As Director of Sales at CodeClouds, I know that getting your head around PCI compliance is important for your business. Here, we’re going to focus on what you can do to make sure your e-commerce website is PCI compliant—and how a web development company like CodeClouds can help you.
The Payment Card Industry Data Security Standard (PCI DSS, or PCI for short) is an industry standard for merchants who process credit card transactions. The PCI standards were created and agreed upon by the major credit card companies (under the PCI Security Standards Council) to ensure that all credit card transactions are secure and safe from data theft (and to protect card issuers from the problems such theft causes).
PCI compliance is completely essential for any business dealing with credit card transactions, including eCommerce sites. PCI compliance can help you with:
All of these are pretty compelling reasons to make sure your business is PCI compliant. Let’s look at what you need to do to be PCI compliant:
How your PCI compliance is assessed depends on your PCI compliance reporting level, which in turn depends on how many card transactions you process yearly (and by what methods):
However, Level 2-4 businesses face restrictions such as not being allowed to store card information, which means they have to use a third-party processor such as Stripe or Square (which are themselves Level 1 certified). As a result, some companies that would not otherwise need Level 1 certification decide to obtain it so that they can avoid third-party processor fees.
Before you are assessed, though, the first step to PCI compliance is meeting the 12 PCI requirements; how relevant each one is to you depends on your reporting level:
Firewalls are a basic line of defense against malware and unauthorized intrusions into your website, so a functioning, correctly configured firewall is required for PCI compliance.
Many third-party products ship with default passwords that anyone on the internet can look up. These need to be changed before the product goes live in order to be PCI compliant.
If your business stores cardholder data (which only applies to Level 1 certified businesses), then PCI compliance requires you to encrypt that data twice. This means encrypting the cardholder data with one key and then encrypting that key with a second, separately held key. It is also essential to scan your systems regularly for cardholder data that has been stored unencrypted.
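The two-layer scheme this requirement describes, as an added example in Go (not code from the original post or from CodeClouds): a random data-encrypting key (DEK) encrypts the card number with AES-256-GCM, and a key-encrypting key (KEK) wraps that DEK, so only ciphertext and a wrapped key are ever stored together. The function names are assumptions, and the KEK passed in here stands in for one held by a key-management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a programming error, not user input
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}
// seal encrypts plaintext, prepending a fresh random nonce to the output.
func seal(g cipher.AEAD, plaintext []byte) []byte {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check rejects tampered or wrong-key data.
func open(g cipher.AEAD, blob []byte) ([]byte, error) {
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// EncryptPAN applies both layers: a fresh data-encrypting key (DEK) encrypts the
// PAN, then the key-encrypting key (KEK) wraps the DEK; the KEK is never stored.
func EncryptPAN(kek []byte, pan string) (encryptedPAN, wrappedDEK []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(gcm(dek), []byte(pan)), seal(gcm(kek), dek)
}
// DecryptPAN unwraps the DEK with the KEK, then decrypts the PAN with the DEK.
func DecryptPAN(kek, encryptedPAN, wrappedDEK []byte) (string, error) {
	dek, err := open(gcm(kek), wrappedDEK)
	if err != nil {
		return "", err
	}
	pan, err := open(gcm(dek), encryptedPAN)
	return string(pan), err
}
```

Because each record gets its own DEK, rotating the KEK means re-wrapping the small DEK blobs rather than re-encrypting every stored card number.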
Transmissions of cardholder data across open, public networks and to payment processors also need to be encrypted to meet PCI compliance standards.
This is something you should do anyway, and it is also a PCI requirement: anti-virus or anti-malware software needs to protect all of your hardware and software, and it needs to be updated regularly.
Systems and programs used by a PCI compliant business need to be secure and free from vulnerabilities that would give attackers access. Security updates should always be installed immediately.
Access to cardholder data should be restricted strictly to those who need it (i.e. not your whole business), and everyone with access should be properly documented.
Employees who can access cardholder data need their own unique IDs and passwords. This makes the system less vulnerable and lets you trace a data breach back to the account involved.
Places where cardholder data can be accessed need to be physically secure, with access restricted to authorized personnel.
All access to cardholder data needs to be monitored. This includes logging when cardholder data is accessed and documenting who has access to it.
Security systems and processes, including those on your website, must be tested regularly to ensure that they are still PCI compliant. Vulnerabilities need to be discovered and dealt with quickly to prevent breaches.
You need a written security policy, both as a reference for employees and as proof of PCI compliance. All of the security policies and measures described above need to be documented in it.
If your website fails its PCI scan or audit, you need to make changes until you are compliant. The same applies if your business is growing and you need to move up a PCI compliance level. This often means hiring a developer to improve your website's security until it meets the standard.
In conclusion, it's not impossible to make sure your website is PCI compliant if you follow good security practices such as using firewalls and secure passwords. Remember, PCI compliance may seem complicated, but once you're compliant, it's easy to stay that way. If you are looking for developers with experience in PCI compliance, I can recommend CodeClouds as a great place to get your PCI security work done.
Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: win@chargebackgurus.com