PCI Compliance Checklist For eCommerce Businesses

Early Years

A PCI compliance checklist was needed in the early years of eCommerce because there were no set standards for web site architecture design or configuration—let alone measures to protect sensitive data such as credit card numbers and data tracking. With the increasing instances of unauthorized transactions reported by consumers, Visa launched its own requirements and standards platform to be followed by any retailer conducting business on the Internet and accepting Visa as a tender.

There were other credit card brands working on similar projects at the time, but Visa had the strongest requirements. Eventually the brands came together and helped form the Payment Card Industry Data Security Standard (PCI DSS) council to create a formal set of requirements and standards that covered all brands. The standards help to not only protect the card brands, but also retailers and consumers.

Definition of a PCI Compliance Checklist and Why It’s So Important

PCI DSS is so important because it provides a set of baseline requirements and standards on how to protect consumer credit card data, which is referred to as cardholder data or CHD. The standards help guide companies on how to initially build an internal Information Security program and design it to meet their own business needs. The requirements and standards also help to identify where CHD enters the environment, how it moves through it, and where it is ultimately stored. Mapping how the data moves throughout a company's network is one of the first steps to knowing how to protect it.

Why Your Business Will Be Better With a Comprehensive PCI Compliance Checklist

A PCI compliance program is just one piece of a company’s overall Information Security program. There is a symbiotic relationship between the programs. Having one helps to strengthen the other. The PCI compliance program helps to identify a basic set of standards that, when implemented correctly for the business, help to strengthen the company’s overall Information Security program.

Risks of Being Non-Compliant

The risks range from monetary fines imposed by the card issuers to loss of consumer trust in businesses that are found to be non-compliant. Trust is built over years and can be as valuable as any product sold. Failing to protect consumer card data violates that trust, and the effects can have a lasting impact on your business.

What You Need to Do to Protect Your Business

The latest update to the standard, PCI DSS v3, has six main requirements that are broken out into twelve sub-requirements, which in turn contain more than three hundred specific standards that have to be met. These standards have one main goal in mind: protecting cardholder data. That is the golden nugget that every person with malicious intent is trying to get to. Once they have cardholder data, it can be used for their own profit at the expense of the consumer, partner, business, and the card issuers.

If You Were Writing a PCI Compliance Checklist, What Would You Include?

The PCI DSS provides a general set of standards that can be implemented across any business model. Over the years the council has improved the language, definitions, and applicability of the requirements, and the changes have incrementally helped to improve PCI DSS compliance as a whole. Your PCI compliance checklist should include the following:

How Does Magento Help Businesses Remain Compliant?

Magento offers a payment application (payment bridge) that meets the PA-DSS, or Payment Application Data Security Standard, a standard maintained alongside the PCI DSS. The PA-DSS is a stand-alone certification process offered by the council, and Magento's payment bridge has undergone that process to become PA-DSS certified. While Magento provides a PA-DSS compliant payment bridge, this does not make you PCI compliant automatically, because many PCI controls lie outside the Magento platform.

For more information about completing your PCI compliance checklist or recommendations for a qualified security assessor, contact Magento online.