Shift4Shop eCommerce Blog

How to Make Your eCommerce Website PCI-Compliant

Written by Shift4Shop | Jun 3, 2010 1:52:26 PM

What should your priorities be when setting up your online store? Ideally, you should give yourself the time and use the resources necessary to make sure that every aspect is optimized to near-perfection. With that said, some aspects are more valuable and deserving of your attention than others. If you do not get them right, nothing else you do with your store will matter.

One significant factor that every eCommerce store, no matter the size or structure or market, should focus on is security. You need to make sure that your visitors, especially those visiting for the first time, can trust your website to keep their information safe. That means more than just implementing top-notch security measures across the board. It also means assuring them that you are doing everything you can for them.

Accomplishing both of these tasks may require some effort, time, and money. The rewards will more than make up for it, but only if you do them right. One excellent way to know and show that you succeeded is receiving validation from the Payment Card Industry (PCI) Security Standards Council (SSC). Here is some information about why complying with these criteria is desirable, as well as how to receive recognition from the body.

What is the PCI DSS?

By 2006, more and more people began conducting more and more of their shopping on the internet. At the same time, new innovations in software technology meant that more people than ever before could start their own online businesses. Unfortunately, the digital frontier had its own bandits to prey on the settlers. These users were willing to commit fraud, steal sensitive data, and exploit it to their own ends.

Many involved in online commerce began to recognize the importance of protecting both merchants and customers from hackers and scammers. This included leadership at MasterCard Worldwide, American Express, Visa Inc., Discover Financial Services, and JCB International. These are the top five credit card companies in the world, and their transaction services are vital to eCommerce. They stood to make serious profits from online shopping, but they also stood to lose much when their cards were used on websites with insufficient security.

To that end, they united to found an organization through which they could create and enforce strict standards defining what constitutes high-quality security. Their mission: “to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders.”

The PCI SSC and its third-party Qualified Security Assessors (QSAs) now work to determine whether an eCommerce website is sufficiently protected according to those standards. Those that fully comply with the PCI Security Standards receive certification, which they can then mention on their website (and, if they are wise, in promotional materials). Ultimately, this fulfills the related goals of driving away bad actors, encouraging the most cautious users to trust online stores, and making eCommerce safer.

Why is PCI Compliance Important?

Passing the rigorous standards of the PCI SSC is not easy, nor is it inexpensive. Companies may spend thousands of dollars on new technology and practices in their pursuit of certification. Some businesses may believe that PCI compliance is not necessary or worthwhile enough for all that effort and all those expenses. It may seem especially excessive if they already utilize an SSL certificate, which in their eyes may be “just enough” to attract and protect customers.

Despite this, online businesses really should do everything in their power to ensure that transactions are as secure as possible. The threats of identity theft and data theft did not vanish after 2006 — they remain as real and dangerous as ever before. eCommerce stores are constant targets of these malevolent users, especially the ones they believe to be vulnerable and lacking in security.

Internet users are all too aware of this issue. As a result, many tend to stick with the few stores they already know — typically established brands that already receive millions of visitors. Those who do venture into unfamiliar websites tend to do so with one eye on the X button. If they detect the slightest sign that they may not be safe on a website, they will bolt like rabbits, never to return.

This is why ensuring that visitors know about your security measures is just as important as having them at all. They comfort the uncomfortable, assuring them that they can trust your website with extremely personal data like home addresses and credit card information. If everything else about your store is great, then people will come to you. If security is the one thing that is less than great, then they will not stay long enough to find out what happens.

Plus, in the event that a breach does occur, you may be held liable for not doing enough to prevent it. A great way to prove that you were making an effort is showing certification with high security standards like those of the PCI SSC. You may be required to pay less in fees. Hopefully, though, reaching that level of security would prevent a breach from happening in the first place.

The Six Goals for Achieving PCI Compliance

The PCI Security Standards are so intensive and inflexible that even simply getting started with the required steps may seem intimidating. When faced with a large project, it often helps to break it down into smaller pieces. Thankfully, the PCI SSC already did this, creating a list of six goals that can help you achieve the main goal. Here are the goals, along with the organization’s requirements for meeting them. Please note that each requirement has its own set of criteria, which the QSAs will evaluate item by item.

Build and Maintain a Secure Network and Systems

If you want to plug any holes in your website’s transaction services and information databases, you need to start from the foundation. The first requirement is to “install and maintain a firewall configuration to protect cardholder data.” Setting up a firewall is crucial because it lets you set criteria for any traffic trying to enter the website. Any transmission that fails to match the specifications gets blocked. Firewalls should cover every network and system you use.

The second requirement advises that you “do not use vendor-supplied defaults for system passwords and other security parameters.” Some software you use may come with default administration settings. These settings, including passwords, are the first things hackers will try in order to gain entry to the inner workings of your website. Make things harder for them by changing every default.

Protect Cardholder Data

You have to be able to “protect stored cardholder data,” the third requirement for PCI compliance, if you want customers to trust you with it. Make sure that sensitive information is also encrypted during transactions — meaning, that your security software encrypts the data before it leaves one end and decrypts it only once it reaches the intended destination. Anyone who intercepts the data midstream will find only ciphertext that cannot be deciphered without the keys. That meets the fourth requirement: “encrypt transmission of cardholder data across open, public networks.”

You may not even want to keep cardholder data within your store because of the security risk. However, regular customers may prefer creating accounts and saving their settings over inputting that information every time they buy something. In these cases, the data should always be stored encrypted and decrypted only at the moment your website actually needs to read it.
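The third requirement does not force you to keep a reversible copy of the card number at all. The example below (added here; it is not Shift4Shop's code or part of the original post) shows the stored-data side using only the Python standard library: the primary account number (PAN) is Luhn-checked, truncated to a masked display form, and reduced to a keyed one-way token (HMAC-SHA256) that can be matched later without ever writing the full PAN to disk. The key and card number are constructed for illustration; in a real deployment the key comes from a key-management service, never from source code.

```python
"""Render a stored card number unreadable (PCI DSS requirement 3) using
truncation plus a keyed one-way token instead of storing the PAN.
Added example, not Shift4Shop's code. DEMO_KEY and the sample card
number are constructed for illustration only."""

import hashlib
import hmac
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test; rejects malformed input before storage."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash. Because card numbers have a small digit space,
    an unkeyed hash could be brute-forced; the secret key prevents that."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    token: str    # keyed hash, used for matching
    masked: str   # what support staff and customers see
    expiry: str   # MM/YY; the CVV/CVC is never stored at all


def store_card(pan: str, expiry: str, key: bytes) -> StoredCard:
    """Build the record that is allowed to persist: no clear PAN in it."""
    pan = pan.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return StoredCard(token=tokenize_pan(pan, key),
                      masked=mask_pan(pan),
                      expiry=expiry)


def matches(stored: StoredCard, pan: str, key: bytes) -> bool:
    """Check a freshly presented PAN against a stored record without
    comparing clear PANs; constant-time compare avoids timing leaks."""
    presented = pan.replace(" ", "").replace("-", "")
    return hmac.compare_digest(stored.token, tokenize_pan(presented, key))


# Constructed demo key (32 fixed bytes). Real keys come from a KMS/HSM.
DEMO_KEY = bytes.fromhex("1f" * 32)


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test number.
    card = store_card("4111 1111 1111 1111", "12/30", DEMO_KEY)
    print(card.masked)                                   # 411111******1111
    print(matches(card, "4111111111111111", DEMO_KEY))   # True
```

The design choice here is that `StoredCard` contains nothing that, on its own, gives an attacker a usable card number: the masked form is what PCI DSS permits to be shown, and the token is useless without the key, which lives outside the database.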

Maintain a Vulnerability Management Program

Hackers have many different ways of exploiting vulnerabilities and worming their way into your website’s private corners. One method is the use of viruses and other software that can penetrate the network and help them gather data. “Using and regularly updating anti-virus software,” the fifth requirement, should help your system identify and eliminate such threats.

The sixth requirement is to “develop and maintain secure systems and applications.” Many software companies release updates for their products as a way of fixing old problems and responding to new challenges. These updates often include patches and other improvements for their security measures. If you stay up-to-date with them, then you stand a better chance of keeping pace with the latest threats.

Implement Strong Access Control Measures

This goal actually has three requirements, with the first one (the seventh overall) demanding that you “restrict access to cardholder data by business need-to-know.” This one should be common sense. Why would you allow just anyone to see customers’ data? Even trusted employees should only have the authorization to see or work with it when absolutely required for a specific task.

To fulfill the eighth requirement on this list, you need to “assign a unique ID to each person with computer access.” This requirement allows you to see who has been performing what activity at any time on the system. More precisely, it allows you to see if anyone with access has been doing anything without authorization, or if any unauthorized users have been present.

The ninth requirement, and the last for this goal, is to “restrict physical access to cardholder data.” Sometimes, merchants focus so much on online activity that they fail to consider the possibility of more hands-on methods of data theft. If there is any way that someone can manipulate physical data storage devices or tools, then they should be secured as well.

Regularly Monitor and Test Networks

If you “track and monitor all access to network resources and cardholder data,” then you meet the tenth requirement. You just have to make sure that any logs designed to record user activity are thorough and active. If anything goes wrong on the system, that information may help you pinpoint the vulnerabilities and the users who exploited them.

In fact, you may want to get ahead of any malevolent hackers and look for those vulnerabilities yourself. The eleventh requirement is to “regularly test security systems and processes.” You could hire reputable third parties to challenge your security systems and see if and how they could be improved.
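Requirements 7, 8 and 10 fit together: need-to-know access only works when every person has their own ID, and an audit log is only useful when every access attempt, allowed or denied, lands in it under that ID. The block below is an added example (not Shift4Shop's code or part of the original post) of a small gatekeeper that enforces all three in front of cardholder data, with two review helpers of the kind you would run when "anything goes wrong". The roles, user IDs, resource names and the list of shared account names are constructed for illustration.

```python
"""Need-to-know access to cardholder data, one ID per person, and an
audit trail of every access attempt (PCI DSS requirements 7, 8 and 10).
Added example, not Shift4Shop's code; roles, user IDs, resources and
SHARED_ACCOUNT_NAMES are constructed for illustration."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set

# Requirement 7: each role gets only the actions its job needs.
# "card.masked.read" shows ****1111 only; "card.token.use" lets a refund be
# issued against a stored token without revealing the card number.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "support": {"card.masked.read"},
    "refunds": {"card.masked.read", "card.token.use"},
    "security": {"audit.read"},
}

# Requirement 8: generic or shared logins cannot be tied to one person,
# so they are refused outright. (Constructed list.)
SHARED_ACCOUNT_NAMES: Set[str] = {"admin", "root", "shared", "support"}


@dataclass(frozen=True)
class User:
    user_id: str  # one ID per individual, never shared
    role: str


@dataclass(frozen=True)
class AuditEntry:
    when: str       # ISO-8601 UTC timestamp
    user_id: str
    action: str
    resource: str
    allowed: bool


class CardholderDataService:
    """Gatekeeper in front of cardholder data. Every attempt, allowed or
    denied, is appended to the audit log (requirement 10)."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def access(self, user: User, action: str, resource: str) -> bool:
        if user.user_id.lower() in SHARED_ACCOUNT_NAMES:
            raise ValueError(f"shared account not permitted: {user.user_id}")
        allowed = action in ROLE_PERMISSIONS.get(user.role, set())
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id,
            action=action,
            resource=resource,
            allowed=allowed,
        ))
        return allowed


def denied_attempts(audit: List[AuditEntry]) -> List[AuditEntry]:
    """Review helper: denied attempts show who tried to reach data they
    had no business need for, the first thing to check after an incident."""
    return [e for e in audit if not e.allowed]


def users_who_read_card_data(audit: List[AuditEntry]) -> List[str]:
    """Review helper: which individuals actually touched cardholder data.
    Only meaningful because every ID maps to exactly one person."""
    return sorted({e.user_id for e in audit
                   if e.allowed and e.action.startswith("card.")})


if __name__ == "__main__":
    svc = CardholderDataService()
    alice = User("alice.smith", "support")
    bob = User("bob.jones", "refunds")
    svc.access(alice, "card.masked.read", "order-1001")
    svc.access(alice, "card.token.use", "order-1001")   # denied: not her job
    svc.access(bob, "card.token.use", "order-1001")
    for entry in svc.audit:
        print(entry)
```

In a real store the audit list would be written to append-only storage that the application account cannot modify, so that a compromised web process cannot erase its own trail.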

Maintain an Information Security Policy

The twelfth and final requirement takes everything you have done and puts it down in the company rulebook. To achieve PCI compliance, you need to “maintain a policy that addresses information security for all personnel.” That means codifying an overall security policy and usage policies for relevant technologies. That means regularly assessing risks and reviewing safety measures. Moreover, that means making sure that employees know what they are doing, especially those specifically tasked with security-related responsibilities.

How to Make Your Website Compliant

The requirements for making your eCommerce website PCI-compliant seem clear enough. However, knowing where to actually begin and how to proceed with meeting the PCI SSC’s standards is another question altogether. Plus, reaching PCI compliance does not mean your business is permanently certified. You will have yearly and quarterly requirements for maintaining this coveted status. Here is some information on how to become and remain compliant the right way.

Step 1: Understand the Compliance Levels

The quintet of credit card companies that comprise the council subject different merchants to different yearly and quarterly requirements based on their “compliance level.” Your business will fit into one of four different levels based on the annual number of transactions your business receives from each card brand. The levels are as follows:

  • Level 1: Transactions exceed 6 million for MasterCard, Visa, or Discover; 2.5 million for American Express; or 1 million for JCB
  • Level 2: Transactions are between 1 and 6 million for MasterCard, Visa, or Discover; between 50,000 and 2.5 million for American Express; or anything under 1 million for JCB
  • Level 3: Transactions are between 20,000 and 1 million for MasterCard (specifically eCommerce transactions), Visa, or Discover; or anything under 50,000 for American Express
  • Level 4: Transactions are below 20,000 for MasterCard, Visa, or Discover

Your level depends on which cards you accept. This means that if you only have MasterCard, then you only need to worry about MasterCard’s requirements. The highest level you reach with one brand immediately becomes your level for the other brands as well. For example, if your business only gets 50,000 transactions with MasterCard but sees 1.5 million transactions with JCB, it reaches Level 2 across the board.
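The level rule above is easy to get wrong by hand once several brands are involved, so here is an added example (not Shift4Shop's code or part of the original post) that applies the post's thresholds per brand and then takes the strictest level across all brands accepted. Where the list leaves a boundary value unstated, the function treats "exceed" as strictly greater than and gives the lower bound of each "between" range to the stricter level; that tie-breaking is an assumption, as are the brand name spellings accepted and the sample counts in the usage section.

```python
"""Determine a merchant's PCI compliance level from per-brand annual
transaction counts, using the thresholds listed in the post.
Added example, not Shift4Shop's code. Boundary handling (strict '>' for
'exceed', inclusive lower bounds for 'between') is an assumption."""

from typing import Dict


def brand_level(brand: str, annual_transactions: int) -> int:
    """Level for one card brand, checked from the strictest level down."""
    if annual_transactions < 0:
        raise ValueError("transaction count cannot be negative")
    b = brand.strip().lower()
    if b in ("mastercard", "visa", "discover"):
        if annual_transactions > 6_000_000:      # Level 1: exceeds 6 million
            return 1
        if annual_transactions >= 1_000_000:     # Level 2: 1 to 6 million
            return 2
        if annual_transactions >= 20_000:        # Level 3: 20,000 to 1 million
            return 3
        return 4                                 # Level 4: below 20,000
    if b in ("american express", "amex"):
        if annual_transactions > 2_500_000:      # Level 1: exceeds 2.5 million
            return 1
        if annual_transactions >= 50_000:        # Level 2: 50,000 to 2.5 million
            return 2
        return 3                                 # Level 3: under 50,000 (no Level 4 listed)
    if b == "jcb":
        if annual_transactions > 1_000_000:      # Level 1: exceeds 1 million
            return 1
        return 2                                 # Level 2: under 1 million (no lower levels listed)
    raise ValueError(f"unknown card brand: {brand}")


def merchant_level(counts: Dict[str, int]) -> int:
    """The strictest (lowest-numbered) level reached with any one brand
    applies to every brand the merchant accepts."""
    if not counts:
        raise ValueError("no card brands accepted")
    return min(brand_level(brand, n) for brand, n in counts.items())


if __name__ == "__main__":
    # Constructed sample counts for one store.
    store = {"mastercard": 50_000, "visa": 30_000, "amex": 100_000}
    for brand, n in store.items():
        print(f"{brand:>10}: {n:>9,} transactions -> Level {brand_level(brand, n)}")
    print("merchant level:", merchant_level(store))   # 2, driven by Amex
```

Note that the brand with the lowest count can still be the one that sets the level, because each brand has its own thresholds; a store should re-run this check on current figures before every annual assessment rather than assume last year's level still holds.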

Step 2: Root Out Weak Spots with Approved Scanning Vendors

The PCI SSC will be happy to see your completed documents, but they will not take your word for it that you are in compliance. You need to obtain the services of a third-party company approved by the SSC to check for PCI compliance. These companies are known as Approved Scanning Vendors (ASVs).

The job of an ASV is to conduct data security scanning and see whether businesses like yours have taken measures to meet the PCI standard. If your systems have any holes or fail to meet any requirements, they will tell you. Use this constructive criticism to strengthen your security and try again.

Step 3: Fill Out the Documents

Of course, you can only truly reach a compliance level if you fulfill the requirements — the number of transactions only gets you through the door. For starters, every level requires an Attestation of Compliance (AOC) form, showing that you are meeting the Data Security Standard.

Moreover, when you qualify for Level 2 or below for any of these brands, you need to complete several documents collectively known as the PCI DSS Self-Assessment Questionnaire (SAQ). Specifically, you must use Type A for your eCommerce store. The SAQ forms are based on the six goals we described earlier. You need to analyze your company’s practices and see if they meet all 12 requirements within those six goals. Do not forget that there are multiple sub-requirements within those 12 requirements.

Step 4: Await Approval

All that is left for you to do is submit the documents to the brand or brands from which you seek validation. Your acquirer bank will also need copies. If they approve, then you will receive validation. Your website becomes PCI compliant, and you can boast about it to all who come to visit and shop. If they do not approve, then there is no need to worry — just make some changes and do better next time.

However, as we noted before, you cannot get too comfortable once they declare your website to be PCI-compliant. That certification is only good for one year, because good security requires maintenance and updating. You need to make sure that your systems and measures can meet their standards for the next assessment.

As we noted before, making your eCommerce website PCI-compliant requires a significant amount of work. Implementing these measures can also prove quite costly. For these and other reasons, you may want to consider creating your online store on an eCommerce website builder whose software has already been certified as PCI-compliant. 3dcart prides itself on its status as a validated service provider from the PCI SSC. Any website that uses the software will have security of the highest grade, both for customers and merchants.

Whether you base your store on an already compliant software or do the hard work yourself, PCI compliance is a worthy goal for any merchant. Regular security measures may be enough to reassure some potential customers that your website is safe. Receiving that certification, from the strictest security standards organization in the world, demonstrates that your business is devoted to their safety. If they can trust you the first time, then they are far more likely to come back many more times.