Learn some tricks to getting your ecommerce business PCI compliant. 

By Mike Misasi
When it comes to payments, data security means one thing—PCI Compliance. If you’re running an ecommerce business, you probably already know that the card networks require all merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS).

SEE ALSO: PCI DSS 3.2 Changes: What Your Business Needs to Know

Compliance with these standards can be a cumbersome process, requiring a significant investment of internal resources and possibly an external audit. The crux of the issue is that merchants must demonstrate every device and system that interacts with cardholder data is PCI DSS compliant. Fortunately, the solution lies in the problem itself—removing card data from the IT environment reduces the scope of compliance.


When integrating with a payment processor, ecommerce merchants have a few options to consider regarding how cardholder data will be stored and who will be responsible for protecting it.

Client-side encryption (CSE) 

With CSE, cardholder data is encrypted in the browser before it is ever sent to the merchant’s servers. Only the payment processor is able to decrypt the data so this solution eliminates the compliance requirements that relate to storage and transmission of unencrypted card data. Merchants that use CSE must fill out a 139-question compliance questionnaire (SAQ A-EP) and conduct internal and external network scans.

Compliance can be reduced further though. To minimize the compliance requirement, merchants should not even host any payments fields on their checkout pages. Merchants have two options – hosted checkout pages and hosted fields. When using either of these hosted solutions, merchants need only compete a 14-question compliance questionnaire (SAQ A) and no network scanning is required.

Hosted checkout pages

With hosted checkout pages, the payment processor hosts the entire checkout page on their servers, completely shielding the merchant from any cardholder data. In addition to solving for PCI compliance, some providers have checkout pages that offer other valuable tools such as out-of-the-box support for alternative payment types, multi-currency processing, and localized language support.

Merchants that choose a hosted checkout page reduce compliance and development work, but sacrifice some control over the checkout flow. If complete control over checkout is a requirement, merchants should implement hosted fields.

Hosted fields

These fields offer the compliance benefits of hosted checkout pages while allowing for checkout page customization as with client-side encryption. With this approach, the merchants build their own checkout page. However the payment fields (card number, CVV, expiration date) are rendered as iFrames that are hosted by the payment processor.

Secure your data

Accepting credit cards is not without risk.
Data breaches can result in fines, damaged reputation, lost sales and possibly even criminal liability.
Therefore, it often makes sense for merchants to have their payment provider manage all cardholder data on their behalf. CSE, and especially hosted solutions, reduce compliance-related expenses and exposure to hackers looking for financial data.

SEE ALSO: The Importance of the PCI DSS: Why You Should Get Compliant

About BlueSnap
BlueSnap is a global payments technology company that optimizes global, mobile checkout and drives higher payment conversions by as much as 40 percent for ecommerce merchants worldwide. Their Powered Buy Platform fuels the growth for businesses eager to serve the global consumer and take advantage of the incremental sales opportunities that they represent. Learn how BlueSnap is fulfilling its promise to eliminate friction and convert more shoppers to buyers worldwide at home.bluesnap.com.