The Payment Card Industry Data Security Standard (PCI-DSS) is a set of standards that is required for any business (of any size) which accepts credit cards. It was created by Visa, Mastercard, AMEX, Discover and JCB (as a group) to reduce credit card fraud and increase controls around credit card data. If your company accepts one of these cards, this applies to you.
For the owner of a WordPress site that accepts credit cards via WooCommerce, a simple payment form or other shopping cart (or any other e-commerce website), what’s most important to understand is that PCI-DSS compliance is a standard that must be maintained in order to continue accepting credit cards. Penalties for non-compliance range from $50,000 and go up (way up) from there.
In a nutshell, PCI compliance means keeping cardholder data safe from hackers and others who intend to steal it. This is incredibly important for eCommerce as well as other financial industries such as credit union website design. PCI compliance includes security measures such as SSL encryption (you can tell if a page is encrypted because it begins with https:// instead of http://) and network security such as firewalls, regular anti-virus scanning and other security measures (including the way that you access your customers’ payment card data) to keep the data safe from prying eyes (and robots).
It is worth noting that PCI compliance needs the ongoing attention of several people:
- The web developers who design, configure and code your website and e-commerce process
- The system administrators who maintain the network servers that the site is hosted upon (sometimes these are the same people as those in the first bullet, but usually not)
- The company selling the product / service being paid for by credit card
Each of these people have separate and crucial responsibilities in the process, and they all come together in a PCI compliance report – which is, at its heart, a list of practices to be adhered to as well as a list of vulnerability test results. When passing, it will be a report listing each criterion (such as “server accepts plain text credentials” or “website allows insecure cookies to be set”) with a green check-mark. When all of the check marks are green, a large PASS appears at the top. Pretty simple, right?
Since configuration settings sometimes change on websites and / or servers when new plugins or server updates occur, it is important that they are maintained regularly.
A PCI compliance report includes a self-assessment questionnaire to be filled out by the business owner as well as a website vulnerability scan which is completed by the web developer and / or system administrator. The scan assesses the website and the network server that it is hosted on, the network itself, and any other application that may be employed on the site. As you may imagine, these are fairly technical and can be quite complex, but the report comes down to a simple pass/ fail.
PCI compliance and website security in general deserve attention before there is a security problem. WordPress, just like every computer application, has some unique security considerations when it comes to PCI compliance.