What is a PCI-compliant website, and does yours need to be?

I’ve recently been asked ‘does my website need to be PCI compliant?’. I thought that if one person was unsure about this, it is likely that many others have the same question. In this article we will cover what PCI compliance is, why it is important, and finally how to make your website meet the PCI compliance requirements.

What Is PCI compliance?

PCI DSS (the Payment Card Industry Data Security Standard) is the set of security requirements that the card brands, through the PCI Security Standards Council, impose on any organization that stores, processes or transmits cardholder data. Being PCI compliant means meeting those requirements and validating that you do so in the way your merchant level demands. Merchants are grouped into four levels by annual card transaction volume; the higher the level, the more rigorous the validation (Level 1 requires an annual on-site assessment by a Qualified Security Assessor, while lower levels can generally validate with a Self-Assessment Questionnaire). The levels are as follows:

  1. Transactions exceed 6 million for MasterCard, Visa, or Discover; 2.5 million for American Express; or 1 million for JCB
  2. Transactions are between 1 and 6 million for MasterCard, Visa, or Discover; between 50,000 and 2.5 million for American Express; or anything under 1 million for JCB
  3. Transactions are between 20,000 and 1 million for MasterCard (specifically eCommerce transactions), Visa, or Discover; or anything under 50,000 for American Express
  4. Transactions are below 20,000 for MasterCard, Visa, or Discover

Why is being PCI compliant important?

Being PCI compliant reduces the risk that a card transaction is compromised, for both the merchant and the cardholder, and so helps prevent security breaches and identity theft. As more of consumers’ regular purchases move online, the volume of card data flowing through websites keeps growing. If you’re not PCI compliant, you risk fines from your acquirer and, ultimately, losing the ability to accept online card payments, which may cost you a lot of money.


How do I make my website PCI compliant

If you run an e-commerce website that takes online payments or donations, your website falls under PCI DSS. How much of the standard applies depends on how card data flows. If your pages never handle card numbers, because the customer is redirected to a PCI-validated payment provider or types the card details into an iframe served by that provider, your scope is much smaller (typically the short SAQ A self-assessment questionnaire). If card numbers are posted to, processed on or stored on your own server, the full set of requirements applies to that server (SAQ D).

At the time of writing, PCI DSS v3.2.1, issued in May 2018, was the current version. PCI DSS v4.0 was published in March 2022 and v3.2.1 was retired on 31 March 2024, so check the PCI Security Standards Council site for the version that currently applies to you.

PCI DSS v3.2.1 has 12 top-level requirements, each broken into multiple sub-requirements with hundreds of testing procedures. At first glance, meeting all of them may appear to be tough for a small website owner.

However, we will outline the requirements that matter most to a website owner in practical terms:

1. Build and Maintain a Secure Network

Install and maintain a firewall between the internet and any system that handles cardholder data, allow only the traffic that system actually needs (for a web server, typically HTTPS inbound and nothing else exposed), and test both the rules and the change process that maintains them.

2. Do Not Use Vendor-Supplied Defaults

Change every vendor-supplied default before a system goes live: default passwords, default accounts, SNMP community strings and similar settings, and disable any services and accounts you do not need. (Restricting who may see cardholder data is covered under requirement 7 below.)

Making a strong password is easy: use a secure password generator, or the generator built into your password manager, and never reuse a password across systems. If you need to share passwords within your company, keep them in a team password manager rather than in email or chat.

3. Protect Cardholder Data

Store as little cardholder data as possible, and only what you have a documented business need for. Never store sensitive authentication data (the CVV/CVC code, full magnetic-stripe or chip data, or the PIN) after a transaction has been authorized. Wherever the card number (PAN) is stored, render it unreadable with strong cryptography, truncation, tokenization or a keyed hash; when it is displayed, mask it to at most the first six and last four digits. A merely “password-protected” file or database does not satisfy this requirement.

4. Encrypt Transmission of Cardholder Data

SSL/TLS is the protocol that encrypts sensitive data as it travels between two systems. With a TLS certificate installed (still commonly called an “SSL certificate”), the website is served over HTTPS rather than HTTP.

Under PCI DSS v3.2.1, a website that takes payments must not use SSL or “early TLS” (TLS 1.0) after 30 June 2018. TLS 1.1 is technically still permitted, but it is deprecated (RFC 8996) and no longer supported by current browsers, so configure the server for TLS 1.2 or higher.

Encrypting sensitive data in transit, such as card numbers, cardholder details and passwords, protects your customers and helps prevent fraud and data breaches.
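To check the server side of this requirement, here is an added example (written for this article, not code from the original page or from any product it mentions) that audits the protocol directives in nginx `ssl_protocols` and Apache `SSLProtocol` lines. It treats SSLv2, SSLv3, TLS 1.0 and TLS 1.1 as weak; the expansion of Apache’s `all` keyword assumes a modern OpenSSL build, and the configuration snippets are constructed for illustration.

```python
import re

# Versions that must not be offered. SSLv2/SSLv3 and "early TLS" (TLS 1.0) are
# prohibited by PCI DSS v3.2.1 Appendix A2; TLS 1.1 is deprecated by RFC 8996
# and dropped by current browsers, so it is treated as weak here as well.
WEAK = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
# What Apache's "all" keyword expands to on a modern OpenSSL build (assumption).
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}

NGINX_RE = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;]+);", re.MULTILINE)
APACHE_RE = re.compile(r"^[ \t]*SSLProtocol[ \t]+(.+?)[ \t]*$", re.MULTILINE | re.IGNORECASE)


def _norm(token: str) -> str:
    """Normalise a protocol name so 'TLSv1.0' and 'TLSv1' compare equal."""
    t = token.lower()
    return "tlsv1" if t == "tlsv1.0" else t


def nginx_protocols(value: str) -> set[str]:
    """nginx lists the enabled versions explicitly, e.g. 'TLSv1.2 TLSv1.3'."""
    return {_norm(tok) for tok in value.split()}


def apache_protocols(value: str) -> set[str]:
    """Apache applies +/- modifiers in order, e.g. 'all -SSLv3 -TLSv1 -TLSv1.1'."""
    enabled: set[str] = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        versions = APACHE_ALL if name.lower() == "all" else {_norm(name)}
        enabled = enabled - versions if sign == "-" else enabled | versions
    return enabled


def audit_tls_config(text: str) -> list[dict]:
    """One finding per ssl_protocols / SSLProtocol directive found in the config text."""
    findings = []
    for pattern, parse, directive in (
        (NGINX_RE, nginx_protocols, "ssl_protocols"),
        (APACHE_RE, apache_protocols, "SSLProtocol"),
    ):
        for m in pattern.finditer(text):
            enabled = parse(m.group(1))
            findings.append({
                "line": text.count("\n", 0, m.start()) + 1,
                "directive": directive,
                "enabled": enabled,
                "weak": enabled & WEAK,
            })
    return sorted(findings, key=lambda f: f["line"])


def is_compliant(text: str) -> bool:
    """True only if at least one directive exists and none of them offers a weak version."""
    findings = audit_tls_config(text)
    return bool(findings) and all(f["enabled"] and not f["weak"] for f in findings)


# Constructed configuration snippets (not taken from any real server).
WEAK_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # still offers TLS 1.0 and 1.1
}
"""
HARDENED_NGINX = WEAK_NGINX.replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
WEAK_APACHE = "SSLEngine on\nSSLProtocol all -SSLv3\n"
HARDENED_APACHE = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for name, cfg in [("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                      ("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE)]:
        for f in audit_tls_config(cfg):
            print(f"{name}: line {f['line']} {f['directive']} enables "
                  f"{sorted(f['enabled'])}; weak: {sorted(f['weak'])}")
        print(f"{name}: compliant = {is_compliant(cfg)}")
```

Run it against your real configuration files. A compliant result only covers the protocol list; cipher suites, the certificate chain and any TLS terminated by a CDN or load balancer in front of the server still need checking, for example with an external TLS scanner against the public hostname.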

5. Maintain a Vulnerability Management Program

Install anti-malware software on all systems commonly affected by malicious software (especially personal computers and servers), and keep all software up to date to close known vulnerabilities.


Ensure that anti-malware measures are active and that users cannot disable or alter them unless management has given permission on a case-by-case basis for a limited period.

With various website security tools, you can mitigate malware threats on the site and on the server. You’ll also need to guard against ways in that bypass the web application entirely, such as SSH and FTP access: lock these down to the people who need them, and prefer SFTP with SSH keys over plain FTP, which sends passwords in the clear. Elite’s website security plans are proudly powered by Sucuri, a world leader in online security.

6. Develop and Maintain Secure Systems and Applications

It doesn’t matter whether you’re just getting started with a small website and minimal traffic. If your website runs a vulnerable CMS, extension, plugin or theme, a malicious bot will almost certainly find it at some point, because such bots scan the whole internet rather than targeting you specifically.

By keeping your website software and system components patched and up to date, you reduce the chance of automated attacks and at the same time meet one of the PCI compliance requirements.

7. Restrict Access to Cardholder Data by Business Need to Know

You should not hand out cardholder data lightly. Restrict access to authorized persons only.

8. Track and Monitor All Access to Network Resources and Cardholder Data

Keep a log of who can access cardholder data and of every time it is accessed: the user, the time, the system and what was done. Logs must never contain the full card number, and PCI DSS requires them to be retained for at least a year, with the most recent three months immediately available for review.

9. Maintain an Information Security Policy

Put in place an information security policy and review it at least annually. It should include a risk assessment process, an incident response plan, and an acceptable-use policy for the systems that handle cardholder data.

Final Thoughts on PCI DSS compliance

Your objective should be to give a memorable experience that adds value to your clients every time they visit your website. The PCI compliance requirements may feel peripheral to your core business, but a user’s credit card details being compromised as a result of a visit to your website can leave a lasting poor impression of your company.


In addition, our WooCommerce hosting comes with $6000 worth of free essential plugins, listed below:

Cart and checkout extensions

  • Amazon S3 Storage
  • Cart Add-ons
  • Cart Notices
  • Checkout Field Editor
  • Force Sells
  • Min/Max Quantities
  • WooCommerce Checkout Add-Ons
  • WooCommerce Purchase Order Gateway
  • WooCommerce Social Login

Marketing extensions

  • Advanced Notifications
  • AutomateWoo
  • Follow-Ups
  • Mailchimp for WooCommerce Memberships
  • PDF Product Vouchers
  • Product Add-Ons
  • Product Enquiry Form
  • Product Vendors
  • URL Coupons
  • WooCommerce Email Customizer
  • WooCommerce Points and Rewards
  • WooCommerce Product Reviews Pro
  • WooCommerce Store Catalog PDF Download

Merchandising extensions

  • Nested Category Layout
  • WooCommerce 360º Image
  • WooCommerce Additional Variation Images
  • WooCommerce Brands
  • WooCommerce Products Compare
  • WooCommerce Quick View

Payment extensions

  • Authorize.Net
  • Bambora
  • Chase Paymentech
  • CyberSource
  • Elavon Converge
  • Global Payments
  • Intuit Payments
  • Moneris
  • WooCommerce Deposits

Product extensions

  • Product Documents
  • Software Add-on
  • WooCommerce Photography
  • WooCommerce Tab Manager

Services extensions

  • Accommodation Bookings
  • Teams for WooCommerce Memberships
  • WooCommerce Bookings
  • WooCommerce Bookings Availability
  • WooCommerce Box Office
  • WooCommerce Memberships
  • WooCommerce Subscription Downloads
  • WooCommerce Subscriptions

Shipping extensions

  • Australia Post Shipping Method
  • Bulk Stock Management
  • Canada Post Shipping Method
  • FedEx Shipping Method
  • Local Pickup Plus
  • Postcode/Address Validation
  • Returns and Warranty Requests
  • Royal Mail
  • Shipment Tracking
  • Shipping Multiple Addresses
  • Table Rate Shipping
  • UPS Shipping Method
  • USPS Shipping Method
  • WooCommerce Order Barcodes
  • WooCommerce Print Invoices/Packing Lists

Store management extensions

  • Admin Custom Order Fields
  • Cost of Goods
  • Customer/Order/Coupon CSV Import Suite
  • Product CSV Import Suite
  • Sequential Order Numbers Pro
  • Twilio SMS Notifications
  • WooCommerce Customer/Order/Coupon Export
  • WooCommerce Google Analytics Pro
  • WooCommerce Order Status Control
  • WooCommerce Order Status Manager
  • WooCommerce Pre-Orders
  • Xero