PCI Compliance Checklist for Ecommerce Businesses
If you run an online business that handles credit card transactions, you need to follow the Payment Card Industry Data Security Standard (PCI DSS) by law.
Following the requirements can be confusing – but it’s essential you get it right. In this guide, we’ll set out a clear PCI compliance checklist for you to take in and tick off.
In this PCI compliance guide:
- What is PCI compliance?
- Why is PCI compliance necessary?
- Why PCI compliance is so important to ecommerce
- Why your business needs PCI compliance
- What to include on your PCI compliance checklist
- How does Adobe Commerce help businesses stay compliant?
- PCI compliance — frequently asked questions
What is PCI?
The Payment Card Industry Data Security Standard regulates the handling of cardholder data. MasterCard, Visa, JCB International, Discover, and American Express created the standard in 2006. The PCI Security Standards Council released Version 4.0 of the standard in March 2022.
Cardholder data refers specifically to:
- credit card numbers
- cardholder names
- expiration dates
- security codes
PCI compliance is essential whether you process three credit card transactions a month or 3,000. It applies to any business or merchant that stores, transmits, accepts, or processes cardholder data, whether on an on-premises or a cloud commerce solution.
Why is PCI compliance necessary?
In the early days of ecommerce, industry standardization and compliance were much needed. Back then, there were no set standards for website architecture, design, or configuration — let alone measures to protect sensitive data such as credit card numbers and tracking data.
With the increasing instances of unauthorized transactions reported by consumers, Visa launched its own requirements and standards platform to be followed by any retailer conducting business on the internet and accepting Visa as a tender.
There were other credit card brands working on similar projects at the time, but Visa had the strongest requirements. Eventually the brands came together and helped form the Payment Card Industry Data Security Standard (PCI DSS) council to create a formal set of requirements and standards that covered all brands. The standards help to not only protect the card brands, but also retailers and consumers.
The different levels of PCI compliance.
There are four levels of PCI compliance, which vary based on the number of card transactions a company processes. Level 1 is the strictest level, and level 4 the least strict.
Why PCI compliance is so important to ecommerce.
PCI DSS provides a set of baseline requirements and standards on how to protect consumer credit card data, which is referred to as cardholder data or CHD. The standards help guide companies on how to initially build an internal Information Security program and design it to meet their own business needs.
The requirements and standards also identify where and how CHD is coming from, moving through, and ultimately being stored. Mapping how the data moves throughout a company’s network is one of the first steps to knowing how to protect it.
Even some of the biggest companies in the world are vulnerable to data breaches.
- In 2017, Verizon Communications announced that every single Yahoo account was affected by breaches starting in 2013. This included over three billion accounts.
- In 2018, 500 million Marriott Hotels customers had their data hacked. Within this tranche of data were passport numbers, names, addresses, and encrypted card details.
- In 2019, Macy’s reported a data breach after hackers attached malicious code to its Checkout and My Wallet pages.
PCI DSS 4.0 attempts to combat the rise in cyberattacks. If you follow the 12 requirements and their sub-requirements, you can help too.
Why PCI compliance is essential to your business.
A PCI compliance program is just one piece of a company’s overall Information Security program. There is a symbiotic relationship between the programs – one strengthens the other.
The PCI compliance program helps to identify a basic set of standards that, when implemented correctly for the business, help to strengthen the company’s overall Information Security program.
Risks of being non-compliant.
The risks range from monetary fines imposed by the card issuers to loss of consumer trust in businesses that are found to be non-compliant. Card issuers can impose fines of between $5,000 and $50,000 per month, and can also suspend the use of credit cards on your site.
Trust is built over years and can be as valuable as any product sold. Beware of violating that trust by not protecting consumer card data as the effects of that can have a lasting impact on your business.
What you need to do to protect your business.
The latest update to the standard, PCI DSS 4.0, has six main requirements that are broken out into 12 sub-requirements that contain more than 300 specific standards – all of which need to be met. These standards have one main goal in mind: protecting cardholder data. That is the golden nugget that every person with malicious intent is trying to get to. Once they have cardholder data, it can be used for their own profit at the expense of the consumer, partner, business, and the card issuers.
What to include on your PCI compliance checklist.
The PCI DSS provides a general set of standards that can be implemented across any business model. Over the years the council has improved on the language, definitions, and applicability of the requirements and the changes have incrementally helped to improve PCI DSS compliance as a whole.
Your PCI compliance checklist should include the following:
- Use a firewall between the payment card data and the public network, and keep the firewall updated. This includes creating a ‘secure zone’ for card data sources and ensuring outbound connections from your cardholder data environment (CDE) are explicitly authorized.
- Don’t use vendor-supplied default passwords that come with network equipment or devices used in payment processing. This also involves encrypting administrative traffic and using a VPN for web-based management of that equipment.
- Do not store cardholder data. If you have a business need to keep cardholder data, make sure you use strong encryption. You can use Adobe Commerce’s Braintree extension to shift the storage of cardholder data off your systems. Make sure to document your data retention policy and eliminate card data after use.
- Use encryption to protect all transmission of cardholder data over any public network. Ensure that your encryption keys are valid and trustworthy.
- Use antivirus software on all machines in the cardholder data environment and ensure that the software is regularly updated. You’ll need to deploy anti-virus software on the systems that are commonly targeted by malware.
- Check that your card processing systems have vendor-supplied security patches installed. Make sure to install all security updates within one month of release.
- Limit access to cardholder data to as few people as possible. You’ll also need to train your staff for their specific security level.
- Assign a unique ID to each user so that everyone is accountable for their own actions. It’s also important to disable remote access accounts when they’re not in use.
- Restrict physical access to the cardholder data environment. This involves destroying media where needed and using secure couriers.
- Monitor all access to the network and cardholder data environment. Keep audit logs and review them regularly.
- Regularly test your security systems and network environment. Use internal and external vulnerability tests and scans.
- Maintain a security policy and ensure that all personnel are aware of it. Written security and compliance policies are essential to your data security.
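Two of the checklist items above, not storing cardholder data and regularly reviewing logs, are easiest to verify with a small detective control: scan the logs your application actually writes for anything that looks like a primary account number (PAN) and mask it to the first six and last four digits, which is the most PCI DSS allows to be displayed. The script below is an added example written for this guide, not code from Adobe Commerce or the PCI council. The log lines are constructed for the demonstration and the card numbers in them are the publicly known Visa and Mastercard test numbers, not real accounts; the Luhn check is used to separate real PAN-shaped values from order ids and timestamps.

```python
import re
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (the maximum PAN length is 19).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the PCI DSS display limit), mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_line(line: str) -> Tuple[str, int]:
    """Return the line with every Luhn-valid PAN masked, plus how many PANs were found."""
    found = 0

    def _replace(m):
        nonlocal found
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw            # order ids, timestamps and similar are left untouched
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_replace, line), found


def audit_log(lines: List[str]) -> Tuple[List[str], List[int]]:
    """Scrub a whole log and return the (0-based) indices of lines that contained a PAN."""
    scrubbed, offenders = [], []
    for idx, line in enumerate(lines):
        clean, n = scrub_line(line)
        scrubbed.append(clean)
        if n:
            offenders.append(idx)
    return scrubbed, offenders


# Constructed sample log lines (not from any real system). The 16-digit order id is
# not Luhn-valid and must survive; the two gateway debug lines leak test card numbers.
SAMPLE_LOG = [
    "2024-03-01T10:22:05Z INFO checkout order=ORD-1234567890123456 amount=59.90",
    "2024-03-01T10:22:06Z DEBUG gateway request card=4111111111111111 exp=12/26",
    "2024-03-01T10:22:07Z DEBUG gateway retry card=5555 5555 5555 4444",
]

if __name__ == "__main__":
    clean, offenders = audit_log(SAMPLE_LOG)
    for i, line in enumerate(clean):
        print("PAN " if i in offenders else "    ", line)
    print(f"{len(offenders)} of {len(SAMPLE_LOG)} lines held cardholder data")
```

Any line the script flags points at a code path that writes cardholder data somewhere it should never be stored; fix the logging there, rather than relying on the scrubber, and keep the scan in your regular log review so a regression is caught quickly.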
PCI compliance checklists: frequently asked questions.
What does PCI compliance mean?
Payment card industry (PCI) compliance helps ensure credit card data security for online merchants. It includes technical and operational standards, as mandated by card issuers such as Visa, MasterCard, and American Express. The standards are developed and managed by the PCI Security Standards Council.
Do I need to be PCI compliant?
If you handle, process, transmit, or store credit card data of any sort, you need to be PCI compliant. Though there are 12 PCI DSS requirements in total, there are four separate levels of compliance. You’ll need to complete a PCI self-assessment to work out your exact requirements.
What happens if I’m not PCI compliant?
If a data breach occurs and you’re not PCI compliant, you can face fines and suspensions from credit card trading. It’s essential that you keep your business up to date.
How does Adobe Commerce help businesses stay compliant?
Adobe Commerce, powered by Magento, offers a payment application/bridge that meets a separate standard from the PCI council, the Payment Application Data Security Standard (PA-DSS).
PA-DSS is a stand-alone certification process offered by the council. Adobe Commerce’s payment application/bridge has undergone the process to become PA-DSS certified.
While Adobe Commerce provides a PA-DSS compliant application/payment bridge, it does not make you PCI compliant automatically due to the number of PCI controls that lie outside the Adobe Commerce platform.
For more information about completing your PCI compliance checklist or recommendations for a qualified security assessor, contact Adobe Commerce online.