With all the buzz about PCI compliance deadlines looming in 2018, we’ve had a few clients ask us what they should do to make their websites PCI compliant. In this article, we’ll clear up some misconceptions about PCI compliance and explain what it is, why it’s so important and what needs to be done to make your website PCI compliant, if need be.
What Is PCI Compliance?
The main purpose of the Payment Card Industry Data Security Standard (PCI DSS) is to protect cardholder data and to prevent breaches of it. PCI compliance applies to every business that accepts payments from the major card brands (American Express, Discover, JCB, MasterCard, Visa). Merchants fall into four compliance levels; the level is set by the card brands based on the number of card transactions processed per year and on how card data is collected, handled and stored electronically, and it determines how compliance has to be validated (a self-assessment questionnaire for the lower levels, an on-site assessment by a Qualified Security Assessor for Level 1).
- Level 1: more than 6 million card transactions per year
- Level 2: 1 million to 6 million card transactions per year
- Level 3: 20,000 to 1 million card transactions per year
- Level 4: fewer than 20,000 card transactions per year
How Much Does PCI Compliance Cost?
Validating compliance (through a self-assessment questionnaire or a QSA assessment, depending on your level) can cost anywhere from $1,000 to $50,000 USD per year. That seems like a hefty fee, but non-compliance is costlier: it leaves your business exposed to data breaches, you are liable for the cost of re-issuing the affected cards, and the card brands and your acquiring bank can impose substantial fines.
Why Is PCI Compliance So Important in 2018?
PCI compliance makes credit card handling safer for both the merchant and the cardholder, and it reduces the risk of breaches and identity theft. If your business is not PCI compliant, your acquiring bank can stop you from accepting card payments altogether, which means losing existing and potential customers.
How to Make a Website PCI Compliant
If your website takes payments or donations of any kind by credit card then yes, you need to be PCI compliant.
The first and most effective step is to reduce your scope. If every payment function is outsourced to a PCI DSS validated provider, for example through a hosted payment page or the provider's embedded (iframe) form, so that card numbers never pass through or are stored on your own servers, you may qualify for the shortest self-assessment questionnaire (SAQ A) and most of the requirements below fall on the provider rather than on you. Whatever remains in your scope has to meet the following requirements, which map to the twelve PCI DSS requirements.
1. Build and Maintain a Secure Network
Install and maintain a firewall configuration that protects cardholder data
Change every vendor-supplied default password and other security parameter before a system goes into production
Keep shared credentials in a password manager such as LastPass rather than in documents, email or chat
2. Protect Your Users’ Credit Card Data
Protect any cardholder data you store: keep it to the minimum the business needs, never retain the full magnetic stripe, card verification code or PIN after authorization, and render the PAN unreadable (truncated, tokenized or strongly encrypted) wherever it is kept
Encrypt cardholder data whenever it is transmitted across open, public networks (TLS on every page that handles card details, not only the checkout page)
3. Have an Ongoing Vulnerability Management Program
Protect all systems against malware and keep antivirus software up to date
Develop and maintain secure systems and applications: patch known vulnerabilities promptly and follow secure coding practices for anything you build yourself
4. Strong Data Access Measures
Restrict access to cardholder data to employees whose job requires it (need to know)
Assign a unique ID to every person with system access and authenticate them, using multi-factor authentication for administrative access to systems that handle card data
Restrict physical access to cardholder data
5. Ensure Network Integrity
Log and monitor all access to network resources and cardholder data
Test security systems and processes regularly, including vulnerability scans and penetration tests
6. Information Security Policy
Maintain an information security policy that covers everyone who works with your systems, employees and contractors alike
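As an added example that is not part of the original article: a small Python utility that finds card numbers that have leaked into application logs and masks them to the first six and last four digits, the format PCI DSS permits for display. It backs steps 2 and 5 above: card data that ends up in logs is stored cardholder data, and log review is where it usually turns up. The log lines are constructed for this example, the card numbers are the published Visa and MasterCard test numbers, and the Luhn check keeps ordinary 16-digit identifiers such as order numbers from being masked.

```python
import re
from typing import List, Tuple

# Constructed sample log lines for this example (not from the original article).
# The first two contain Luhn-valid published test card numbers; the third holds
# a 16-digit order number that fails the Luhn check and must be left intact.
SAMPLE_LOG_LINES = [
    "2018-03-01 12:00:01 INFO checkout card=4111111111111111 amount=19.99",
    "2018-03-01 12:00:02 DEBUG form body: pan=5555 5555 5555 4444 exp=12/20",
    "2018-03-01 12:00:03 INFO order_id=1234567890123456 shipped",
]

# A candidate PAN is 13 to 19 digits, optionally separated by single spaces or
# dashes, and not part of a longer run of digits.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN to its first six and last four digits (PCI DSS 3.3 display format)."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> Tuple[str, int]:
    """Mask every Luhn-valid PAN in text; return (redacted_text, pans_found)."""
    found = 0

    def _replace(match):
        nonlocal found
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number: leave it untouched
        found += 1
        return mask_pan(digits)

    return _PAN_CANDIDATE.sub(_replace, text), found


def redact_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a list of log lines; return (clean_lines, total_pans_found)."""
    clean, total = [], 0
    for line in lines:
        redacted, n = redact_pans(line)
        clean.append(redacted)
        total += n
    return clean, total


if __name__ == "__main__":
    clean_lines, count = redact_log(SAMPLE_LOG_LINES)
    for line in clean_lines:
        print(line)
    print(f"{count} card number(s) masked")
```

Run it over a day's application logs; any non-zero count means card data is reaching a system you probably did not intend to have in scope, and the fix is upstream (stop logging the request body, or move the card form to the payment provider) rather than in the log filter.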
Final Thoughts on PCI Compliance
Your goal should be to give customers a memorable experience that provides value every time they visit your website. PCI compliance may not feel like part of your core business, but if a customer's card details are compromised as a result of visiting your website, the damage to your organization's reputation can be hard to recover from.