Steps to PCI compliance
The convenience of Ecommerce for both buyers and sellers is hard to beat. However, there are risks involved every time credit card data is transmitted over the Internet. In an effort to mitigate risk and protect themselves from fraud, credit card companies created the Payment Card Industry Data Security Standards (PCI-DSS) that all Ecommerce sites must adhere to in order to be in compliance. If a site is audited and found to be not in compliance, very heavy fines can result.
When setting up and maintaining an Ecommerce site, the bulk of the site owner’s attention will be focused on maximizing sales through eye-catching designs, limited-time offers, coupons, social media integration, Search Engine Optimization (SEO), advertising campaigns, etc.
All of those efforts will be for naught if the site is not PCI compliant, but the comparatively dull effort to keep the site in PCI compliance is usually an afterthought.
Here are 5 basic ways to help keep your site in compliance. For further information visit the PCI website.
1. NEVER store credit card information on your site. This is probably the most important rule, and also the easiest to implement. If a hacker were to gain access to your site’s database, the first thing they would look for would be credit card information. Fortunately all modern Ecommerce platforms do not store credit information on site and pass the data securely to a reputable payment gateway such as PayPal and authorize.net. While it may be desirable to have access to customers’ credit card data to help them complete purchases in the future, the severe risks outweigh any possible benefits.
2. Keep your site secure for intrusion. General website security is a key component for PCI compliance. Basic rules of thumb include not using the username “admin” as an administrative username, making your passwords long and strong (p@55w0rd is not acceptable), and keeping your site up to date with the latest versions of core software and extensions. Please visit our more detailed discussion on website security
3. Use Secure Sockets Layer (SSL) encryption, and keep your certificates up to date. Wherever credit card data or administrative usernames/passwords are being transmitted, SSL should be in use. Many Ecommerce platforms give you an option to bypass SSL, but this should never be done in a production environment. In addition, your certificates should be kept up to date as an expired certificate will generate rather stern and warnings that will invariably drive potential customers away. A reputable hosting company will keep your certs up to date so you can focus on running your business.
4. Modernize your site. You may have paid a developer to build a state of the art Ecommerce site in 2002 that has been functioning just fine for years and you have never felt the need to fix what isn’t broken. Unfortunately, odds are your ancient but working site is almost definitely out of PCI compliance. The older the platform and associated version, the more knowledge about it exists in the hacking community and the more your site is ripe for exploitation. Furthermore, older versions of php are non-compliant per PCI standards, so be sure to check in with your hosting provider to make sure your site’s server is up to date with the latest patches. What good is a “bargain” $3/month hosting package when you could face thousands of dollars in fines?
5. Scan your site periodically for vulnerabilities. There are many services out there such as McAfee SECURE that will scan your site for PCI compliance and will provide a detailed report of areas that need attention. These services may have a cost associated with them, but they will save you a lot of potential grief down the road, and the reports will help you make your site better.
In Ecommerce, it pays to play by the rules.