Key Points
- PCI Compliance: Necessary for websites using online payments.
- Non-Compliance Consequences: Financial penalties fall on the company, not on the web developer or hosting company.
- Ecommerce Website Risks: Vulnerable to hacking, credit card theft, and security breaches.
- Data Breach Costs: Average cost is high, especially for large websites.
- PCI DSS Requirements: Include system protection, data encryption, and access control.
- OptiCred Solution: Provides tools and features to support efforts in meeting PCI DSS requirements.
Introduction
If you are going to use online payments on your website, then it must be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements applicable to all organizations that accept, store, and process credit card information. Even if you use third-party services like Stripe, Recurly, PayPal, or another secure payment option, you have an obligation to follow the requirements set forth by PCI DSS.
If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties because of it. Your web developer or web hosting company will not be fined.
Failing to comply could also open your business up to lawsuits from customers after a security breach, and/or to fines from your credit card processor.
If the breach is big enough and the fines are heavy enough, it could force your company out of business.
How big of a target is your ecommerce website?
With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access. Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.
Ecommerce websites are susceptible to a number of risks and threats:
- Credit card stealers put your customers at risk of identity theft or credit card fraud.
- Hijacking causes loss of sales when customers are redirected to a fake shopping cart.
- Injected website content can spread spam, malware, and malvertising.
- Server resources can be stolen and used in malware campaigns, DDoS attacks, etc.
- Hacked sites can be blocked by search engines, antivirus programs, and browsers.
Because there will always be some level of risk, security is a continuous process rather than a one-time fix.
Non-compliant ecommerce websites often suffer hefty penalties by payment industry regulators if their customers complain about fraud after using the site.
PCI standards show that the average cost of a breach for a large website is $4 million, whereas the average cost of a data breach for an SMB is $86,500.
If a data breach occurs at your ecommerce store, your ability to accept credit card payments may even be suspended or revoked.
How to be compliant?
The current version of the PCI DSS is 3.2.1, published in May 2018. While the PCI DSS has only 12 major requirements, each one can have a dozen or more sub-requirements.
Here is an overview of the requirements:
PCI DSS Requirement 1: Protect your system with firewalls
PCI DSS Requirement 2: Configure passwords and settings securely
PCI DSS Requirement 3: Protect stored cardholder data
PCI DSS Requirement 4: Encrypt transmission of cardholder data
PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
PCI DSS Requirement 6: Develop and maintain secure systems and applications
PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know
PCI DSS Requirement 8: Assign a unique ID to each person with computer access
PCI DSS Requirement 9: Restrict physical access to the workplace and cardholder data
PCI DSS Requirement 10: Implement logging and log management
PCI DSS Requirement 11: Conduct vulnerability scans and penetration tests
PCI DSS Requirement 12: Maintain documentation and perform risk assessments
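Requirements 3 and 10 are the two that ecommerce code touches most directly: whatever your application stores or logs must not contain a readable primary account number (PAN) or the card verification code. The following is an added example written for this article, not code from the page or from OptiCred. It shows the handling PCI DSS 3.2.1 describes: the CVV is dropped after authorization (3.2), the PAN is masked to at most the first six and last four digits when displayed (3.3), it is replaced at rest by a keyed one-way token (3.4), and log lines are redacted before they reach log storage so that Requirement 10 logging does not itself violate Requirement 3. The demo key, the record layout, the sample card and the log line are constructed for the example.

```python
"""Added example: handling cardholder data so that stored and logged copies
follow PCI DSS Requirement 3. Not code from the article or from OptiCred.

Rules applied (PCI DSS 3.2.1):
  3.2  never persist sensitive authentication data (CVV2/CVC2, track data, PIN)
  3.3  mask the PAN when displayed: at most first six and last four digits
  3.4  render the PAN unreadable wherever it is stored (keyed hash / token)
"""
import hashlib
import hmac
import re

# Constructed demo key. In production this lives in an HSM or secrets manager.
TOKEN_KEY = b"demo-only-key-replace-me"

# 13 to 19 digits, optionally separated by spaces or dashes, look like a PAN.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def _digits(value: str) -> str:
    """Strip spaces, dashes and anything else that is not a digit."""
    return "".join(c for c in value if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Luhn check used by card numbers; rejects most non-PAN digit runs."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form of a PAN: first six and last four digits, rest starred (3.3)."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed one-way token for a PAN (3.4). Stable for the same card, so refunds
    and duplicate-card checks work without the PAN itself ever being stored."""
    return hmac.new(key, _digits(pan).encode(), hashlib.sha256).hexdigest()


def build_stored_record(card: dict) -> dict:
    """Reduce raw checkout input to the only form allowed at rest.
    The CVV is used for authorization and deliberately not copied (3.2)."""
    pan = card["pan"]
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": card["expiry"],
        # intentionally no "pan" and no "cvv" key
    }


def redact_log_line(line: str) -> str:
    """Replace every Luhn-valid PAN in a log line with its masked form.
    Digit runs that fail Luhn (order ids, invoice numbers) are left alone."""
    def _mask(match):
        candidate = match.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return PAN_PATTERN.sub(_mask, line)


# Constructed sample checkout input and application log line for the demo.
SAMPLE_CARD = {"pan": "4111 1111 1111 1111", "expiry": "12/27", "cvv": "123"}
SAMPLE_LOG = "order=78231 pan=4111 1111 1111 1111 amount=42.00 status=approved"

if __name__ == "__main__":
    print(build_stored_record(SAMPLE_CARD))
    print(redact_log_line(SAMPLE_LOG))
```

The token is an HMAC rather than a plain hash because PCI DSS 3.4 requires a hash of the PAN to be keyed or otherwise protected; a bare SHA-256 of a 16-digit number can be reversed by brute force in minutes. The log redaction runs the Luhn check before masking so that legitimate long identifiers in your logs survive intact.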
Simplify PCI Compliance with OptiCred’s Advanced Security Solutions
For many companies, the PCI DSS requirements can seem overwhelming. With OptiCred you get a secure environment for your website and you will automatically meet several of the most complex requirements. Among other things, our solution provides:
- Fully managed and updated web application firewall
- Protection against OWASP Top 10 threats
- Application security monitoring and virtual patching
- Real-time alerting, incident handling and response
- Continuous analysis of WAF and environment logs
- Vulnerability scanning and reports