How to Make Sure Your E-commerce Website Is PCI Compliant
As Director of Sales at CodeClouds, I know that getting your head around PCI compliance is important for your business. Here, we’re going to focus on what you can do to make sure your e-commerce website is PCI compliant—and how a web development company like CodeClouds can help you.
What is PCI?
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is an industry standard for merchants and service providers that store, process or transmit credit card data. It was created and is maintained by the major card brands through the PCI Security Standards Council to keep card transactions safe from data theft (and to protect the card brands and issuers from the fraud and losses that follow a breach).
Why Do You Have To Be PCI Compliant?
PCI compliance is essential for any business that handles credit card transactions, including e-commerce sites. Being compliant helps with:
- Fostering trust in your customers, acquirers and payment brands
- Improving your security in general
- Helping you to be compliant with other standards
- Avoiding lawsuits
- Avoiding fines from card companies
All of these are pretty compelling reasons to make sure your business is PCI compliant. Let’s look at what you need to do to be PCI compliant:
PCI Compliance Reporting Levels And Assessment
How your compliance is assessed depends on your merchant level, which each card brand sets by the number of card transactions you process per year (and by which channel, with e-commerce transactions counted separately). Level 1 is the highest-volume tier and requires an annual on-site assessment by a Qualified Security Assessor (QSA) that produces a Report on Compliance; merchants at Levels 2 to 4 validate with an annual Self-Assessment Questionnaire (SAQ).
Meeting PCI compliance at the lower levels is relatively easy: instead of an audit you complete the SAQ and, if you have internet-facing systems in scope, pass a quarterly external vulnerability scan by an Approved Scanning Vendor (ASV) such as HackerGuardian.
Note that the level itself does not forbid storing card data; what matters is scope. A merchant that stores, processes or transmits cardholder data on its own systems has to meet the full set of requirements whatever its level. That is why most smaller e-commerce businesses hand the payment step to a third-party processor such as Stripe or Square (which are themselves validated as Level 1 service providers), so that card data never touches their servers and they qualify for the shortest questionnaire. The trade-off is processor fees, which is why some companies that would not otherwise need to decide to bring payments in-house and go through a full Level 1-style assessment.
What Are The 12 PCI requirements?
Before you are assessed, the first step is to meet the 12 PCI DSS requirements. Every in-scope merchant has to meet all of them, but how much work each one involves depends on how much cardholder data your own systems touch:
1. Installing and Maintaining a Firewall
Firewalls are the basic line of defence for keeping unauthorized traffic away from the systems that hold or handle card data. PCI requires a firewall configuration that permits only the connections the cardholder data environment needs, with the rules documented and reviewed, so a working, maintained firewall is a prerequisite for compliance.
2. Changing Default Passwords
Many third-party products (routers, databases, shop platforms, admin panels) ship with default passwords and settings that anyone on the internet can look up. PCI requires these to be changed before the system goes live, and the requirement covers other vendor defaults too, such as sample accounts and unneeded services, not just passwords.
3. Protecting Stored Cardholder Data
If your business stores cardholder data, the stored primary account number (PAN) has to be rendered unreadable, and strong encryption is the usual way to do it. The encryption is layered: the cardholder data is encrypted with a data-encryption key, and that key is itself encrypted with a separate key-encryption key that is stored apart from the data, with documented key management (who holds keys, how they are rotated). Sensitive authentication data such as the CVV/CVC and full magnetic-stripe contents may never be stored after authorization, encrypted or not. It is also essential to scan regularly for unencrypted card numbers in databases, logs and backups, because a PAN that leaks into a log file is as much a breach as one lifted from the database.
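As an added illustration (this is example code written for this article, not code from the original page or from CodeClouds), the Go program below shows the two-layer scheme in working form: a per-record data-encryption key (DEK) protects the PAN, a key-encryption key (KEK) held outside the database wraps the DEK, and a Luhn-based scanner finds card numbers that have leaked into plaintext. The names (Record, EncryptPAN, DecryptPAN, FindPlaintextPANs), the assumption that the KEK comes from a KMS or HSM, and the test PANs are all assumptions for the example; the DEK/KEK split is the generic envelope-encryption pattern, not any particular library's API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
	"regexp"
)

// Record is what the database stores. The KEK is assumed to live elsewhere (KMS/HSM/key server).
type Record struct{ WrappedDEK, Ciphertext []byte } // DEK wrapped under KEK; PAN under DEK; nonces prepended

// gcmFor builds an AES-GCM AEAD for a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prepends the random 96-bit nonce so open can recover it.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag makes it fail on a wrong key or any tampering.
func open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// EncryptPAN draws a fresh 256-bit DEK for this record, encrypts the PAN under it, then wraps
// the DEK under the KEK. Rotating the KEK means re-wrapping small DEKs, not re-encrypting PANs.
func EncryptPAN(kek []byte, pan string) (rec Record, err error) {
	dek := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, dek); err != nil {
		return
	}
	if rec.Ciphertext, err = seal(dek, []byte(pan)); err != nil {
		return
	}
	rec.WrappedDEK, err = seal(kek, dek)
	return
}

// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN with the DEK.
func DecryptPAN(kek []byte, rec Record) (string, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(dek, rec.Ciphertext)
	return string(pan), err
}

// luhnValid is the check-digit test real card numbers pass; it separates a PAN from an order number.
func luhnValid(s string) bool {
	sum := 0
	for i := 0; i < len(s); i++ {
		d := int(s[len(s)-1-i] - '0') // i counts from the rightmost digit
		if i%2 == 1 {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

var candidatePAN = regexp.MustCompile(`\b[0-9]{13,19}\b`)

// FindPlaintextPANs is the "scan for unencrypted data" half: run it over logs, dumps and backups.
func FindPlaintextPANs(text string) (found []string) {
	for _, m := range candidatePAN.FindAllString(text, -1) {
		if luhnValid(m) {
			found = append(found, m)
		}
	}
	return
}
```

A few design points worth noting: AES-GCM is only safe while nonces never repeat under one key, which is why each record gets its own DEK and the KEK only ever encrypts short DEKs; the KEK must be fetched from a key service at runtime and must not sit in the same database or config file as the wrapped DEKs; and the scanner will produce some false positives (any 13 to 19 digit run that happens to pass Luhn), so treat hits as leads to check rather than confirmed leaks. Truncation or tokenization through your processor is the simpler alternative wherever you do not actually need the PAN back.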
4. Encrypting Transmissions of Cardholder Data
Cardholder data sent over open, public networks (the customer's browser to your site, your site to the payment processor, any link across the internet) must be encrypted with strong cryptography, which in practice means TLS 1.2 or later with the server certificate validated, and it must never be sent unprotected by e-mail, chat or SMS.
5. Installing and Maintaining Antivirus and Anti-Malware Software
This is something you should do anyway, and it is a PCI requirement too. Anti-malware software has to protect every system commonly affected by malware (workstations and servers alike), be kept current with definition and engine updates, run periodic scans and produce logs, and staff must not be able to disable it.
6. Creating and Maintaining Secure Systems and Applications
Systems and applications used by a PCI-compliant business have to be kept patched and developed securely. Vendor security patches have to be installed promptly, critical ones within a month of release, while in-house code (your website included) needs to be written to avoid common web vulnerabilities such as injection and cross-site scripting, reviewed before release, and developed and tested in environments separate from production.
7. Restricting Cardholder Data
Access to cardholder data should be restricted to the people whose job requires it, on a need-to-know, least-privilege basis (i.e. not your whole business), and the access granted to each role should be documented and periodically reviewed.
8. Maintaining Unique IDs and Authentication Systems
Everyone who can access cardholder data or the systems around it needs their own unique user ID and credentials; shared or generic accounts are not allowed. This limits the damage from one stolen password, lets you enforce strong authentication (multi-factor authentication is required for administrative and remote access to the cardholder data environment), and means each action in the logs can be tied to a person when you investigate a breach.
9. Restricting Physical Access to Cardholder Data
Places where cardholder data can be accessed (server rooms, offices with terminals, storage for paper records and backup media) need to be physically secured, with entry restricted to authorized personnel, visitors identified and logged, and media tracked and securely destroyed when no longer needed.
10. Monitoring All Access to Cardholder Data
All access to cardholder data and to the systems that hold it needs to be logged: who accessed what, when, from where and whether it succeeded, along with administrative actions and changes to the logs themselves. Logs must be protected from tampering, reviewed regularly and retained (PCI asks for at least one year, with three months immediately available) so that a breach can be reconstructed.
11. Regular Testing of Systems and Processes
Security systems and processes, including your website, have to be tested regularly to confirm they still meet the standard: vulnerability scans at least quarterly and after significant changes (internal scans plus ASV scans of external systems), penetration testing at least annually, and intrusion detection and file-integrity monitoring on critical systems. Vulnerabilities that turn up need to be fixed quickly, with high-risk findings resolved and re-scanned until the scan passes.
12. Having a Strong Security Policy
You need a written information security policy that employees can refer to and that demonstrates compliance to assessors. All of the controls described above need to be documented, reviewed at least annually, communicated to staff through security awareness training, and backed by a risk assessment and an incident response plan.
How To Stay PCI Compliant
If your website fails its PCI scan or assessment, you need to fix the findings and re-validate before you are compliant. The same applies when your business grows and moves up a level, or when you change how payments are handled. That often means bringing in a developer to improve the security of your website so that it meets the requirements.
In conclusion, making your website PCI compliant is achievable if you follow good security practice: firewalls, patching, strong authentication, and keeping card data off your own systems wherever you can. PCI compliance may seem complicated, but once the controls are in place, staying compliant is mostly a matter of keeping them running, re-scanning every quarter and re-validating every year. If you are looking for developers with experience in PCI compliance, I can recommend CodeClouds as a great place to get your PCI security work done.