PCI DSS stands for Payment Card Industry Data Security Standard – it’s a security standard that was created by the Payment Card Industry Security Standards Council. The main purpose of this standard is to protect cardholder data, prevent credit card fraud and give users confidence when paying with these cards online. PCI DSS compliance should be mandatory for all merchants accepting payment cards.
PCI compliance is a set of 12 requirements that all merchants must meet in order to comply with the payment card industry security standard. If you are running an ecommerce business, then I’m sure that you have heard about PCI DSS compliance at least once or twice before. It doesn’t matter whether you are selling online, accepting payments in physical stores or both – you are required to comply with these 12 security requirements.
Note: All credit card transactions that take place on your website will pass through a gateway provided by your payment processor. You can check out our complete list of the best payment gateways for small businesses here.
It’s always better to be safe than sorry, right? In order to fulfill your PCI compliance requirements, you need a solid ecommerce platform that supports all of these 12 requirements. As I mentioned before, some of these things the platform should provide, and some are on your end.
Now let’s get started with 12 PCI DSS compliance requirements:
- Install and maintain a firewall configuration to protect cardholder data:
If you don’t already have a business-grade firewall, then I suggest that you get one. It is not difficult to set up, and having one in place will help you secure your website against cyber attacks. Just make sure that it provides multi-layer protection and uses stateful packet inspection.
- Do not use vendor-supplied defaults for system passwords and other security parameters:
You should always pick something strong which can’t be easily guessed so that it is harder to break into your website. Attackers use automated software to scan websites in search of vulnerabilities, and unchanged default credentials are among the first things such scanners try – if they come across one, then they will exploit it and break into your system.
- Protect stored cardholder data:
You need to make sure that the cardholder data you store is safe and secure at all times. It’s also important to protect sensitive authentication data as well as the Primary Account Number (PAN). Stored PANs should be encrypted, or truncated so that only part of the number is kept.
- Encrypt transmission of cardholder data across open, public networks:
Attackers can intercept your network traffic and steal sensitive information such as credit card numbers if it’s not encrypted. In order to prevent this from happening, you have to encrypt the website traffic with a TLS certificate (still commonly called an SSL certificate, although the SSL protocol versions themselves are obsolete). If you are using a custom online store, then this should be something that the platform provides.
- Use and regularly update anti-virus software:
When it comes to malware attacks, nothing can stop them from entering your system except good antivirus software. Malware is probably one of the most common causes of data loss today, so you should invest in antivirus software and keep it running and updated every day.
- Develop and maintain secure systems and applications:
Developers must follow security best practices when writing code – they should use the latest encryption, hashing and randomization techniques to protect sensitive data such as credit cards. There are open source projects such as OWASP (https://www.owasp.org/) that can help you build secure systems and applications.
- Restrict access to cardholder data by business need-to-know:
Make sure that only authorized personnel have access to the payment system and cardholder data – if possible, limit the number of employees who are given access to this information. That way, if a cyber criminal manages to break into the system, they will not be able to reach as much information.
- Identify and authenticate access to system components:
Everyone who uses your payment system should sign in with their own account, so that every action can be traced back to an individual and discrepancies can be identified – if one account is accessed from two different locations at the same time, then you should flag it as suspicious.
- Restrict physical access to cardholder data:
If possible, keep your cardholder data in a secure environment such as a locked cabinet to prevent unauthorized personnel from accessing it. If there’s a fire or flood and you have to evacuate the building, then you should take your computer and any payment terminals with you.
- Track and monitor all access to network resources and cardholder data:
In order to make sure that only authorized personnel have access to your system, it’s important that you track user activity and identify discrepancies – if an account is accessed from two different locations at the same time, then you should flag it as suspicious.
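Both the authentication item above and this monitoring item describe the same check: one account active from two different locations at roughly the same time. The following is an added example, not code from the original post, showing that check run over a few constructed access-log lines. The log format (`<timestamp> user=<id> ip=<addr> geo=<location> action=<name>`), the 30-minute window and the IP addresses (taken from documentation ranges) are all assumptions; in a real deployment the `geo` field would come from an IP geolocation lookup.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access-log sample; the line format and the IPs (documentation
# ranges) are assumptions made for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice ip=203.0.113.10 geo=London action=login
2024-05-01T09:03:00Z user=alice ip=198.51.100.7 geo=Sao_Paulo action=login
2024-05-01T09:10:00Z user=bob ip=192.0.2.5 geo=Berlin action=login
2024-05-01T11:30:00Z user=bob ip=192.0.2.5 geo=Berlin action=view_pan
2024-05-01T12:00:00Z user=carol ip=203.0.113.44 geo=London action=login
2024-05-01T12:20:00Z user=carol ip=203.0.113.44 geo=London action=view_pan
"""


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' line into a dict with a timezone-aware timestamp."""
    ts, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record


def flag_concurrent_locations(log_text: str,
                              window: timedelta = timedelta(minutes=30)) -> list:
    """Return one alert per pair of events in which the same account was active
    from two different locations within `window` of each other."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            record = parse_line(line)
            by_user[record["user"]].append(record)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for i, first in enumerate(events):
            for second in events[i + 1:]:
                if second["ts"] - first["ts"] > window:
                    break           # sorted by time: later events are further apart still
                if second["geo"] != first["geo"]:
                    alerts.append({
                        "user": user,
                        "locations": (first["geo"], second["geo"]),
                        "ips": (first["ip"], second["ip"]),
                        "seconds_apart": int((second["ts"] - first["ts"]).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in flag_concurrent_locations(SAMPLE_LOG):
        print(alert)
```

On the sample, only alice is flagged: two logins three minutes apart from London and Sao_Paulo. Bob's two events are from the same place, and carol's are both from London. The window is the main tuning knob; a stricter variant would compare the distance between the two locations against the elapsed time (so-called impossible travel) rather than using a fixed window, but the fixed window already catches the simultaneous-access case the text describes.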
- Regularly test security systems and processes:
It’s also important to make sure that new employees are thoroughly vetted before they are given access to your system – malicious actors often try to pass themselves off as an authorized user by supplying fake credentials.
- Maintain a policy that addresses information security:
Make sure that all employees are aware of the importance of protecting sensitive data. As an incentive, they should be recognized for their efforts when they report issues to you – this will encourage them to do it more often. It’s also important that you have an incident response plan that is followed every time there’s a security incident.