PCI compliance is required for every eCommerce shop owner who accepts credit or debit card payments on their website. Not to mention, it’s recommended for those using offsite payment gateways such as PayPal as an added layer of security and a way to build trust amongst consumers.
Anytime a customer purchases something from your eCommerce shop, sensitive personal and financial information is passed from their browser to your website, especially when using their credit or debit card. Protecting this data is not only a smart business move, it’s mandatory.
That’s why today we’re going to take a look at what it takes to make your eCommerce store PCI compliant so you can prevent data breaches on your website.
What is PCI Compliance?
Though typically called PCI compliance, the official term is Payment Card Industry Data Security Standard (PCI DSS). Founded in 2006 by five major credit card companies – Visa, MasterCard, American Express, Discover, and JCB – this set of standards was designed to apply to any organization that stores, processes, or transmits credit card data.
It was also a way to unify the standards (since all credit companies had their own rules when it came to credit card security) to ensure all merchants met minimum levels of security while storing, processing, and transmitting credit card data.
PCI compliance guidelines fall under the following six areas:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
As of now, PCI compliance is not required by federal law in the United States. Though some states, such as Nevada and Washington, have enacted their own legislation regarding compliance, there are currently no federal laws enforcing PCI compliance.
That said, all major credit card companies do require PCI compliance once your business scales to a certain size. And, if you fail to maintain compliance, you face severe monetary penalties. Not to mention, you risk losing business as your customers become aware that you aren’t protecting their data.
PCI Compliance Levels
If you run an eCommerce shop, you’ll need to know which level of PCI compliance you fall under to make sure your online store is fully compliant. This is done by measuring the number of transactions your shop processes with all the major credit card companies.
Here are the four levels of PCI compliance:
- Level 1: Merchants processing over 6 million card transactions per year
- Level 2: Merchants processing 1 to 6 million transactions per year
- Level 3: Merchants handling 20,000 to 1 million transactions per year
- Level 4: Merchants handling fewer than 20,000 transactions per year
The problem is, despite the above standard 4 levels of compliance, all credit card companies (including the five major ones) have their own set of compliance levels, making it hard for business owners to figure out which rules to follow in order to be compliant.
For your reference, check out the following PCI compliance rules and regulations for the five major credit cards:
Note that Visa, MasterCard, and Discover all follow the same 4 level guidelines, while American Express and JCB have their own levels.
The Importance of PCI Compliance
You may be thinking to yourself that your small business doesn’t have to worry about PCI compliance or data security.
After all, hackers tend to go after big-name brands, right?
If you follow this line of thinking, you are both right and wrong:
- According to the National Cyber Security Alliance, nearly half of all small businesses have fallen victim to a cyberattack, with 71% of security breaches targeting small businesses. Adding to that, they revealed that Visa Inc. reported that 95% of all credit card breaches reported are from small business owners.
- Verizon’s PCI Compliance Report shows that not only do security incidents seem to grow every year at an alarming rate of 66%, four out of five companies fail to maintain the security protocols they have in place due to lack of testing, regardless of the size of the organization.
- The financial loss experienced by Target’s credit card data breach reached an alarming $162 million, according to TechCrunch in the Smart Card Alliance white paper about the true cost of data breaches.
As you can see, data breaches can wreak havoc on both small businesses and large corporations (which are expected to have the highest security measures in place).
Unfortunately, since most newsworthy data breaches are about big name brands, 82% of small to medium enterprises (SMEs) believe that since big name brands are the “only” ones being targeted, they have nothing to worry about. Adding to that, they feel that they have nothing worth stealing, and thus have no reason to enforce strict security protocols, including PCI compliance.
However, this is far from the truth and something all online shop owners should take seriously starting right now.
How to Become PCI Compliant
Securing your eCommerce shop from data breaches, and becoming fully compliant with PCI standards can be a tricky situation. However, we are going to break down the major steps you should take to secure your customers’ data.
- Step 1: As mentioned above, there are levels of compliance that each organization falls under. Figuring out your shop’s level is the first step in becoming PCI compliant.
- Step 2: Build and maintain a secure network by enlisting the help of an IT professional to install operational, up-to-date firewalls and to change passwords throughout the organization.
- Step 3: Protect cardholder data by maintaining secure records of all transactions. If you save cardholder information in your system, ensure it’s encrypted and protected by firewalls.
- Step 4: Maintain a vulnerability management program by installing appropriate anti-virus software. In addition, put policies in place that prohibit the installation of unapproved software.
- Step 5: Implement strong access control measures by creating user permission rules and securing physical records from those not permitted to access them.
- Step 6: Regularly monitor and test networks by routinely scanning, testing, and tracking the flow of data through your system to ensure it’s secure. Test it during periods of low activity and in real time to make sure everything runs the way it should. Keep logs of all test results so you can monitor your organization’s success.
- Step 7: Develop an information security policy showing what steps your company has taken to maintain PCI compliance.
For a more detailed look at the steps to becoming PCI compliant, be sure to check out the PCI DSS Self-Assessment Questionnaire (SAQ).
A Little About GDPR Compliance
If you run an eCommerce shop, no matter the size, it’s likely you’ve heard that come May 25, 2018, Europe’s General Data Protection Regulation (GDPR) will come into effect.
But keep in mind, the new GDPR compliance rules don’t only apply to those making purchases. Instead, they apply to any website collecting any personal information from EU citizens, making this a worldwide issue.
This new set of regulations is designed to give people more control over their own personal data and create a more level playing field for businesses of all sizes. In fact, this new set of rules is being put into place because only 15% of people feel they have complete control over the information they provide online.
This alarming statistic shows that there is a lot of distrust amongst users when it comes to how websites collect, store, and use their personal and financial information.
According to the GDPR for WordPress site, GDPR says that any website collecting, storing, or using any data related to European citizens must comply with the following:
- Tell the user who you are, why you’re collecting data, for how long you’ll store it, and who will receive it
- Receive a clear consent from the user, before collecting any data
- Allow users to access their data at any time and take it with them if they want
- Allow users to delete their data at any time
- Inform all users if a data breach occurs
In addition, you must follow certain rules if you participate in any type of profiling when it comes to legally binding agreements, you must give people the right to opt out of direct marketing that uses their data, and you must implement extra safeguards if you collect sensitive information regarding health, race, sexual orientation, religion, or political beliefs.
Please keep in mind that we are in no way experts when it comes to GDPR compliance. This is a new and complex concept that has yet to be enforced, and truthfully there is a lot of conflicting information out there regarding the actual regulations.
If you are looking for information regarding GDPR compliance, check out these helpful resources:
- CodeinWP’s Complete WordPress GDPR Guide
- Willows Consulting’s GDPR for eCommerce
- WP GDPR Compliance plugin for WordPress
- PCMag’s GDPR: What Americans Need to Know
- CSO’s 6 Steps for GDPR Compliance
And if you are ever not sure about whether your website is either PCI or GDPR compliant, it’s important to consult legal professionals to avoid hefty monetary penalties.
And there you have it! Everything you need to know about protecting your customers’ data while selling to them through your eCommerce shop. If you find yourself needing help with securing your website’s data, get in touch with us and see how we can help.
We take data security seriously and have the right resources in place to help you assure your customers that protecting their personal and financial information is something you take seriously.