PCI Compliance Checklist for Your Ecommerce Store

Did you know that ecommerce payment fraud led to a loss of $17.5 billion globally in 2020?

Different payment methods incur different amounts of financial losses including wire transfer, card-not-present (CNP), and credit card transactions.

Image Source

The heavy amount of ecommerce payment fraud losses makes you think of how important it is to put effective security measures in place. That’s when PCI compliance comes into the picture.

Learn about PCI compliance goals, requirements, best practices, and tactical methods to combat threats against online stores.

What is PCI Compliance?

The Payment Card Industry Data Security Standard (PCI DSS) was first developed in 2006 by the PCI Security Standards Council.

Major credit card companies including Visa, Mastercard, Discover, and American Express formed the PCI council to define security standards to protect cardholder data and other sensitive customer data.

Ecommerce websites of all sizes need to fulfill PCI DSS requirements to prevent data breaches from affecting banks and customers alike.

If you accept payments via credit cards, Stripe, PayPal, and other payment processors, you are expected to ensure PCI compliance.

Why is PCI Compliance Important for Ecommerce?

PCI compliance protects cardholder data, which includes:

• Customer’s name
• Full primary account number
• The expiration date of the card
• The card’s 3-4 digit security code, also known as CVV (card verification value)
• Sensitive authentication data embedded within the card’s magnetic stripe or EMV chip

PCI compliance is very important for ecommerce businesses because it can help you reduce the risk of credit card fraud, which can otherwise cost millions of dollars.

Adhering to PCI guidelines helps you protect both cardholder and credit card data. Therefore, you should maintain your PCI compliance very seriously to prevent credit card fraud and build customer trust and loyalty.

What are the Different Levels of Compliance?

There are different levels of compliance depending on the number of annual credit card transactions you complete.

• Level 1: Businesses that process over 6 million card transactions per year
• Level 2: Businesses that process 1-6 million card transactions per year
• Level 3: Businesses that process 20K-1 million ecommerce transactions per year
• Level 4: Businesses that process fewer than 20K ecommerce transactions per year or less than 1 million transactions from all sales channels

You should be able to get these details from your point of sale (POS) reports or your ecommerce store analytics.

The PCI compliance standards and security parameters are very high for businesses that process a larger number of payment transactions per year. Even if you don’t make more sales, it is mandatory to comply with PCI DSS as long as you are accepting card payments.

No matter your business size, you need to stay PCI compliant to protect cardholder data and sensitive user data to preserve the trust of your customers.

The Perfect PCI Compliance Checklist for Your Ecommerce Business

Now you know that if your brand accepts credit card payments online, you must be PCI compliant. Let’s take a look at what requirements you need to fulfill to be PCI compliant.

Level 4 businesses have fewer PCI compliance requirements than Level 1 businesses, but the basic points remain the same. You should fulfill the following PCI DSS requirements to keep your customer data and cardholder data safe:

• Ensure that your website is hosted on a secure server.
• Update your website with SSL encryption.
• Make sure your passwords are strong and change them regularly. Do not use vendor-supplied defaults for system passwords and other security parameters.
• Disable any unnecessary default accounts before installing a system on the network.
• Keep all credit card information encrypted at all times.
• Use an efficient antivirus software program on all systems and regularly update all your antivirus programs to protect your data against malware. You should also ensure that antivirus mechanisms are always active.
• You should protect all stored cardholder data. Encrypt any sensitive information stored on laptops, tablets, or other mobile devices.
• Encrypt any cardholder data that is transmitted over open or public networks, such as Bluetooth, CDMA, etc.
• Use firewalls to block access to unauthorized personnel from external networks. You should also create a written document to define the firewall process to follow. It will help you streamline who to give access to and to what data.
• Restrict physical access to the servers where customer data is stored. You can do this by installing video cameras to monitor the entry and exit doors of your physical data centers.
• Get a secure payment gateway to process credit card transactions.
• Create an inventory of all the customer data that is stored on your servers, including passwords and usernames.
• Review all third-party vendors for security risks.
• Verify that you have a written security policy, including a risk assessment.
• Make sure that you train all employees on how to protect customer information.
• Implement an appropriate level of network segmentation to protect cardholder data from exposure outside the secure environment.
• Maintain logs of attempted attacks or breaches and review them regularly with staff members who work in IT, finance, marketing, and other departments responsible for managing sensitive data.
• Assign a unique ID to each person with computer access. Leverage strong access control measures to protect data and increase user accountability. This will help you prevent exposure of cardholder data and sensitive data from those who don’t need that information.
• Develop and maintain secure systems and applications to create a secure card data environment. These include your operating systems, firewalls, routers, databases, and POS terminals.
• Limit access to network resources and cardholder data access.
• Maintain a vulnerability management program.
• Employ security monitoring checks to make sure your files and web pages are not tampered with.
• Regularly test your security systems and processes.
• Address information security throughout your business by creating a policy.

Following these PCI compliant standards defined by the PCI council will help you protect your ecommerce site from security breaches and credit card losses.

How Can BigCommerce Help You with PCI Compliance?

BigCommerce’s servers are PCI DSS 3.0 certified at Level 1.

The Account Data they store is audited annually by a Qualified Security Assessor (QSA), which includes:

• Cardholder data
• Primary account number
• Cardholder name
• The expiration date of the card
• Sensitive authentication data
• Security code or card verification value (CVV)

To reduce exposure of cardholder data, BigCommerce does not store any Account Data. The ecommerce platform also performs ongoing security scans to ensure PCI compliance.

What does this mean for your business?

You can easily ensure PCI DSS compliance for your ecommerce business by building your online store with BigCommerce. It also offers easy-to-use storefront designs, powerful analytics, and advanced ecommerce features to help you sell more.

You may also like to read my comprehensive Bigcommerce review.

What is the Cost of Non-Compliance with PCI DSS Security Standards?

Non-compliance can lead to hefty fines and sometimes suspensions from major credit card brands. Your merchant account can be revoked or you could not be able to accept payments from certain kinds of cards if you are not PCI compliant.

However, that’s not the only loss. A single data breach or credit card fraud can lead to heavy financial losses. Moreover, it will harm your brand’s reputation drastically.

Therefore, ensuring PCI compliance is crucial to protecting your customer data and retaining your customers.

FAQs

1. What is PCI compliance in ecommerce?

PCI compliance refers to the Payment Card Industry Data Security Standard (PCI DSS).

It was created by major credit card companies such as Visa, Mastercard, American Express, and Discover as a way to ensure that every merchant who accepts credit cards follows specific security guidelines.

The intent of these guidelines is to protect customers' personal information from data breaches such as hacking attacks or other cyber threats.

Any ecommerce business that processes payments through credit cards should be PCI compliant to ensure security.

2. Does your website need to be PCI compliant?

If you sell products online and accept payments through credit cards and other payment processors, your website needs to be PCI compliant.

Websites with a larger number of sales transactions need to follow more rigorous rules to achieve PCI compliance. But regardless of the size of your business, it is mandatory to fulfill PCI DSS compliance requirements if you accept payments through your website.

3. What is the PCI compliance checklist?

Here is the PCI compliance checklist that every ecommerce business must follow:

Ensure that your website is hosted on a secure server and install an SSL certificate.

• Use strong passwords and change them regularly.
• Keep all credit card information encrypted at all times.
• Regularly update antivirus programs and keep them active on all systems.
• Use firewalls to restrict access to users from external networks.
• Protect data stored in physical locations such as a data center by installing monitoring systems.
• Get a secure payment gateway to process credit card transactions.
• Review all third-party vendors for security risks.
• Assign a unique ID to each person so that you can authenticate access to specific data locations to increase user accountability.
• Develop and maintain secure systems and applications such as operating systems, firewalls, routers, databases, and POS terminals.
• Regularly test your security systems and processes.
• Address information security throughout your business by creating a policy.

You can find more PCI DSS compliance requirements in detail in the sections above.

4. Is BigCommerce PCI compliant?

Yes, BigCommerce is a PCI DSS 3.0 certified server provider, which can help you ensure PCI compliance for your ecommerce business.

5. How do I ensure PCI compliance?

To ensure PCI compliance, you need to keep your systems, networks, and databases safe and guarded at all times. Just follow the checklist mentioned above to get it done the right way.

An easier way to stay PCI compliant is to build your ecommerce website using a PCI-compliant ecommerce platform such as BigCommerce.

Check out other ecommerce platforms here.

Get Started with PCI Compliance

Want to check if your ecommerce business is PCI compliant?

You can address a self-assessment questionnaire every year to test the credibility of your security processes and see if you are PCI compliant. You will also need to assess the size of your ecommerce business and the volume of credit card payments you process every year.

Ask yourself the following questions:

• Is your network secure?
• Are your systems password protected?
• Is your antivirus and malware protection up to date?

If not, make sure you get these done to upgrade the transactional and data security on your ecommerce site.

You can also submit your PCI DSS compliance reports to the bank or card brands with which you do business. They can give you additional guidelines to adhere to PCI compliance standards and prevent financial and reputation losses.

Do you have other questions about achieving PCI compliance or running an ecommerce business? Feel free to reach out to my team of experts today.