If you have opened or started an online store at some point, the question of security should be at the forefront of your mind. A level of protection you should strive for is PCI Compliance. In a nutshell, PCI Compliance (PCI DSS) refers to the security standards designed to protect all sensitive payment information in a secure environment. By that definition, is your store PCI compliant?
Today, my goal is to help you understand and clarify those core standards to determine if you are PCI compliant. Or what steps you need to take to become PCI compliant.
WooCommerce provided an excellent source of documentation, so I will use this as a reference to help. Here is the link: https://docs.woocommerce.com/document/pci-dss-compliance-and-woocommerce/.
What is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. It is a set of rules created by the PCI Security Council to set the standard for consistent data security to reduce credit card fraud. These apply to anyone that is processing, storing, or transmitting credit card payments on their website.
How Can I Determine If I Am PCI Compliant?
The image above shows the list of the 12 core requirements, grouped into the categories covered below. To help clarify this information, I will give you an easy-to-understand explanation of each group:
- Build and Maintain a Secure Network: The best way to satisfy this requirement is to have a firewall added to your hosting. Most major hosts such as InMotion Hosting, Flywheel, and WP Engine have these features built in. When selecting a hosting company, make sure they offer this as part of their security; if they don’t, I’d suggest switching hosts. Another part of this standard is forcing strong passwords. Don’t use default passwords such as “admin” for ANYTHING. Passwords need to be strong, and rules need to be in place to enforce this. For example, strong passwords need to be enforced both when admins create new users and when a user creates their own account.
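As an added example (not code from the original post or from WooCommerce), here is what enforcing one password policy on both of those paths looks like on a WordPress/WooCommerce site: the WordPress `user_profile_update_errors` action covers an admin creating or editing a user in wp-admin, and the WooCommerce `woocommerce_process_registration_errors` filter covers a customer registering on the My Account page. The 12-character minimum, the character-class rule and the small blocklist of default passwords are assumptions for this example, not values PCI DSS prescribes.

```php
<?php
/**
 * Added example, not from the original post or WooCommerce: apply one
 * password policy to both the admin "Add New User" form and WooCommerce
 * customer registration. Save as a must-use plugin (wp-content/mu-plugins/).
 * Minimum length, class rule and blocklist are assumptions for this example.
 */

// Default or trivially guessable passwords that are never accepted.
const STORE_PASSWORD_BLOCKLIST = [ 'admin', 'password', 'admin123', 'welcome1' ];

/**
 * Returns an empty string when the password passes the policy,
 * otherwise a human-readable reason for rejecting it.
 */
function store_password_policy_failure( string $password, string $username = '' ): string {
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    if ( in_array( strtolower( $password ), STORE_PASSWORD_BLOCKLIST, true ) ) {
        return 'That password is a well-known default and cannot be used.';
    }
    if ( $username !== '' && stripos( $password, $username ) !== false ) {
        return 'The password must not contain the username.';
    }
    // Require at least three of the four character classes.
    $classes = (int) preg_match( '/[a-z]/', $password )
             + (int) preg_match( '/[A-Z]/', $password )
             + (int) preg_match( '/[0-9]/', $password )
             + (int) preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        return 'Use at least three of: lowercase, uppercase, digits, symbols.';
    }
    return '';
}

// Path 1: an administrator creates or edits a user in wp-admin (WordPress core hook).
// The admin forms submit the new password in the "pass1" field.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, bool $update, $user ) {
    $password = (string) ( $_POST['pass1'] ?? '' );
    if ( $password === '' ) {
        return; // No password change was submitted on this form.
    }
    $failure = store_password_policy_failure( $password, (string) ( $user->user_login ?? '' ) );
    if ( $failure !== '' ) {
        $errors->add( 'weak_password', $failure );
    }
}, 10, 3 );

// Path 2: a customer registers on the WooCommerce My Account page (WooCommerce filter).
add_filter( 'woocommerce_process_registration_errors', function ( $validation_error, $username, $password, $email ) {
    $password = (string) $password;
    if ( $password === '' ) {
        return $validation_error; // WooCommerce is generating the password itself.
    }
    $failure = store_password_policy_failure( $password, (string) $username );
    if ( $failure !== '' ) {
        $validation_error->add( 'weak_password', $failure );
    }
    return $validation_error;
}, 10, 4 );
```

Keeping the rule in one function means the two forms cannot drift apart; if you later add a password-reset or checkout-registration path, hook the same function into it rather than duplicating the checks.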
- Protect Card Holder Data: Your website should protect cardholder data by not storing card data at all and using tokens instead. Or, if it does store data, that data must be encrypted, and the website must use an SSL certificate. Again, the SSL feature should be included as part of your hosting. If you are unsure of what SSL means or how to implement it, I suggest you check out my article SSL: What and Why. Another way, and sites using WooCommerce do this, is to utilize a Payment Gateway. PayPal is the best example of this. When a visitor checks out, it redirects them to PayPal to finish checking out, and PayPal is responsible for processing the payment.
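As an added example (not code from the original post, WooCommerce or any gateway), the block below shows what "don't store card data, use tokens" looks like in practice: only the gateway's token, card brand, last four digits and expiry are copied into the record the store keeps, the full number and CVV are never persisted, and anything that looks like a full card number is masked before it can reach a log file. The gateway response shape is a constructed sample, not a real gateway's API, and the card number is the standard Luhn-valid test number, not a real card.

```php
<?php
/**
 * Added example, not from the original post or WooCommerce: keep a token,
 * never a card number, and scrub card numbers out of log lines.
 * The gateway response below is a constructed sample shape.
 */

// Luhn (mod-10) checksum: true for digit strings of card-number length that pass it.
function luhn_valid( string $digits ): bool {
    if ( strlen( $digits ) < 13 || ! ctype_digit( $digits ) ) {
        return false;
    }
    $sum    = 0;
    $double = false;
    for ( $i = strlen( $digits ) - 1; $i >= 0; $i-- ) {
        $d = (int) $digits[ $i ];
        if ( $double ) {
            $d *= 2;
            if ( $d > 9 ) {
                $d -= 9;
            }
        }
        $sum   += $d;
        $double = ! $double;
    }
    return $sum % 10 === 0;
}

/**
 * Build the record the store is allowed to keep. Fields are allowlisted,
 * so the PAN and CVV in the gateway response are never copied over.
 */
function build_stored_payment_record( array $gateway_response ): array {
    $allowed = [ 'token', 'brand', 'last4', 'exp_month', 'exp_year' ];
    $record  = [];
    foreach ( $allowed as $key ) {
        if ( isset( $gateway_response[ $key ] ) ) {
            $record[ $key ] = $gateway_response[ $key ];
        }
    }
    // Defensive check: refuse to persist if a full card number slipped into an allowed field.
    foreach ( $record as $value ) {
        $digits = preg_replace( '/\D/', '', (string) $value );
        if ( luhn_valid( $digits ) ) {
            throw new RuntimeException( 'Refusing to store what looks like a full card number.' );
        }
    }
    return $record;
}

/**
 * Mask anything that looks like a card number before it reaches a log,
 * keeping only the last four digits. Digit runs that fail Luhn (order ids,
 * phone numbers) are left untouched.
 */
function scrub_pans_for_log( string $line ): string {
    return preg_replace_callback( '/\b(?:\d[ -]?){13,19}\b/', function ( array $m ): string {
        $digits = preg_replace( '/\D/', '', $m[0] );
        if ( ! luhn_valid( $digits ) ) {
            return $m[0];
        }
        return str_repeat( '*', strlen( $digits ) - 4 ) . substr( $digits, -4 );
    }, $line );
}

// Constructed sample gateway response (not a real gateway's format).
$sample = [
    'token'     => 'tok_constructed_123',
    'brand'     => 'visa',
    'last4'     => '1111',
    'exp_month' => 12,
    'exp_year'  => 2030,
    'pan'       => '4111111111111111', // standard test number; must never be stored
    'cvv'       => '123',              // must never be stored
];

print_r( build_stored_payment_record( $sample ) );
// Prints only token, brand, last4, exp_month and exp_year.

echo scrub_pans_for_log( 'Checkout failed for card 4111 1111 1111 1111, order 100200' ), PHP_EOL;
// Checkout failed for card ************1111, order 100200
```

The same `scrub_pans_for_log()` routine belongs in front of any debug logging you add to a payment plugin; a surprising share of cardholder-data exposures come from verbose gateway error logs rather than the order database.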
- Maintain a Vulnerability Management Program: This refers to having a hosting provider that uses virus protection and security monitoring. It also includes maintaining the software of your website. Vendors consistently update their software for security reasons, so it doesn’t fall victim to hackers. You should either have a developer on staff or hire a consultant who can help you with this.
- Implement Strong Access Control Measures: This piggybacks on the Protect Card Holder Data requirement but goes deeper into physical server access and website access. This falls on your hosting. They should have a secured access plan for their physical servers. It shouldn’t be easy to gain access to the area where these servers are stored. There should be a logging system for each person who accesses the servers/systems to track their movements. Also, your website should, again, enforce strong passwords, and not everyone needs admin access to your website. Do the correct people have the right level of access? They should. In this case, your site should have Admin vs. Customer vs. Shop Manager roles, etc., to ensure the right people have the right access.
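Answering "do the correct people have the right level of access?" is easier with a report than by clicking through user profiles. As an added example (not code from the original post or WooCommerce), the script below lists every user who holds each of a handful of sensitive WordPress capabilities, so each name can be checked against who actually needs that power. The set of capabilities treated as sensitive is an assumption for this example; adjust it to your store.

```php
<?php
/**
 * Added example, not from the original post or WooCommerce: a least-privilege
 * audit for a WordPress/WooCommerce site. Run inside WordPress, for instance
 * with WP-CLI: wp eval-file audit.php
 * The capabilities listed as sensitive are an assumption for this example.
 */

const SENSITIVE_CAPS = [
    'manage_options',      // site settings, including payment gateway configuration
    'edit_users',          // change other accounts, including administrators
    'install_plugins',     // add code to the site
    'manage_woocommerce',  // WooCommerce settings and orders
];

/**
 * Returns [ capability => [ 'login (roles)', ... ] ] for each sensitive capability.
 */
function audit_sensitive_capabilities( array $caps = SENSITIVE_CAPS ): array {
    $report = array_fill_keys( $caps, [] );
    foreach ( get_users() as $user ) {          // WP_User objects
        foreach ( $caps as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $report[ $cap ][] = $user->user_login . ' (' . implode( ',', $user->roles ) . ')';
            }
        }
    }
    return $report;
}

foreach ( audit_sensitive_capabilities() as $cap => $holders ) {
    printf( "%-20s %s\n", $cap, $holders ? implode( ', ', $holders ) : '(nobody)' );
}
```

Any customer or shop-manager account that shows up under `manage_options` or `install_plugins` is a finding: either the account has the wrong role, or a plugin has widened that role's capabilities. On a store with many thousands of customers, pass `[ 'role__in' => [ 'administrator', 'shop_manager', 'editor' ] ]` to `get_users()` to keep the query small.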
- Regularly Monitor and Test Networks: This falls on the responsibility of your hosting provider. Your host should monitor sites closely for traffic. If any bugs or unusual things happen, they should report them or keep logs of this activity. Your hosting should also regularly test and scan websites for unusual activity. This can be done in different ways, such as malware scanning, DDoS prevention, or using an Approved Scanning Vendor (ASV) that has an industry-approved scanner. Many hosting providers have this in place with the virus protection and security monitoring mentioned above. While the PCI Security Standards Council provides a list of ASVs, many major hosting providers use customized versions, which work just as well.
PCI Compliance is the industry standard for security in online shopping. It gives your customers peace of mind and also protects you from security breaches.
Have any other questions, drop me a line, and I’ll be glad to help.
All the best!