PCI compliance rules were established by the Payment Card Industry (PCI) to help improve data security and reduce fraud. Although these guidelines are not technically mandatory, card-accepting businesses may be subject to fines, litigation or termination of their merchant accounts if fraud occurs within their payment environments. In other words, banks and payment processors may provide the technology to accept payments, but merchants are still responsible for the way they process and store sensitive credit card data, and any fraudulent activity that may arise from that. Even in the absence of liability rules, PCI compliance is a good idea since these data security guidelines help protect your business and customers from fraudulent attacks. A useful analogy is the seatbelt. In New Hampshire, for example, adult drivers aren’t technically “required” to wear them. But because seatbelts save lives, you should buckle up anytime you’re in a car.
PCI Compliance in the Online World
PCI-compliant fraud protection is essential for all businesses. It’s particularly important in e-commerce since buyers and sellers never meet face to face. With no way to independently verify the identities of anonymous shoppers, online credit card fraud is now a $6.4 billion industry for criminals. The biggest targets of fraudulent attacks are usually the smallest players. According to some estimates, 60 percent of all cyberattacks are directed toward small to medium businesses because these merchants often lack the technical know-how and resources to protect themselves. Fortunately, a growing number of e-commerce tools have begun placing greater emphasis on fraud management — from shopping carts to plugins to content management system (CMS) suites. If you currently use platforms such as WordPress or WooCommerce, becoming PCI-compliant is easier than ever before. But it’s not automatic. There are steps you must take to make your website compliant with the Payment Card Industry’s data security guidelines. Those steps apply to any merchant accepting credit card transactions whether you rely on Drupal, Joomla! or Magento to run your business. As WordPress is the most widely used CMS suite, and the WooCommerce plugin is arguably the most popular e-commerce platform, we’ll use these tools in the examples below.
WordPress PCI Compliance: Taking Steps to Protect Yourself
The most important starting point involves choosing a PCI-compliant payment processor. If your provider doesn’t follow the latest security best practices, none of the other steps on this list matter. Choose a processor that can provide you with a secure payment gateway. Once this is done, you can move on to the next steps.
1. Determine your merchant level
The PCI compliance rules change depending on the transactional volume of your business. To know what guidelines you must follow, you must determine your merchant level type. If you’re like most small businesses, you probably qualify for Level 4 — which has the easiest compliance process. To be sure, you should verify your status first.
2. Self-assessment questionnaire
The next step involves taking a self-assessment questionnaire (SAQ) to determine your current risk exposure. These tests can seem overwhelming at first, but most of the questions require simple yes/no responses.
3. Approved scanning vendor
Although not always required, it’s a good idea to engage an approved scanning vendor (ASV) that can use automated tools to detect potential vulnerabilities in the software and hardware that manage payment data.
4. Security policies and training
The steps above will push you toward PCI compliance, but to remain compliant, you also need to stay on top of:
- Software updates
- Security patches
- Antivirus protection
- Malware scanning
In addition, you must train your employees how to properly manage payment information — preferably on a need-to-know basis. It also helps to have everyone select long, alphanumeric passwords for all logins.
5. Secure sockets layer certificate
A secure sockets layer (SSL) certificate is an add-on credential that lets online shoppers know they have a direct, encrypted connection with your website (instead of a copycat’s). The protocol that actually carries the encrypted traffic today is SSL’s successor, TLS, but the certificate is still commonly sold and referred to as an “SSL certificate.” Once the certificate is installed and your site is configured to serve pages over it, your site’s URLs will use the “https” scheme (an extra “s” appended to the familiar “http” prefix).
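Installing the certificate is only half the job; the site also has to refuse to serve pages in the clear. The following WordPress snippet is an added example, not code from the original article, showing how to redirect every plain-HTTP visit to HTTPS and to tell browsers to stay on HTTPS. The file name `force-https.php` and the `wp-content/mu-plugins/` location are assumptions; `is_ssl()`, `home_url()`, `wp_safe_redirect()`, the `template_redirect` and `send_headers` hooks and the `FORCE_SSL_ADMIN` constant are standard WordPress APIs.

```php
<?php
/**
 * Added example, not from the original article: force HTTPS on a WordPress site
 * once a certificate is installed.
 * Hypothetical path: wp-content/mu-plugins/force-https.php
 * (must-use plugins load before themes and regular plugins, so the redirect
 * applies to every front-end request).
 *
 * Pair it with this line in wp-config.php so logins and wp-admin are always
 * served over TLS as well:
 *     define( 'FORCE_SSL_ADMIN', true );
 */

// Redirect any plain-HTTP front-end request to the same path over HTTPS.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return; // already encrypted, nothing to do
    }
    $request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';

    // home_url() builds the target from the configured site address rather than
    // the client-supplied Host header, and wp_safe_redirect() only follows
    // redirects to hosts WordPress trusts, so a forged Host header cannot be
    // used to bounce visitors to a copycat site.
    wp_safe_redirect( home_url( $request_uri, 'https' ), 301 );
    exit;
} );

// HTTP Strict Transport Security: browsers that have seen this header will use
// HTTPS for later visits without first trying HTTP. It is only sent on HTTPS
// responses. Start with a short max-age (one day shown) while you confirm every
// page and subdomain works over TLS, then raise it to a year or more.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=86400; includeSubDomains' );
    }
} );
```

One caveat worth knowing before enabling this: if TLS terminates at a load balancer or CDN in front of your server, PHP sees a plain-HTTP connection, `is_ssl()` returns false, and the redirect above loops. The usual fix is to set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when the proxy sends `X-Forwarded-Proto: https`, and to trust that header only when you know the proxy sets it and strips any copy supplied by the client.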
6. More verification details
For an online sale to go through, most e-shopping carts require the cardholder’s name, account number and expiration date. These represent the bare minimum in security, especially given that online fraud leads to billions in annual losses. Therefore, you should consider also requiring additional authentication details such as billing addresses and card verification values (CVVs). One caveat: the CVV may be used to authorize a transaction, but it must never be retained afterwards, not even in encrypted form, because PCI DSS prohibits storing it once authorization is complete.
7. The right plugins and tools
Technically speaking, WordPress isn’t PCI-certified. Neither is WooCommerce, for that matter. However, both were designed from the ground up with security in mind. For example, WordPress comes with admin controls that allow you to restrict access for each individual user. WooCommerce never stores credit card details, making it impossible for thieves to get their hands on payment data. Learn more in our companion article, WooCommerce and PCI Compliance. You don’t have to choose these specific tools, but whatever platforms and plugins you use should come with comparable levels of compartmentalization and control.
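What “restricting access for each individual user” looks like in practice is a role that grants staff only the capabilities their job needs. The snippet below is an added example, not the article’s or WooCommerce’s own code: a narrowly scoped WordPress role for people who process orders but should never be able to install code, change store settings or create users. The role name `order_clerk`, its display name, the helper function and the file location are invented for this example; `add_role()`, `get_role()`, `user_can()` and `add_action()` are WordPress core functions, and the `*_shop_order(s)` and `manage_woocommerce` capability names are the ones WooCommerce registers for its order post type and store settings (assumed here; confirm them against the WooCommerce version you run).

```php
<?php
/**
 * Added example, not from the original article or from WooCommerce: a
 * least-privilege "Order Clerk" role.
 * Hypothetical path: wp-content/mu-plugins/order-clerk-role.php
 *
 * Staff who only process orders get exactly that. If a clerk's password is
 * phished, the attacker inherits an account that cannot install plugins,
 * edit theme code, change payment settings or promote itself.
 */

add_action( 'init', function () {
    if ( get_role( 'order_clerk' ) ) {
        return; // role already exists; add_role() would return null anyway
    }
    add_role( 'order_clerk', 'Order Clerk', array(
        'read'                    => true, // log in and use the dashboard
        // WooCommerce order capabilities (assumed names from its shop_order post type):
        'read_shop_order'         => true,
        'edit_shop_orders'        => true,
        'edit_others_shop_orders' => true, // orders are created by customers, not by the clerk
        // Deliberately NOT granted. Each of these is a path from "clerk" to "site owner":
        //   manage_options, install_plugins, edit_plugins, edit_themes, edit_files,
        //   edit_users, create_users, promote_users, manage_woocommerce (store settings).
    ) );
} );

/**
 * Hypothetical helper for a custom refund screen: a money-moving action is
 * gated behind the store-management capability, which the clerk role does not
 * hold, so an order clerk can update an order but cannot refund it.
 */
function order_clerk_example_can_refund( $user_id ) {
    return user_can( $user_id, 'manage_woocommerce' )
        && user_can( $user_id, 'edit_shop_orders' );
}
```

Two design choices are worth stating. First, the list of capabilities that are *not* granted is written down in the role definition itself, so the next person to edit it sees why they are absent. Second, the same thinking applies to administrators: adding `define( 'DISALLOW_FILE_EDIT', true );` to wp-config.php removes the built-in theme and plugin code editor from the dashboard for every account, which closes the most direct route from a stolen admin login to arbitrary code on the server.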
WordPress PCI Compliance — One Final Step
There’s one last piece of the puzzle: You need to share all of the above with your payment processor and bank to earn “PCI Compliance” status (and you must send quarterly reports to remain in good standing). True compliance isn’t a one-time fix. As fraudulent strategies evolve, the steps used to prevent future attacks must also change over time. If you have questions about PCI compliance, or if you’re not sure how to get started, you can refer to the accompanying infographic. It covers many of the most popular myths and misconceptions that small online businesses have about payment security.
Author bio: Kristen Gramigna is Chief Marketing Officer for BluePay, provider of fast, easy and secure payment processing solutions. She brings more than 20 years of experience in the bankcard industry in direct sales, sales management and marketing.