PCI Compliance

We are very serious about security. We work hard to ensure that your zeckoShop ecommerce solution is held to the highest level of security possible.
If you're looking to accept credit cards online, you need to meet certain payment card security standards, known as PCI compliance, to protect your customers' information.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) is a data security standard for organizations that handle credit card and debit card information. The standard was created to increase the controls around credit card data and so reduce the credit card fraud that results from exposure of that data. If you want to sell online and accept payments from Visa, MasterCard, American Express or Discover credit cards, your software and hosting need to be PCI compliant.

There are six categories of PCI standards that must be met in order for a merchant to be deemed compliant:

  • Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

PCI Compliance FAQs

To whom does PCI apply?

PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

If I only accept credit cards over the phone, does PCI still apply to me?

Yes. All businesses that store, process or transmit payment cardholder data must be PCI Compliant.

Do organizations using third-party processors have to be PCI compliant?

Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on the company's risk exposure and consequently reduce the effort needed to validate compliance, but it does not mean the company can ignore PCI.

Are debit card transactions in scope for PCI?

Yes. In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC: American Express, Discover, JCB, MasterCard, and Visa International.

Am I PCI compliant if I have an SSL certificate?

No. SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance, but there are other steps required to achieve PCI Compliance.

What is defined as "cardholder data"?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

What is the definition of "merchant"?

For the purposes of the PCI DSS, a merchant is defined as any entity that accepts payment cards bearing the logos of any of the five members of PCI SSC (American Express, Discover, JCB, MasterCard or Visa) as payment for goods and/or services. Note that a merchant that accepts payment cards as payment for goods and/or services can also be a service provider, if the services sold result in storing, processing, or transmitting cardholder data on behalf of other merchants or service providers.

What constitutes a Service Provider?

Any company that stores, processes, or transmits cardholder data on behalf of another entity is defined to be a Service Provider by the Payment Card Industry (PCI) guidelines.

What constitutes a payment application?

The term payment application has a very broad meaning in PCI. A payment application is anything that stores, processes, or transmits card data electronically. This means that anything from a Point of Sale System (e.g., Verifone swipe terminals, ALOHA terminals, etc.) in a restaurant to a website ecommerce shopping cart (e.g. zeckoShop, etc.) is classified as a payment application. Therefore any piece of software that has been designed to touch credit card data is considered a payment application.

What is a payment gateway?

Payment Gateways connect a merchant to the bank or processor that is acting as the front-end connection to the Card Brands. They are called gateways because they take many inputs from a variety of different applications and route those inputs to the appropriate bank or processor. Gateways communicate with the bank or processor using dial-up connections, Web-based connections or privately held leased lines.

Do I need vulnerability scanning to validate compliance?

If you electronically store cardholder data post-authorization, or if your processing systems have any internet connectivity, a quarterly scan by a PCI SSC Approved Scanning Vendor (ASV) is required.

How often do I have to scan?

Every 90 days (once per quarter) you are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV). ControlScan is a PCI Approved Scanning Vendor.