We use cookies to understand how you interact with our site, to personalize and streamline your experience, and to tailor advertising. By continuing to use our site, you accept our use of cookies and accept our Privacy Policy.

Your Digital Commerce Experts
Nexcess Logo

What Is PCI Compliance? Discover Why You Need It in Your Business

August 26, 2022

Ecommerce is the golden egg many brands are thankful for today. But the number one problem affecting its effectiveness is online payment fraud.

A recent study shows an estimated global loss of $20 billion in ecommerce, which went to fraud in the past year. The figures are on a shocking upward trajectory even now.

Payment Card Industry compliance, otherwise known as PCI compliance, ensures businesses that take credit card payments secure user data to prevent breaches that succumb innocent buyers to this fraud.

PCI compliance protects your business from fraud masterminds by:

  • Preventing malware and ransomware from being planted in your network.
  • Creating strong passwords that bar unwanted entry into the systems.
  • Preventing remote network access used to steal information to make fraudulent transactions.
  • Preventing scams by identity thieves who physically steal payment data at checkout to make fake cards.
  • Prompting you to update outdated software that may be susceptible to unauthorized access

Considering that 30% of fraud in the U.S. ecommerce space revolves around synthetic fraud, data authentication and protection must be foolproof.

Implementing a PCI compliance strategy in your business makes way for secure shopping. You can handle user data securely without the risk of loss or theft by hackers.

Let's look at what PCI entails in detail, who needs PCI compliance, and the requirements to be PCI compliant according to set standards. We'll also look into how you can set up your business as an ecommerce PCI-compliant store.

Here’s what we’ll cover:

Ecommerce PCI Compliance

PCI compliance is an ecommerce term referring to mandatory requirements for ecommerce merchants taking online credit card payments. The conditions, also known as Payment Card Industry Data Security Standards (PCI-DSS), are set by financial organizations to protect credit card data from malicious online shopping activities.

The PCI Security Standards Council (PCI-SSC) is at the forefront of PCI compliance regulations.

It consists of the five largest credit card brands: American Express, Discover, Visa, JCB, and Mastercard. These make up a majority if not all payment gateways available for credit and debit cards today.

These data protection standards are a must-have for businesses taking online payments via credit cards. The regulations put in place include data protection, installing network firewalls, and password access protection.

Who Needs PCI Compliance?

PCI DSS is a standard protocol that protects credit card data when making transactions on a network. The PCI council has a standard by which all merchants wishing to accept payments via credit card must abide.

The standards are in place to protect your system against malicious acts should your customer data leak. By abiding by these regulations, your business becomes PCI compliant.

Simply put, if your business accepts Visa, Mastercard, American Express, or any other credit card as a form of payment, you must have PCI compliance.

Note that the business size matters not as long as you take online credit card payments. That is why Walmart, Amazon, and small online businesses must comply with PCI Security Standards Council guidelines for card payments.

Why is PCI Compliance Important?

PCI compliance protects your customer's card information when making online transactions. It's central to your data protection policy in your business.

Moreover, here are five benefits your ecommerce store will enjoy by being PCI compliant:

  • Increased customer trust — You can securely protect your business's reputation with buyers by processing the data in a secure way.
  • Data protection and data breach prevention — Your customer's credit card information is secured from accidental loss or theft.
  • PCI compliance helps you set a foundation for any other security policy in your business — By limiting access to the network and assigning firewalls to your payment system, your network's security framework is solid.
  • Your business avoids the penalties associated with PCI non-compliance — Lack of PCI compliance can result in recurring penalties of up to $500,000.
  • Your business enjoys global security standards — Since PCI compliance is a worldwide standard, it means that top-tier security measures are recommended to everyone regardless of size, operational niche, or location.

What Happens if My Ecommerce Business Isn’t PCI Compliant?

PCI non-compliance works at a disadvantage to your enterprise. You're liable for any loss your business and the credit cardholders suffer if you fail to secure your store as an ecommerce PCI-compliant entity.

You risk paying thousands of dollars in non-compliance fines and losing trust with your clients. Because who wants to shop with an ecommerce platform with a history of fraud? No one.

Even worse, PCI-SSC may deem your store unfit to support credit card payments and revoke your access permanently.

The 4 PCI Compliance Levels

PCI compliance is broken into levels, determining which PCI compliance guidelines to follow. These levels are categorized by the number of ecommerce transactions a business does annually.

The four levels of PCI compliance for businesses.

The four levels of PCI compliance are:

Level 1 PCI Compliance

Level 1 PCI compliance certification consists of businesses processing over six million credit card transactions in a year.

These businesses have strict rules when it comes to PCI compliance, more than the other three levels. It requires more than just filling out a Self Assessment Questionnaire (SAQ).

A business boasting this level has to meet several PCI DSS requirements before passing as compliant with PCI DSS standards. One of these standards is an annual report by a Qualified Security Assessor (QSA) for vulnerabilities in the security system. The QSA does a physical onsite audit of your business payment system to check if it's PCI compliant.

An Internal Security Assessor (ISA) can also liaise with an external auditor to conduct a thorough network audit. An ISA can be a team member trained on PCI compliance guidelines.

You'll also need a quarterly scan of the network by an approved security vendor. The scan shows vulnerabilities in your servers, computers, cloud, and any other data storage facility you have for the business.

The third standard a level 1 business must have is a penetration test, which is an annual cybersecurity test into the network infrastructure.

Lastly, you require a duly filled Attestation of Compliance (AOC) form. An AOC affirms that you've understood what is needed and your business has complied with PCI DSS standards.

Level 2 PCI Compliance

A business that processes a million to six million credit card transactions annually is categorized under level 2 PCI compliance certification.

Compliance requirements in this level are less compared to level 1 but strict all the same. You must submit a filled-out SAQ together with an onsite QSA audit report. You'll also need an annual compliance report, especially if your business had a data breach previously. Your bank may also ask for a QSA report if necessary.

Another standard to meet will be a quarterly network scan done in the last six months by an approved vendor. Staple that together with an annual penetration test, an internal scan report, and the AOC form.

The only thing you don't need to submit for a level 2 business compared to level 1 is an onsite PCI audit by a QSA.

Level 3 PCI Compliance

A business with between 20,000 and a million credit card transactions annually falls under this category of PCI compliance certification.

For a level 3 PCI compliance certification, your business must submit a duly-filled SAQ, a quarterly scan done in the last six months, and a filled-out AOC. A penetration test isn't a requirement at this level.

JCB has only two PCI compliance levels: Level 1 and 2. All businesses with less than a million transactions qualify as level 2 businesses.

Level 4 PCI Compliance

Level 4 PCI compliance certification is for businesses that process less than 20,000 credit card transactions in a year.

First, a business must have never been affected by a credit card data breach before to undergo this certification. Otherwise, your bank may need further measures and documentation to cushion the risk. You also may need tests and audits to ascertain whether vulnerabilities still exist.

Level 4 businesses have it easy with PCI compliance certification, unlike the other PCI levels. You only need a filled SAQ, a quarterly vulnerability scan, and a filled-out AOC form.

Most small businesses will be capped at level 4, as they process less than 20,000 card transactions online. While the requirements for PCI compliance for levels 1, 2, and 3 are higher due to increased transactions, they're not far off from level 4.

Overall, you must account for your level's PCI requirements set by PCI-DSS. The PCI council offers a business self-assessment that you can use to determine which category your business falls into and what regulations to follow.

More information on what your bank needs is on the individual website of the credit card companies. If the mumble jumble is a little tasking, which it might be, consider the help of a qualified PCI compliance assessor. They will help you understand what your business needs to be accredited as PCI compliant.

Choosing a Self Assessment Questionnaire (SAQ):

All the talk about filling out a Self Assessment Questionnaire (SAQ) may have you wondering what it is. True to the word, an SAQ is a set of questions to answer when applying for PCI compliance certification.

PCI Data Security Standards have nine SAQs. You choose an SAQ according to how you process your credit card information. Below is a screenshot of the different types of Self Assessment Questionnaires.

Types of PCI DSS Self Assessment Questionnaires.

Who Is Responsible for Maintaining Ecommerce PCI Compliance?

PCI DSS compliance falls in the hands of the merchant, the web designer, and the web hosting provider. Each has a symbiotic role in ensuring that your store has the highest protection against payment data breaches.

It's also crucial to note that you, as the merchant, have the ultimate responsibility to ensure that your store meets the PCI DSS compliance requirements.

Go the extra mile by checking if your hosting provider complies with PCI DSS standards. You can have the most robust PCI compliance, but your server will be vulnerable if the hosting service you use in your business is not compliant. In a later section, we will see how you can point out a suitable PCI-compliant hosting for your business.

Another overlooked aspect of PCI compliance is the third-party software providers involved in your payment systems. Not all follow the laid PCI DSS guidelines. The harm to your business is unimaginable and more painful because you played your part, but your service provider failed you.

Prevent this by always checking for PCI compliance with every software provider you want to work with. Anything that goes to your network should be PCI compliant to prevent shock down the line.

Remember, keeping your customer's credit card information safe through PCI compliance spares you from penalties by the PCI-SSC. It's essential to keep all players on the ready.

Implementing PCI Compliance in Your Ecommerce Business

Now that you know what PCI DSS is and how your business can benefit from PCI compliance, how do you set it up in your store?

That is the big question. Let's make it not so big by going through the steps necessary to upgrade your payment systems to be PCI compliant.

First in the line is installing a PCI firewall in your network.

A PCI firewall is a shield that prevents data breaches from malicious third parties seeking to steal your customer credit card information. Installing an effective cloak for the data is paramount and in line with PCI DSS compliance.

Maintain your security firewalls by ensuring you're up to date with all developments, like fixing bugs and downloading the latest firewall version. Such knowledge will help you patch up vulnerabilities in your payment system as soon as they arise.

Below are measures that can save you the hustle of dealing with data breaches and, consequently, PCI DSS non-compliance:

  • Change your passwords to strong passwords only known to your in-house system administrators. You should update them with security patches frequently to prevent accidental leaks.
  • Restrict traffic to your payment systems; only allow what is necessary.
  • Avoid checking any boxes that say ANY in your firewall rules. Some programs may contain disguised malicious data packets that may breach your payment systems.
  • Deny access you didn't authorize to prevent secondary access into the systems.
  • Allow only established and verifiable connections into the network.
  • Turn on intrusion detection and blocking to sieve unwanted system visitations.
  • Turn on all notification settings. You can get first-hand alerts on what's happening in your systems.
  • Use Network Address Translation (NAT) to mask your IP addresses from the internet. Never use public networks to access your system.
  • Lastly, update all firewalls in your payments system frequently to patch up any vulnerabilities that might be present.
Minimum configuration for ecommerce PCI compliance.

A Checklist for Ecommerce PCI Compliance

While PCI compliance is a joint undertaking with your hosting provider, you must take responsibility for implementation. After all, you're the bigger risk bearer in your business.

PCI compliance varies between the levels, with level 1 standards different from level 4. However, there are pointers you can count on to ensure your business is PCI compliant.

Here is a round-up checklist of what you need to do to attain and maintain ecommerce PCI compliance in your business.

  • Host your website on a secure server.
  • Update your website with SSL encryption.
  • Have strong passwords, and change them regularly.
  • Disable unnecessary accounts on the payment system before deploying on the network.
  • Use trusted and effective antivirus software to protect the system against malware.
  • Encrypt all sensitive information captured, stored, or transmitted from your network.
  • Use firewalls to prevent unauthorized external access control to the network.
  • Create a secure network inventory of stored cardholder data.
  • Get secure payment gateways.
  • Use trusted third-party programs and approved scanning vendors (ASV).
  • Have a security assessment policy and train your staff on data protection.
  • Limit remote and physical access to network resources.
  • Carry out regular risk assessments, testing all your security parameters.

Using the above ecommerce PCI compliance checklist will ensure that your overall network is not affected by alien operators who can stain your card processing data. Compliance with PCI DSS is the only way to keep safe, especially when preventing credit card fraud.

Ecommerce PCI Compliance Hosting

As you may already know by now, your web hosting provider is integral to your PCI compliance strategy.

What should you consider when choosing a suitable PCI-compliant web hosting service?

Here are quick tips to help you out:

  • #Tip 1: Ensure that your hosting provider is PCI compliant. If unsure, ask the hosting provider for PCI compliance before hosting your network on their servers.
  • #Tip 2: Consider a web hosting company that offers payment gateways in their hosting plans. It saves you on costs, especially if you're on a budget. Plus, you're sure they're PCI compliant, which spares you the trouble of subscribing to another third-party service.
  • #Tip 3: Choose a large, established hosting company. An established hosting provider has long been in the game, and they understand how PCI compliance works. Nexcess, for example, has been operating for 25 years. The rule is that the bigger the hosting company, the better its PCI compliance history.
  • #Tip 4: Choose a website builder with ecommerce options to make integration within your website smooth. You can easily integrate ecommerce functions with popular platforms like WooCommerce into your store.

Final Thoughts — Ecommerce PCI Compliance: A Guide for Your Store [+ Checklist]

75% of Americans use credit cards for daily purchases like grocery stores or paying bills in restaurants. This figure increases when counting in online transactions.

As a merchant, it's your responsibility to protect your customers' credit card information by being PCI compliant. Complying with the PCI-DSS standards assures you of network security. It also saves you the potential loss from a data breach into your cardholder data environment.

Get reliable and all round PCI compliant hosting for your ecommerce business today with Nexcess.

Maddy Osman
Maddy Osman

Maddy Osman is a WordPress expert and WordCamp US speaker. She is a WordCamp Denver organizer and also operates The Blogsmith, an SEO content agency for B2B tech companies that works with clients like HubSpot, Automattic, and Sprout Social. Learn more about The Blogsmith's process and get in touch to talk content strategy: www.TheBlogsmith.com