PCI compliance is required for every eCommerce shop owner that accepts credit cards or debit payments on their website. Not to mention, it’s recommended for those using offsite payment gateways such as PayPal as an added layer of security and a way to build trust amongst consumers.
Anytime a customer purchases something from your eCommerce shop, sensitive personal and financial information is passed from their browser to your website, especially when using their credit or debit card. Protecting this data is not only a smart business move, it’s mandatory.
That’s why today we’re going to look at what it takes to make your eCommerce store PCI-compliant so you can prevent data breaches on your website.
What is PCI Compliance?
Though typically called PCI compliance, the official term is the Payment Card Industry Data Security Standard (PCI DSS). Founded in 2006 by five major credit card companies – Visa, MasterCard, American Express, Discover, and JCB – these standards were designed to apply to any organization that stores, processes, or transmits credit card data.
It was also a way to unify the standards (since all credit companies had their own rules regarding credit card security) to ensure all merchants met minimum levels of security while storing, processing, and transmitting credit card data.
PCI compliance guidelines fall under the following 6 areas:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
As of now, PCI compliance is not required by law in the United States. Though some states, such as Nevada and Washington, have enacted legislation regarding compliance, no federal laws currently enforce PCI compliance.
All major credit card companies require PCI compliance once your business scales to a certain size. And, if you fail to maintain compliance, you face severe monetary penalties. You risk losing business as your customers become aware that you aren’t protecting their data.
PCI Compliance Levels
If you run an eCommerce shop, you’ll need to know which level of PCI compliance you fall under to ensure your online store is fully compliant. This is done by measuring the number of transactions your shop processes with all the major credit card companies.
Here are the four levels of PCI compliance:
- Level 1: Merchants processing over 6 million card transactions per year
- Level 2: Merchants processing 1 to 6 million transactions per year
- Level 3: Merchants handling 20,000 to 1 million transactions per year
- Level 4: Merchants handling fewer than 20,000 transactions per year
The problem is that despite the above standard 4 levels of compliance, all credit card companies (including the five major ones) have their own set of compliance levels, making it hard for business owners to figure out which rules to follow to be compliant.
For your reference, check out the following PCI compliance rules and regulations for the five major credit cards:
Note that Visa, MasterCard, and Discover all follow the same 4-level guidelines, while American Express and JCB have their own levels.
The Importance of PCI Compliance
You may think your small business doesn’t have to worry about PCI compliance or data security.
After all, hackers tend to go after big-name brands, right?
If you follow this line of thinking, you are both right and wrong:
- According to the National Cyber Security Alliance, nearly half of all small businesses have fallen victim to a cyberattack, with 71% of security breaches targeting small businesses. They also noted that, according to Visa Inc., 95% of all reported credit card breaches involve small business owners.
- Verizon’s PCI Compliance Report shows that not only do security incidents seem to grow every year at an alarming rate of 66%, but 4 out of 5 companies fail to maintain the security protocols they have in place due to a lack of testing, regardless of the size of the organization.
- The financial loss from Target’s credit card data breach reached an alarming $162 million, according to TechCrunch, as cited in the Smart Card Alliance white paper on the actual cost of data breaches.
As you can see, data breaches can wreak havoc on small businesses and on large corporations alike (which are expected to have the strongest security measures in place).
Unfortunately, since most newsworthy data breaches are about big-name brands, 82% of small to medium enterprises (SMEs) believe that since big-name brands are the “only” ones being targeted, they have nothing to worry about. They also feel they have nothing worth stealing and thus have no reason to enforce strict security protocols, including PCI compliance.
However, this is far from the truth and something all online shop owners should take seriously.
How to Become PCI Compliant
Securing your eCommerce shop from data breaches and becoming fully compliant with PCI standards can be tricky. Below, we discuss the steps you should take to secure your customers’ data.
- Step 1: As mentioned above, each organization falls under different levels of compliance. Figuring out your shop’s level is the first step in becoming PCI compliant.
- Step 2: Build and maintain a secure network by enlisting an IT professional’s help to install firewalls, keep them up to date, and change passwords throughout the organization.
- Step 3: Protect cardholder data by maintaining secure records of all transactions. If you save cardholder information in your system, ensure it’s encrypted and protected by firewalls.
- Step 4: Maintain a vulnerability management program by installing appropriate anti-virus software. In addition, policies should be put in place that prohibit the installation of unapproved software.
- Step 5: Implement strong access control measures by creating user permission rules and securing physical records from those not permitted access.
- Step 6: Regularly monitor and test networks by scanning, testing, and tracking the data flow through your system to ensure it’s secure. Test it during periods of low activity and in real-time to ensure everything runs as expected. Keep logs of all test results to monitor your organization’s success.
- Step 7: Develop an Information Security Policy showing your company’s steps to maintain PCI compliance.
For a more detailed look at the steps to becoming PCI compliant, check out the PCI DSS Self-Assessment Questionnaire (SAQ).
A Little About GDPR Compliance
If you run an eCommerce shop, no matter the size, you’ve likely heard that on May 25, 2018, Europe’s General Data Protection Regulation (GDPR) will come into effect.
However, remember that the new GDPR compliance rules don’t apply only to those making purchases. They apply to any website collecting personal information from EU citizens, making this a worldwide issue.
This new set of regulations is designed to give people more control over their data and create a more level playing field for businesses of all sizes. This new set of rules is being implemented because only 15% of people feel they have complete control over the information they provide online.
This alarming statistic shows a lot of distrust amongst users regarding how websites collect, store, and use their personal and financial information.
According to the GDPR for WordPress sites, GDPR says that any website collecting, storing, or using any data related to European citizens must comply with the following:
- Tell the user who you are, why you’re collecting data, for how long you’ll store it, and who will receive it
- Receive clear consent from the user before collecting any data
- Allow users to access their data at any time and take it with them if they want
- Allow users to delete their data at any time
- Inform all users if a data breach occurs
In addition, you must follow specific rules if you engage in any profiling in connection with legally binding agreements, you must give people the right to opt out of direct marketing that uses their data, and you must apply extra safeguards if you collect information regarding health, race, sexual orientation, religion, or political beliefs.
Please keep in mind that we are in no way experts when it comes to GDPR compliance. This new and complex concept has yet to be enforced, and truthfully, there is a lot of conflicting information regarding the actual regulations.
If you are looking for information regarding GDPR compliance, check out these helpful resources:
- CodeinWP’s Complete WordPress GDPR Guide
- Willows Consulting’s GDPR for eCommerce
- WP GDPR Compliance plugin for WordPress
- EUGDPR.org
- PCMag’s GDPR: What Americans Need to Know
- CSO’s 6 Steps for GDPR Compliance
And if you are unsure whether your website is PCI- or GDPR-compliant, it’s important to consult legal professionals to avoid hefty monetary penalties.
And there you have it! Everything you need to know about protecting your customers’ data while selling to them through your eCommerce shop. If you need help securing your website’s data, get in touch with us and see how we can help.
We take data security seriously and have the right resources in place to help you assure your customers that protecting their personal and financial information is something you take seriously.