Is Your Web Developer or Hosting Company Liable if Your Website is Not PCI Compliant

Jan 23, 2024 | Cyber security, Website Security

Key Points

  • PCI Compliance: Necessary for websites using online payments.
  • Non-Compliance Consequences: Financial penalties fall on the company, not on the web developer or hosting company.
  • Ecommerce Website Risks: Vulnerable to hacking, credit card theft, and security breaches.
  • Data Breach Costs: Average cost is high, especially for large websites.
  • PCI DSS Requirements: Include system protection, data encryption, and access control.
  • OptiCred Solution: Provides tools and features to support efforts in meeting PCI DSS requirements.


If you are going to use online payments on your website then it must be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security guidelines applicable to all organizations that accept, store, and process credit card information. Even if you leverage third-party services like Stripe, Recurly, PayPal, or another secure payment option, you have an obligation to follow the requirements as set forth by PCI DSS.

If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties because of it. Your web developer or web hosting company will not be fined.

Failing to comply could open your business up to being sued by customers if there is a security breach, and/or to fines by your credit card processor.

If the breach is big enough and the fines are heavy enough, it could force your company out of business.

[Image: shield for website protection, credit card for PCI compliance, and padlock for security]

How big of a target is your ecommerce website?

With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access. Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.

Ecommerce websites are susceptible to a number of risks and threats:

  • Credit card stealers put your customers at risk of identity theft or credit card fraud.
  • Hijacking causes loss of sales when customers are redirected to a fake shopping cart.
  • Injected website content can spread spam, malware, and malvertising.
  • Server resources can be stolen and used in malware campaigns, DDoS attacks, etc.
  • Hacked sites can be blocked by search engines, antivirus programs, and browsers.

Because there will always be some level of risk, security is a continuous process.

Non-compliant ecommerce websites often suffer hefty penalties from payment industry regulators if their customers complain about fraud after using the site.

PCI standards show that the average cost of a breach for a large website is 4 million dollars, whereas the average cost of a data breach for SMB is $86,500.

If a data breach occurs at your ecommerce store, your ability to accept credit card payments may even be suspended or revoked.


How to be compliant?

The current version of the PCI DSS is 3.2.1, published in May 2018. While the PCI DSS has only 12 major requirements, each one can have a dozen or more sub-requirements.

Here is an overview of the requirements:

  • PCI DSS Requirement 1: Protect your system with firewalls
  • PCI DSS Requirement 2: Configure passwords and settings
  • PCI DSS Requirement 3: Protect stored cardholder data
  • PCI DSS Requirement 4: Encrypt transmission of cardholder data
  • PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
  • PCI DSS Requirement 6: Develop and maintain secure systems and applications
  • PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know
  • PCI DSS Requirement 8: Assign a unique ID to each person with computer access
  • PCI DSS Requirement 9: Restrict physical access to workplace and cardholder data
  • PCI DSS Requirement 10: Implement logging and log management
  • PCI DSS Requirement 11: Conduct vulnerability scans and penetration tests
  • PCI DSS Requirement 12: Documentation and risk assessments
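One concrete place where Requirements 3 and 10 meet in practice is application logging: even a store that hands card entry to a processor can leak full card numbers into its own log files through a debug statement or an unfiltered request dump. The following Python is an added example, not code from the original post and not OptiCred's product. It redacts card numbers (PANs) from log lines before they are written, keeping only the first six and last four digits, which is the most PCI DSS permits to be displayed, and drops card verification values entirely. The log lines are constructed for this example, and the card numbers in them are standard test numbers, not real accounts; the Luhn check is used so that ordinary 13-19 digit reference numbers are not mangled.

```python
import re

# Constructed sample log lines for this example (not from the original page).
# The 16-digit values are well-known test PANs, not real card accounts.
SAMPLE_LOG_LINES = [
    "2024-01-23T10:15:02Z checkout order=1001 card=4111111111111111 exp=12/26 amount=59.90",
    "2024-01-23T10:15:03Z checkout order=1002 card=5555 5555 5555 4444 cvv=123 amount=12.00",
    "2024-01-23T10:15:04Z checkout order=1003 ref=1234567890123 amount=7.50",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN as first six + last four digits, the maximum PCI DSS allows to display."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


# 13-19 digits, optionally separated by single spaces or dashes as users often type them.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Card verification values must never be stored at all, so they are removed, not masked.
_CVV_RE = re.compile(r"\b(cvv2|cvv|cvc)=\d{3,4}\b", re.IGNORECASE)


def redact_line(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit sequence and strip CVV fields from one log line."""

    def _mask_match(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"\D", "", raw)
        # Only sequences that look like card numbers are touched; other long
        # numbers (order refs, tracking ids) are left as they are.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return raw

    line = _PAN_RE.sub(_mask_match, line)
    line = _CVV_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)
    return line


def redact_lines(lines):
    """Apply redact_line to every line; this is what a logging filter would call."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG_LINES, redact_lines(SAMPLE_LOG_LINES)):
        print("raw     :", before)
        print("redacted:", after)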

Simplify PCI Compliance with OptiCred’s Advanced Security Solutions

For many companies, the PCI DSS requirements can seem overwhelming. With OptiCred you get a secure environment for your website and you will automatically meet several of the most complex requirements. Among other things our solution will help you with:

  • Fully managed and updated web application firewall
  • Protection against OWASP Top 10 threats
  • Application security monitoring and virtual patching
  • Real time alerting, incident handling and response
  • Continuous analysis of WAF and environment logs
  • Vulnerability scanning and reports