Tips for Making ECommerce Businesses PCI Compliant
If you run an ecommerce business, you probably already know the importance of keeping your customers’ private information secure. Failure to make their shopping experience safe quickly results in them abandoning your website in favor of your more security-savvy competitors. In 2013, the Payment Card Industry Data Security Standard (PCI DSS) was published in order to help businesses protect consumer data, and it has recently been updated to reflect even more measures to guard against fraud and identity theft. If you deal with customers’ cardholder data, including the customer’s name, credit card number, security code and expiration date, you need to know how to protect yourself and your customers from a data breach.

Determine Your Level of Compliance

If you accept payments through online credit card processing, you will need to comply with PCI standards. Depending on how you accept payments, you demonstrate that compliance either by completing a PCI self-assessment questionnaire or by having a qualified compliance assessor do the work for you. The short answer is that if you store, process or transmit your customers’ data on your servers, you must comply with PCI standards.

Check with Your Payment Processing Partner

If you partner with a merchant services provider using an online payment gateway, you may be able to avoid many of the steps later in this article. Just make sure your partner is providing a solution that ensures your site doesn’t have access to information that falls within the PCI security specifications. For instance, with the right payment solution in place, you never need to store credit card numbers in your system. Instead, you receive tokens that stand in for card numbers, and reference numbers that record each sales transaction. This is most often the case if you have set up a hosted pay page with a payment gateway, where the actual credit card transaction takes place outside your website. The burden for PCI compliance thus falls on the merchant services and/or gateway providers.

However, depending on the size of your ecommerce site and the experience you want to provide your customers, you may set up another solution with your payment processor. Be sure to review your options carefully, and make decisions based on the time and resources you have available to ensure your operation meets PCI compliance requirements.
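To make the hosted-pay-page arrangement concrete, here is an added example (not code from the article or from any payment provider) that simulates the flow in Python: a stand-in gateway tokenizes the card number, the merchant stores only the token, the last four digits and the sale reference, and an audit routine scans everything the merchant persists for Luhn-valid card numbers. The `HostedGateway` and `MerchantStore` classes, the log line format and the test card number 4111 1111 1111 1111 are all constructed for this example; the second run shows how a careless debug log would pull the site back into scope.

```python
import json
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn check used by card numbers: True if the check digit is consistent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list:
    """Return masked forms of every Luhn-valid card-number-shaped run found in text.
    Only the last four digits are reported, so the scanner's own output cannot leak a PAN."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits


class HostedGateway:
    """Stand-in for the provider's hosted pay page and card vault (constructed for this
    example; a real gateway exposes this over its own HTTPS endpoints)."""

    def __init__(self):
        self._vault = {}   # token -> PAN; exists only on the gateway side

    def tokenize(self, pan: str) -> dict:
        """The shopper types the card number on the gateway's page; the merchant
        gets back a token plus display data, never the PAN."""
        token = "tok_" + secrets.token_urlsafe(16)
        self._vault[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"reference": "ref_" + secrets.token_urlsafe(12),
                "amount_cents": amount_cents, "status": "approved"}


class MerchantStore:
    """Everything the merchant persists: tokens, last four digits, sale references, logs."""

    def __init__(self):
        self.payment_methods = {}
        self.orders = []
        self.log = []

    def save_payment_method(self, customer_id: str, tokenized: dict) -> None:
        self.payment_methods[customer_id] = dict(tokenized)
        self.log.append(f"saved payment method for {customer_id} ending {tokenized['last4']}")

    def record_sale(self, customer_id: str, receipt: dict) -> None:
        self.orders.append({"customer": customer_id, **receipt})

    def dump(self) -> str:
        """Serialise all persisted state, the way a backup or log export would."""
        return json.dumps({"payment_methods": self.payment_methods,
                           "orders": self.orders, "log": self.log})


def checkout_via_hosted_page(gateway, store, customer_id, pan, amount_cents) -> dict:
    """Whole hosted-pay-page flow. In production the shopper's browser posts the PAN
    straight to the gateway; this driver passes it in only to run the simulation."""
    tokenized = gateway.tokenize(pan)
    store.save_payment_method(customer_id, tokenized)
    receipt = gateway.charge(tokenized["token"], amount_cents)
    store.record_sale(customer_id, receipt)
    return receipt


def audit_merchant_storage(store: MerchantStore) -> list:
    """Scan everything the merchant persists for card numbers. An empty list means the
    tokenised design held; anything else is a leak that drags the system into PCI scope."""
    return find_pans(store.dump())


if __name__ == "__main__":
    gw, st = HostedGateway(), MerchantStore()
    # 4111 1111 1111 1111 is a well-known test number, not a real card.
    checkout_via_hosted_page(gw, st, "cust-42", "4111111111111111", 4999)
    print("audit after tokenised checkout:", audit_merchant_storage(st))   # []
    # A debug line that logs the raw checkout form is the kind of mistake the audit catches.
    st.log.append("DEBUG raw form: card=4111 1111 1111 1111&cvv=123")
    print("audit after leaky debug log:", audit_merchant_storage(st))      # ['************1111']
```

Running the audit over backups, log exports and database dumps on a schedule is a cheap way to confirm that the "no card numbers on our systems" assumption behind a hosted pay page still holds after every release.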

Shore Up Your Infrastructure

To protect against data breaches, you must first be sure that your systems are secure enough to store customer data. To that end, you are required to have a firewall and an antivirus solution in place, and you must not leave vendor-supplied defaults, such as default passwords, in place on your machines. Access to your system, both physical and virtual, must be secured, logged and monitored. Remote access to your systems must also be encrypted.

Be Careful with Your Applications

Any applications you use must be built from the ground up to comply with all of the PCI requirements. The infrastructure on which you host them must also be PCI compliant.

Enhance Your Procedures and Processes

In order to adhere to PCI standards, everyone on your staff should have a clear idea of all aspects of data management. To that end, it is essential that you draw up clear policies that address subjects such as working with data, who has access to it, deployment and general handling. To achieve this goal, you must provide training and regular information updates to your staff. Furthermore, your systems need to be routinely monitored and tested. To manage access to the data with extreme care, assign every user a unique ID and require two-factor authentication. Only grant data access to trained and trusted staff members who absolutely need to have it.

Update Your SSL/TLS Certification

PCI compliance dictates that you use a current version of Transport Layer Security (TLS) and keep your certificates up to date. Older TLS versions have been found to have numerous security holes and vulnerabilities that can leave you open to hacking and fraud. You must also encrypt all cardholder data that is sent across open or public networks or stored on your system.
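Two practical pieces of the TLS requirement are setting a floor on the protocol version your server will negotiate and then watching your logs for clients that still connect with legacy versions. The Python below is an added example, not code from the article: `hardened_server_context` builds a standard-library `ssl.SSLContext` whose minimum is TLS 1.2 (the floor chosen here, consistent with the PCI Security Standards Council's retirement of SSL and early TLS), `allowed_versions` reports what the context's policy admits, and `legacy_tls_connections` scans access-log lines for legacy negotiations. The log lines are constructed and use a simplified format (client, request, status, bytes, then the protocol and cipher, as nginx's `$ssl_protocol $ssl_cipher` variables would supply); adapt the regex to your own log format.

```python
import re
import ssl

# Protocol versions PCI DSS groups as "SSL/early TLS"; none of these should be negotiated.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

_VERSION_NAMES = {            # oldest first; insertion order is preserved
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context that refuses anything below TLS 1.2 and disables TLS compression.
    certfile/keyfile are the merchant's own certificate and key; they are optional here so
    the policy can be inspected without files on disk."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 and SSLv3 are rejected
    ctx.options |= ssl.OP_NO_COMPRESSION           # compression enables plaintext recovery attacks
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def allowed_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions the context's min/max policy admits, oldest first."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = []
    for version, name in _VERSION_NAMES.items():
        if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
            continue
        if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
            continue
        allowed.append(name)
    return allowed


# Constructed sample lines: client, request, status, bytes, then $ssl_protocol $ssl_cipher.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Mar/2024:10:01:02 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.11 - - [12/Mar/2024:10:01:05 +0000] "GET /cart HTTP/1.1" 200 1024 TLSv1 AES256-SHA
198.51.100.7 - - [12/Mar/2024:10:02:09 +0000] "POST /checkout HTTP/1.1" 200 512 TLSv1.3 TLS_AES_256_GCM_SHA384
198.51.100.8 - - [12/Mar/2024:10:02:31 +0000] "GET / HTTP/1.1" 200 2048 TLSv1.1 ECDHE-RSA-AES128-SHA
"""

_LINE_RE = re.compile(
    r'^(?P<client>\S+) .*" (?P<status>\d{3}) (?P<bytes>\d+) (?P<proto>\S+) (?P<cipher>\S+)$'
)


def legacy_tls_connections(log_text: str) -> list:
    """One record per connection that negotiated a legacy protocol; lines that do not
    match the expected format are skipped rather than guessed at."""
    findings = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("proto") in LEGACY_PROTOCOLS:
            findings.append({"client": m.group("client"),
                             "protocol": m.group("proto"),
                             "cipher": m.group("cipher")})
    return findings


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("server will negotiate:", allowed_versions(ctx))        # ['TLSv1.2', 'TLSv1.3']
    for hit in legacy_tls_connections(SAMPLE_ACCESS_LOG):
        print("legacy client:", hit["client"], hit["protocol"], hit["cipher"])
```

Run the log scan for a while before you tighten the server policy: it tells you which clients (often old point-of-sale software or in-house integrations) will break when TLS 1.0 and 1.1 are switched off, so you can fix them rather than discover the failures in lost sales.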

Complying with all of these standards can appear arduous and overwhelming. If you don’t have the time or resources to ensure compliance, check with your payment processing company or another professional to discuss your options. The bottom line is that PCI compliance standards are designed to both protect customers and safeguard your business, saving you from potential disaster.