For entrepreneurs delving into eCommerce, the regulatory challenges that must be overcome to take card payments can be quite daunting. For serious business owners that would like to avoid fees charged by third-party processors like PayPal, PCI compliance is a must.
Not being PCI-compliant puts your eCommerce business at risk of hefty fines by the payments industry regulators. Moreover, your brand may be eroded when customers realize your business did not securely handle their private information.
The Payment Card Industry Data Security Standard (PCI DSS) regulates online card payments. Any website that takes credit cards directly is required to be PCI-compliant. The PCI standard comprises 12 requirements, grouped as follows:
1. Build and Maintain a Secure Network
- Install and maintain a firewall
- Change the default passwords supplied by vendors for systems and security parameters
2. Protect Your Users’ Credit Card Data
- All users’ card data should be securely stored
- Cardholder data transmitted across public networks should be encrypted
3. Have an Ongoing Vulnerability Management Program
- All systems should be protected against malware using up-to-date antivirus programs
- All systems and applications developed should be secure and regularly maintained
4. Strong Data Access Measures
- Cardholder data should be restricted to authorized employees of your business
- Implement a way to identify and authenticate parties that access your systems
- Restrict physical access to cardholder data
5. Ensure Network Integrity
- Track and monitor access to all cardholder data and network resources
- Test network security regularly to ensure its integrity
6. Information Security Policy
- Put in place an information security policy
Plan Ahead for PCI Compliance
One of the easiest ways of simplifying PCI compliance is eliminating the need for holding your customers’ credit card data in-house. For example, you can use a third-party payment processor such as Stripe or PayPal, which will take care of storing the data securely.
If you also operate offline, you can use a POS (point-of-sale) processor or a card reader that does not store any cardholder data. However, it is critical to remember that you are responsible for the security of your customers’ data.
Whether you choose to process credit cards directly on your website or through a third-party payment gateway, find out whether you are compliant. For example, even if you decide to accept credit card payments using PayPal, your store should be secure while customers are entering their details. Therefore, the website should use Secure Sockets Layer (SSL) encryption, and your web server must be compliant.
Contact the payment processor you wish to use to find out whether customer data can be securely stored on their systems, especially if you will need the information for future payments, e.g., recurring billing.
Reducing Security Risk
You can significantly reduce your website's and customers' security risk by completely outsourcing your payment page to a processor like Stripe. In that case, the remaining risk is that an attacker compromises your website and replaces the link to the payment page with one pointing to a fake, insecure page from which customers' credit card data can be exposed.
To reduce such a risk, ensure you are hosting your website on a secure server. Apart from this, the store should be coded with built-in security features.
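One way to detect the tampering described above is to scan your own checkout page and flag any form or link that does not hand off over HTTPS to the processor you actually use. The script below is an added example, not code from the original article; the allowlist of processor hosts and the sample checkout HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: the only hosts the checkout should hand card entry to.
ALLOWED_PAYMENT_HOSTS = {"checkout.stripe.com", "www.paypal.com"}


class CheckoutLinkScanner(HTMLParser):
    """Collects every form action and anchor href found on a page."""
    def __init__(self):
        super().__init__()
        self.targets = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))
        elif tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))


def find_suspicious_payment_targets(html, allowed_hosts=ALLOWED_PAYMENT_HOSTS):
    """Return (tag, url, reason) for each off-site target that is not an HTTPS
    link to an allowlisted processor; relative links stay on our host and pass."""
    scanner = CheckoutLinkScanner()
    scanner.feed(html)
    findings = []
    for tag, url in scanner.targets:
        parsed = urlparse(url)
        if not parsed.netloc:  # relative link: served by our own server
            continue
        if parsed.scheme != "https":
            findings.append((tag, url, "not https"))
        elif parsed.hostname not in allowed_hosts:
            findings.append((tag, url, f"unexpected host {parsed.hostname}"))
    return findings


# Constructed sample page: one legitimate handoff, one look-alike host swapped
# in, one form posting card data in the clear, and one harmless relative link.
SAMPLE_CHECKOUT_HTML = """<html><body>
<a href="https://checkout.stripe.com/pay/cs_test_123">Pay with card</a>
<a href="https://checkout-stripe.example.net/pay">Pay now</a>
<form action="http://www.paypal.com/checkout" method="post">
  <input name="card_number"></form>
<a href="/cart">Back to cart</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, reason in find_suspicious_payment_targets(SAMPLE_CHECKOUT_HTML):
        print(f"[{tag}] {url}: {reason}")
```

Run it on a regular schedule against the live checkout page and alert on any finding, since a clean result one day says nothing about the next.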
Below are four critical things you can do to ensure your store is PCI compliant:
1. Choose a Secure Web Host
Having a robust host is the primary step to making your website secure. For eCommerce stores, it is critical to ensure the web hosting service and shopping cart applications you use are PCI compliant. The PCI council website has a list of validated payment applications.
You can also check eCommerce forums to find out what other entrepreneurs are using. Generally, you should stay away from cheap shared hosting. These web hosting servers are usually stretched since resources are shared among many customers.
An ideal option would be to host your website on a dedicated server.
2. Choose a DSS-Compliant Shopping Cart
There are dozens of shopping carts to choose from, and it can be confusing to know which one will be suitable for your eCommerce store.
When evaluating various shopping carts, you should be thinking of both your customers’ and store’s security. Therefore, the ideal shopping cart to choose would be one that is PA DSS (Payment Application Data Security Standard) compliant. This compliance means that the cart software has been tested for integrity and security to ensure it transmits encrypted data securely.
3. Employees and PCI DSS
To keep cardholders' data safe, it is important for your staff to understand how vital the security of your eCommerce site is. Staff members that handle cardholder data should be vetted and trained to ensure they follow compliance guidelines.
In particular, the staff should:
- Be aware of the processes to follow to protect private customer data
- Set up secure passwords for all user accounts
- Not store customer data on paper or any unauthorized computers
All infrastructure that handles any aspect of user cardholder data should also be carefully selected and maintained regularly to ensure its integrity. Moreover, all computers, services, and devices in your business network should:
- Be protected from unauthorized access into the network using a firewall
- Run antivirus software that is kept up to date, with patches applied regularly
- Have secure passwords and robust encryption
If your employees use their own devices at work, it’s critical to have a robust BYOD policy that stipulates what kind of data can be accessed and what is required of them. The PCI council offers a number of awareness training courses you should check out.
PCI DSS Levels
Consider the level of compliance your store will require. There are four different compliance levels, which depend on the number of card transactions processed annually.
- Level 1: If your website processes more than 5 million card transactions annually, you will need Level 1 security compliance. The compliance requires an annual onsite security assessment and a quarterly network vulnerability scan.
- Level 2: Stores that process between 1 and 6 million card transactions annually require Level 2 compliance. An onsite security assessment is optional; a yearly self-assessment questionnaire and a quarterly network vulnerability scan are required.
- Level 3: Merchants processing 20,000 to 1 million card transactions annually need Level 3 compliance. This involves submitting a self-assessment questionnaire every year and scanning the network for vulnerabilities every quarter.
- Level 4: This is the lowest compliance level and is required for merchants processing fewer than 20,000 transactions annually. Just like merchants in the Level 3 category, Level 4 merchants need to submit a self-assessment questionnaire annually and scan their networks for vulnerabilities every quarter.
Compliance is an Ongoing Process
Making your eCommerce website PCI compliant is just the beginning. You have to carry out regular audits to ensure the integrity of your network and infrastructure. Regular checks should be done to avoid fines and costly audits.
To remain compliant, you should always assess, remediate, and report.
- Assess. Carry out an audit of the IT infrastructure and assets that your business uses for card processing. Regular vulnerability testing should be carried out to ensure the infrastructure is up to date and has no flaws that can expose customers' data to third parties.
- Remediate. Ideally, you should not store any customer card data unless it is absolutely necessary. For small eCommerce stores, it is easier to be PCI compliant by letting a third-party payment processor store the customer data. Also, check your infrastructure regularly for any known exploits and implement remediation measures where necessary.
- Report. You need to provide regular compliance reports to the card brands that you work with. The type of report you will need to provide depends on your business's compliance level, as discussed above.
Achieving and maintaining PCI DSS compliance can be quite costly as well as time-consuming for merchants. When your website is PCI compliant, consumers will be more confident entering their credit card data when purchasing whatever you are offering.
Customers also trust that you will store, transmit, and process their data in a secure way during and after the transaction. The PCI DSS compliance program is a critical component of the eCommerce industry as it contributes to the security of users transacting online.
A lot of planning and groundwork needs to be done when you want to start accepting credit cards in your business, more so if you will be storing the data in-house. For most businesses, working with a third-party payment provider makes more sense than going through the hassle of setting up the infrastructure required for total PCI compliance.
Failing to protect the customer data on your website adequately can be costly to your business brand and bottom line.
Need help keeping your business compliant? There are a number of software solutions, such as ZenGRC by Reciprocity, that help with PCI compliance. This is a great way to save your business valuable time and money.
Ken Lynch is an enterprise software startup veteran, who has always been fascinated about what drives workers to work and how to make work more engaging. Ken founded Reciprocity to pursue just that. He has propelled Reciprocity's success with this mission-based goal of engaging employees with the governance, risk, and compliance goals of their company in order to create more socially minded corporate citizens. Ken earned his BS in Computer Science and Electrical Engineering from MIT.