Recently, we had a client ask us if their website needed to be PCI compliant. It made us think that if one client had this question, others might as well. In this article, we’ll focus on what PCI compliance is, why it’s important, and how to make a website PCI compliant (if it needs to be).
What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) was created to increase security around cardholder information, to protect consumer data and prevent breaches. PCI compliance applies to every organization that accepts credit card payments, and each organization falls under one of four compliance levels based on its total yearly transaction volume.
The four levels of compliance are based on the number of card transactions a merchant processes per year:
- Level 1: over 6 million
- Level 2: 1 to 6 million
- Level 3: 20,000 to 1 million
- Level 4: less than 20,000
This standard is the information security benchmark against which organizations that handle branded credit cards from the major card schemes are measured.
What are the costs associated with PCI compliance?
To receive a compliance certification there is a fee, based on the organization’s size, that ranges from $1,000 to $50,000 per year. That cost may seem a little steep, but noncompliance can cost more: it can leave an organization exposed to data breaches, the cost of replacing compromised credit cards, hefty fines, and more.
Why is PCI compliance important?
PCI compliance creates security around credit card handling for both the merchant and the cardholder. It helps prevent security breaches as well as identity theft. As technology advances, consumers find it easier to make many of their regular purchases online. If you’re not PCI compliant, you could miss out on a large amount of sales by losing the privilege of accepting online credit card payments.
How to make a website PCI compliant
If your website takes money or receives donations of any kind via credit card, then YES, you should be PCI compliant.
Here are some easy steps you can take to ensure you’re being compliant.
- Install and maintain a firewall configuration and test systems and processes: Here at Yoko Co, most of the clients who host their site through us use WP Engine. WP Engine is fully compliant with PCI DSS v3.2. WP Engine offers advanced security that includes malware & virus scanning behind a strict firewall. While WP Engine isn’t the only hosting platform that meets these standards, it’s one we’ve grown to know and trust.
- Don’t use vendor-supplied default passwords, and restrict access to cardholder data to those who need to know: If you leave your password as “password”, you’re asking for your secure information to be stolen. Instead, use a secure password generator to create a password, such as this one. If you must share passwords within your organization, consider storing them in a secure location such as TeamPassword.
- Protect stored cardholder data: Any cardholder data you store should be kept in a secure, password-protected location.
- Encrypt transmission of cardholder data: Encryption adds a layer of security so that only a recipient holding the correct key can decrypt the data while it is in transit.
- Use and regularly update anti-virus software, and develop and maintain secure systems and applications: This requirement can be met by working with a PCI compliant hosting provider such as WP Engine, which regularly scans for viruses.
- Track and monitor all access to network resources and cardholder data: Keep a running log of who can access your cardholders’ data and when they access it.
- Use a PCI approved e-commerce platform: There are plenty of PCI approved e-commerce platforms, such as Stripe and PayPal, that integrate with your website and take payments. We encourage you to look into one of these for your payment needs.
- Check where you’re vulnerable: While following these steps will certainly help with PCI compliance, we also encourage you to use a scanner such as HackerGuardian to check where you might be vulnerable.
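The “need to know” restriction and the “track and monitor” step above only help if someone actually reads the access log. The following is an added example written for this article, not code from Yoko Co, WP Engine, or any PCI tool: it parses a constructed audit log in a hypothetical format, lists who accessed cardholder data and when, and flags accesses by accounts outside a need-to-know list, accesses outside business hours, and any line where a full card number was written to the log unmasked. The log format, the user names, and the business-hours window are assumptions made for the example.

```python
# Added example: a small audit over a cardholder-data access log.
# Not code from Yoko Co, WP Engine, or any PCI tool. The log format, user
# names and business-hours window below are assumptions made for the example.
import re
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <action> <resource> <detail>"
SAMPLE_LOG = """\
2024-03-04T09:15:02 alice view order/1001 pan=************4242
2024-03-04T11:42:37 bob export report/march pan=4111111111111111
2024-03-04T23:05:10 carol view order/1002 pan=************0005
2024-03-05T10:01:55 alice view order/1003 pan=************1117
2024-03-05T10:02:01 mallory view order/1003 pan=************1117
"""

# Need-to-know list: the only accounts allowed to touch cardholder data (assumed).
AUTHORIZED_USERS = frozenset({"alice", "carol"})
# Hours (24h clock) during which access is expected; anything else is flagged.
BUSINESS_HOURS = range(8, 18)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>\S+) (?P<resource>\S+) ?(?P<detail>.*)$"
)
# A run of 13-19 digits is a candidate unmasked card number; a masked value
# such as ************4242 leaves only four digits and never matches.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def audit(log_text: str, authorized=AUTHORIZED_USERS, hours=BUSINESS_HOURS):
    """Summarise who accessed what and when, and collect findings to review."""
    accesses = []   # (user, timestamp, resource) for every parsed entry
    findings = []   # human-readable problems, one per condition per line
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings.append(f"line {lineno}: unparseable entry: {line!r}")
            continue
        accesses.append((rec["user"], rec["ts"], rec["resource"]))
        if rec["user"] not in authorized:
            findings.append(f"line {lineno}: {rec['user']} is not on the need-to-know list")
        if rec["ts"].hour not in hours:
            findings.append(f"line {lineno}: {rec['user']} accessed {rec['resource']} outside business hours")
        # Card numbers must be masked before they reach any log; a Luhn-valid
        # run of digits here means the application leaked a full PAN.
        for digits in PAN_RE.findall(line):
            if luhn_ok(digits):
                findings.append(f"line {lineno}: unmasked card number written to the log")
    return {"accesses": accesses, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for user, ts, resource in result["accesses"]:
        print(f"{ts:%Y-%m-%d %H:%M} {user:<8} {resource}")
    print("findings:")
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed log, the audit lists all five accesses and raises four findings: two accounts outside the need-to-know list, one access late at night, and one export line that wrote a full, Luhn-valid card number into the log. In a real deployment the authorized set would come from your access-control system rather than a constant, and the findings would feed a ticket or alert rather than standard output.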
Final Thoughts on PCI compliance
Every time a customer accesses your website, your goal should be to create a memorable experience that provides value. While PCI compliance may not directly be a part of your business, if a user’s credit card information is compromised as a result of visiting your website, it creates a negative impression of your organization that can be hard to bounce back from.
Need help making your site PCI compliant?
If you need more guidance, reach out to us.
See what we can do for you.