For every retailer, Ecommerce operator and online store owner there is one thing that you simply cannot cut corners with – and that is the security of your customers’ credit card details. Having someone’s credit card details in your hands is as good (or dangerous) as holding their cash. In fact, even more so, because not only are you able to spend their cash, but you can plunge them into debt by spending cash they don’t have.
So, if there is one thing you simply have to do right on your Ecommerce store – it’s credit card data safety.
The Payment Card Industry Data Security Standard (PCI DSS) has been put together by the PCI Standards Security Council for this very reason. The PCI Standards Security Council represents Visa, Mastercard, JCB International, Discover and American Express.
The PCI DSS applies to all merchants who accept payments from these institutions and is intended to safeguard all stored and processed card data – everywhere and anywhere that it is being used, accessed or stored.
It’s important to note that being PCI compliant does not guarantee that hackers will not gain access to your or your customers’ sensitive data, but it does make you much safer. You should always be vigilant and always keep all of your security measures up to date.
All of which can sound really daunting to those whose task it is to ensure that their Ecommerce website is compliant with the rules and regulations that govern the PCI DSS. But it doesn’t have to be a point of stress to you or your team. We are here to provide a checklist for you to reference and a simple guide on getting your Ecommerce website signed off as safe and secure.
Levels of Compliance
Not all companies operate on the same level, and as such there are varying degrees or levels of compliance that are required by you, the merchant.
Level 1 and Level 2 are for merchants who process one million transactions per year or more.
Level 3 is for merchants who process 20 000 or more transactions per year.
Level 4 is for those merchants who process fewer than 20 000 transactions in a financial year.
We are going to assume, for the purposes of this article, that those merchants in levels 1 and 2 are already employing the services of professionals to help them reach compliance. This article will focus on levels 3 and 4, who are making fewer than one million transactions a year.
What do I need to get my PCI DSS?
You can find a full list of the PCI requirements here.
First: You need to figure out which self-assessment questionnaire (SAQ) your Ecommerce store needs to use to validate your compliance.
You can find a quick chart to these questionnaires here.
Once you have run through the questionnaire, you will need to submit it along with evidence of passing a vulnerability scan (if applicable to you).
PCI DSS Checklist
As a business that makes use of credit card payments, you need to make sure that you comply with each of the following checks every quarter, and do a full, submitted assessment every year:
✓ Make sure that you complete the annual Risk Assessment on the environment where the card data is handled or which touches the cardholder environment. This includes the digital environment and everyone who has access to your records and your systems.
✓ Make sure that any third party who stores, processes or transmits the card data, or is in any way connected to the cardholder environment, provides evidence that they have maintained their PCI DSS compliance and are actively registered with the relevant authorities for your region, or with Card Schemes if you are operating internationally.
✓ If you use a third-party payment application on your Ecommerce store, do you ensure that the product, and the particular version of that application, is PCI DSS compliant and that you adhere to the guidelines provided by the supplier?
✓ If you use an external integrator or administrator to apply the products or bring them together, is this person certified to do so according to PCI standards?
✓ Are you sure that any staff who work with your third-party payment applications are trained to do so according to the guidelines provided by the supplier?
✓ Are you only keeping data that is essential to your business and ensuring that it is well encrypted?
✓ Do you have strict controls over who has access to your Ecommerce environment?
✓ Do you ensure that all access to the Ecommerce environment is strictly monitored and recorded?
✓ Are you protecting your data network with both firewalls AND up-to-date anti-virus software from a reputable company?
✓ Have you ensured that your shopping cart is patched with the most up-to-date versions available? These updates safeguard against hackers who are continually working to break through the protections set against them.
✓ Are you undertaking network scans on a quarterly basis by an approved scanning vendor (ASV)?
✓ Have you discussed security with your hosting provider? It is essential that they have secured their systems appropriately and that their web and database servers are hardened to disable default settings and services.
✓ Do you run PED tests annually, and after any significant risk to the environment?
✓ Are the software and hardware, and any vendor and associated products, which you use to process transactions approved by the Payment Card Security Standards Council (PCI SSC)?