerce websites, you should be mindful of the fact that it is your business, not just your website, that is considered for PCI compliance. You don’t even have to have a website in order to be in scope for PCI compliance. For example, if you accept credit card payments over the phone, through the mail, or have a point of sale terminal – all of those things put your business in scope for PCI compliance.

Another widely held misunderstanding is that if you simply install an SSL certificate on your website then you are out of scope, or, perhaps, that’s all you need to do to achieve PCI compliance. So, to be clear, installing an SSL certificate does NOT make your website PCI compliant. What you need to do to achieve PCI compliance for your website depends on how you accept credit card payments and how much of the payment process you handle yourself.

Bottom line: If your business accepts credit card payments in any way, you are in scope for PCI compliance.

Reducing Scope

So now that we know that accepting credit card payments puts your business in scope for PCI compliance, let’s talk about things you can do to reduce the scope. In this sense, PCI compliance scope is very much like project scope for a consulting web development project. Suppose you run a web development agency and you build custom WordPress sites for your clients. A client who owns a chain of restaurants comes to you. He wants to build a website that has a directory listing of all the restaurants in the chain. In addition, he wants visitors to the site to be able to type in their address and search for the nearest location to their address.

After discussing the cost and time implications of building out the distance based location search, your client decides they don’t really need that feature right now. That decision reduces the scope of the project. In other words, you have to do fewer things to build this website.

PCI compliance scope works in a similar way. It is essentially the number of things you have to do to comply with the regulations intended to ensure the security of credit card payments. There are two different ways you can do fewer things. One way is to simply not do certain things, like storing credit card numbers. Without storing credit cards you won’t be able to have features like recurring payments, subscriptions, or storing billing information to make future checkouts faster and easier for your repeat clients. If you don’t store credit card information then you don’t have to comply with the regulations for how to properly and securely store that type of data. That reduces your PCI compliance scope.

Perhaps the better way to reduce scope is not to simply throw out the features you want for your website, but rather to outsource the implementation of those features to a third party service. In the example of storing credit cards, many payment gateways have secure vaults where you can store credit cards. Then you can have recurring payments, subscriptions, and so forth but you have still reduced your PCI compliance scope by outsourcing the implementation of storing credit cards to a third party service. This same principle can be applied throughout your e-commerce website. You can continue to reduce the scope by handling fewer and fewer components of credit card processing yourself and relying more and more on secure third party services. This can cascade all the way down to using a secure hosted payment page where ALL of the credit card processing features are handled by a secure third party service. Remember, this does not remove your business from being in scope entirely because, at the end of the day, your customers are still paying you with their credit cards. But it does dramatically reduce the number of things you have to do to meet the PCI compliance regulations. In other words, it reduces your scope.
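The two approaches above share one test: if you claim the card data lives only in the gateway’s vault, nothing in your own order store, logs or database exports should contain a full card number. The following is an added example, not code from Cart66 or from any payment gateway. It uses constructed sample records (the card numbers are well-known test numbers, not real accounts) and a Luhn check to flag any stored primary account number, while records that hold only a vault token, last four digits and brand pass cleanly.

```python
import re

# Constructed sample records: an order store before and after moving card
# storage to a gateway vault. The card numbers are public test numbers.
IN_SCOPE_RECORDS = [
    "order=1001 customer=alice card=4111111111111111 exp=12/27",
    "order=1002 customer=bob card=5555 5555 5555 4444 exp=01/26",
]
OUT_OF_SCOPE_RECORDS = [
    "order=1001 customer=alice vault_token=tok_8f3a1c last4=1111 brand=visa",
    "order=1002 customer=bob vault_token=tok_77b2e0 last4=4444 brand=mc",
]


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return a masked copy of every Luhn-valid card number found in text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # never echo the full number back, even in a report
            found.append("*" * (len(digits) - 4) + digits[-4:])
    return found


def scan_records(records: list[str]) -> dict[int, list[str]]:
    """Map each record index to the masked card numbers it contains."""
    return {i: find_pans(r) for i, r in enumerate(records)}


def is_out_of_storage_scope(records: list[str]) -> bool:
    """True only if no record holds a full card number."""
    return not any(scan_records(records).values())


if __name__ == "__main__":
    for name, recs in (("in-scope", IN_SCOPE_RECORDS),
                       ("out-of-scope", OUT_OF_SCOPE_RECORDS)):
        hits = {i: h for i, h in scan_records(recs).items() if h}
        print(f"{name}: {'clean' if not hits else hits}")
```

The scan reports only masked values so the report itself does not become another place card data is stored. Run it over database dumps, application logs and backups as part of confirming that the storage portion of your scope really has moved to the third party.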

Self Assessment Questionnaires

One way to measure the scope of your PCI compliance is by what Self Assessment Questionnaire you need to fill out. When you sign up for a payment gateway or a merchant account you will probably have to fill out a self assessment questionnaire so that your merchant bank knows that you are being responsible with the security surrounding the credit card payments on your website. We will talk in much more detail about the differences between the types of SAQs, but for now the important thing is that you want to be able to use SAQ A. This is the shortest and easiest questionnaire to complete. It is basically just one page with 13 questions where you sign off on the fact that you outsource all of the payment processing to secure, PCI compliant, third party services and you don’t handle any of the credit card data yourself. This includes not only storing and processing credit card data but also collecting and transmitting it as well.

This begins to uncover why having an SSL certificate has very little to do with your PCI compliance. The much more important factor to consider is how you handle credit card payments. For example, if you are using a third party hosted payment page, you don’t even have to have an SSL certificate at all. If you are collecting and transmitting credit card data from a form that you host on your website, then you have to do far more than just install an SSL certificate. You will need to comply with SAQ A-EP, which is a 51 page form with over 130 requirements. Even if you were technically minded enough to be able to answer all of those questions, your web host would almost certainly not be able to comply with the requirements. For instance, you have to disable all insecure communication channels like FTP. So, if you can FTP into your web site, you won’t be able to meet the requirements of SAQ A-EP. Other requirements include firewalls, turning off certain ports, vulnerability scans, log monitoring, etc. The point is you would need to spend a lot of money on your web hosting environment in order to comply with the requirements in SAQ A-EP.

Cart66 Gives You The Best Of Both Worlds

It is very important that you find a solution like Cart66 that provides a secure hosted payment page that works with over 100 different payment gateways. Cart66 reduces your PCI compliance scope to the maximum degree. You can complete SAQ A (the short, easy questionnaire). Cart66 provides the most customization possible for any hosted payment page. Cart66 will skin your hosted payment page with your WordPress theme so it literally looks exactly like the rest of your WordPress site.

There are other third party hosted payments services. Perhaps most notable among the third party hosted payment services is PayPal. The problem with PayPal, however, is that it looks absolutely nothing like your website. So when people go to pay, it is very obvious that they are leaving your website and bopping over to PayPal. You lose all your branding. You lose the flow of your design. Worst of all, statistics show you also lose customers. Perhaps they get confused as to where they are now that they have left your site. There could be confusion over whether or not they have to have a PayPal account in order to pay with PayPal. For a variety of reasons, using PayPal as your only payment option is not an ideal situation.

Cart66 lets you use any of over 100 different payment gateways including Authorize.net, Stripe, and even PayPal on a secure payment page that is hosted on the PCI compliant Cart66 Cloud servers. Best of all it looks exactly like your WordPress site because it is using your WordPress theme to design the hosted payment page. When using Cart66 you don’t even have to use an SSL certificate on your own site because your site doesn’t handle any aspect of the payment process.

When using Cart66 Cloud to power your e-commerce, the flow is essentially like this:

  1. Your customers shop entirely on your WordPress site
  2. When it is time to checkout your customer is seamlessly transferred to your secure hosted payment page that looks exactly like your WordPress site. This is where they enter their payment information.
  3. After paying for the order, your customer is seamlessly placed back on your WordPress site to view the order receipt.
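The flow above keeps card data off your site, but it leaves your site with one job: deciding whether the customer who was "placed back" on it actually paid before it shows a receipt. The following is an added, generic illustration of that hand-off and is not Cart66’s own integration, which this page does not describe. It assumes a shared secret agreed out of band with the hosted payment service, a signed return redirect, and a per-order nonce; all names, URLs and the signing scheme are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Assumption: agreed out of band with the hosted payment service (constructed).
SHARED_SECRET = b"constructed-shared-secret-for-demo"
PAY_URL = "https://pay.example.invalid/checkout"      # hypothetical hosted page
RETURN_URL = "https://shop.example.invalid/receipt"   # hypothetical merchant site

# Merchant-side order store. Note that no card data is ever written here.
ORDERS: dict[str, dict] = {}


def _sign(params: dict) -> str:
    """HMAC-SHA256 over the parameters in a fixed (sorted) order."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def start_checkout(order_id: str, amount_cents: int) -> str:
    """Step 2: record the order and build the redirect to the hosted page."""
    nonce = secrets.token_hex(8)   # binds this return to this checkout attempt
    ORDERS[order_id] = {"amount": amount_cents, "nonce": nonce, "paid": False}
    return PAY_URL + "?" + urlencode(
        {"order": order_id, "amount": amount_cents, "nonce": nonce})


def hosted_page_result(order_id: str, amount_cents: int, nonce: str,
                       status: str = "paid") -> str:
    """Simulated hosted payment service: signed redirect back to the site."""
    params = {"order": order_id, "amount": amount_cents,
              "nonce": nonce, "status": status}
    params["sig"] = _sign(params)
    return RETURN_URL + "?" + urlencode(params)


def handle_return(query: str) -> bool:
    """Step 3: verify the return before showing a receipt. True = show it."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    sig = q.pop("sig", "")
    order = ORDERS.get(q.get("order", ""))
    if order is None or order["paid"]:
        return False                      # unknown order or replayed return
    if not hmac.compare_digest(sig, _sign(q)):
        return False                      # tampered or forged parameters
    try:
        amount = int(q.get("amount", ""))
    except ValueError:
        return False
    if (q.get("status") != "paid" or q.get("nonce") != order["nonce"]
            or amount != order["amount"]):
        return False                      # wrong status, nonce or amount
    order["paid"] = True
    return True


if __name__ == "__main__":
    start_checkout("1001", 1999)
    back = hosted_page_result("1001", 1999, ORDERS["1001"]["nonce"])
    print("genuine return accepted:", handle_return(back.split("?", 1)[1]))
    print("replayed return accepted:", handle_return(back.split("?", 1)[1]))
```

The site never sees a card number, so its scope stays minimal; what it does own is the decision to trust the return, which here rests on the signature, the nonce, the amount and a one-time "paid" flag rather than on the customer arriving at the receipt URL.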

Using Cart66 you reduce your PCI compliance scope as much as possible without having to give up your branding and design.