PCI Compliance Checklist: What Every Ecommerce Business Needs to Know
It seems like every day we hear about a new data breach. In 2020 alone, major companies like J.Crew, Estee Lauder, T-Mobile, GE, Marriott, Avon, and Staples all experienced data breaches, costing large sums of money and damaging customer trust.
It’s easy to think, “that only happens to the big guys,” but the fact is, 90% of breaches impact small businesses. For this reason, eCommerce retailers that process credit or debit card payments online – so, just about all of them! – should be PCI compliant. So what is PCI compliance, and how can it help your business? Let’s dive in!
What is PCI Compliance?
PCI is an acronym for “Payment Card Industry.” You may also see it as PCI DSS, which stands for “Payment Card Industry Data Security Standard.” Either way, the PCI compliance definition is “a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.”
PCI compliance was developed in 2006 by the PCI Security Standards Council (PCI SSC), an independent body made up of payment card industry leaders from Visa, MasterCard, American Express, Discover, and JCB (which is why is sometimes referred to as “credit card compliance”). Their goal is to protect all parties involved in payment transactions, including payment networks, processors, financial institutions, customers, and businesses.
Why is PCI Compliance Important?
PCI compliance is not a legal requirement. However, failing to follow PCI protocols could get eCommerce retailers into legal trouble. How? If your business suffers a data breach, and resulting investigations reveal that your processes were not PCI compliant, you may be subject to thousands of dollars in government and payment card issuer fines and fees, and lawsuits and insurance claims may be brought against you for failing to comply with PCI standards. In addition, you could lose customer confidence, valuable employees, the ability to accept payment cards (the death knell for online retailers) and be subject to higher costs of compliance.
So, while you can’t be penalized simply for being non-PCI compliant, you can be held accountable for any breach that occurs if you’re not compliant. And, as mentioned earlier, 90% of breaches impact small businesses, so it’s better to be safe than sorry.
You may be wondering why cybercriminals would want to go after small businesses; after all, there are much bigger fish to fry! Well, cybercriminals see small businesses as easy prey. They know that most large retailers will be PCI compliant and thus less vulnerable. However, they’re wagering that many small businesses have not taken the necessary steps to become PCI compliant, making them an easy mark.
6 Types of Security Breaches PCI Compliance Protects Against
While cybercriminals will always be looking for a way in despite protections (that’s just what they do), PCI compliance can do a lot to protect against the following six types of security disasters.
- Malware. Criminals use malicious software to infiltrate a computer system and steal payment data. Ransomware, in which a hacker holds data “hostage” in exchange for money in Bitcoin, is one of the fastest-growing forms of malware.
- Phishing. A common delivery vehicle for malware, phishing emails (such as an invoice or a request for information from the C-suite) look legitimate to convince people to open them. However, they contain malicious links or attachments that can infect a computer and the entire system.
- Remote Access. Weak remote access controls, for example, those used by your payment terminal vendors, allow cybercriminals to gain access to your systems that store, process, or transmit payment data.
- Weak Passwords. There’s a reason why passwords today are asking for different case letters, numbers, and special symbols: More than 80% of data breaches involve stolen/or weak passwords.
- Outdated Software. Flaws in outdated software often go “unpatched,” which makes them easy for cybercriminals to infiltrate.
- Skimming. While this only applies to physical store locations, skimming is when criminals attach small hardware "skimming devices" to card readers that steal customer payment data when they use payment cards. Then, counterfeit cards can be created to make illegal purchases.
The 4 PCI Compliance Levels
Think it’s not fair that your small business is held to the same PCI standards as a multi-billion dollar company like Amazon? The good news is that it’s not! There are four PCI compliance levels, which are determined by the number of transactions a business handles each year.
- Level 1: Merchants that process over 6 million card transactions annually.
- Level 2: Merchants that process 1 to 6 million transactions annually.
- Level 3: Merchants that process 20,000 to 1 million transactions annually.
- Level 4: Merchants that process fewer than 20,000 transactions annually.
The PCI SSC also offers a simple self-assessment questionnaire on their website that will help you determine which PCI Data Security Standard requirements are applicable to your business.
How Startups and Small Ecommerce Business Can Prepare Using This PCI Compliance Checklist
Below are the ways you can up your PCI compliance levels in order to protect your business and your customers. Think of this as your “PCI Compliance Checklist.” All 12 PCI compliance requirements pertain to a principle, and these principles are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
1. Use and Maintain Firewalls
When a cybercriminal or other unknown actor, malicious or otherwise, tries to access private data in your system, a firewall essentially blocks them from entering. Of course, firewalls are not impenetrable, and vulnerabilities can be found (which is why it’s important to maintain them through updates), but they’re a good first line of defense.
2. Use Proper Password Protections
Third-party software and hardware often come with generic passwords and default security measures that can easily be accessed by cybercriminals. To be PCI compliant, you need to change these passwords and adjust basic configurations, as well as keep a list of every device that requires a password or other means of access.
3. Protect Stored Cardholder Data
Cardholder data should never be stored beyond the time it takes to finalize a transaction unless required for legal, regulatory, or business needs. If storage is necessary, businesses must limit storage and retention time to a minimum, purging data at least every quarter. PCI compliance also addresses how primary account numbers (PAN) should be displayed, e.g. only revealing the first six and last four digits.
4. Encrypt Transmitted Data
When cardholder data is transmitted across public networks, this is a prime opportunity for cybercriminals to intercept it. This PCI requirement states that cardholder data must be encrypted whenever it is sent to these known locations and that it should never be sent to unknown locations.
5. Use and Maintain Antivirus Software
Antivirus software such as McAfee or Norton is required for any device that interacts with or stores PAN. Just like your firewall, this software needs to be regularly updated so that vulnerabilities can be patched. Check out PC’s list of the best antivirus software for 2021.
6. Maintain Secure Systems and Applications
Ecommerce businesses must keep software secure, working with their software vendors to ensure security patches are up to date and easily accessible and executable. In addition to deploying critical patches in a timely manner, businesses need to create a process for discovering new vulnerabilities and ranking them. These updates are especially important for all software on devices that interact with or store cardholder data.
7. Restrict Cardholder Data Access
Cardholder data is very sensitive information and should only be viewed only by agents who absolutely need to know it. The majority of your staff and third parties will not need access to this information, so it should be restricted. Those roles that do need access to this data should be highly documented and regularly updated.
8. Assign Unique IDs for Access
Rather than have a single login username and password for cardholder data, individuals who need access must have individual credentials and identification. This ensures that whenever someone accesses cardholder data, that activity can be traced to a known user or at least immediately recognized as unauthorized access. For remote access, two-factor authorization is required which provides an extra layer of security.
9. Restrict Physical Access to Data
All on-site cardholder data must be physically kept in a secure location, monitored, and require logs. Procedures to quickly identify people who don’t belong must be put into place. Backups must also be maintained at a secure secondary site. Lastly, when the business no longer needs the data, it must be destroyed.
10. Audit Networks Regularly
PCI compliance requires eCommerce businesses to monitor and test their networks on a regular basis to ensure there are no physical or wireless vulnerabilities. Automated audit trails are needed, along with the ability to reconstruct events, should a breach occur. Audit data must be secured and maintained for at least one year.
11. Scan and Test for Vulnerabilities
Vulnerabilities happen due to cybercriminal activity, malfunctions, human error, and the introduction of new code. This means that all internal and external systems and processes must be tested quarterly to ensure that security is maintained. Other ongoing PCI DSS requirements include penetration testing as well as the use of intrusion detection and prevention systems. In addition, file monitoring is required for PCI compliance so that alerts are raised anytime a user has modified content, configuration, or a system file in an unauthorized manner.
12. Document Security Policies
Inventory of equipment, software, and employees that have access to data will need to be documented for compliance. The logs of accessing cardholder data and the way in which information flows into your company, where it is stored, and how it is used after sales must also be documented. Additionally, an individual or a team needs to be appointed for creating security awareness initiatives and for screening prospective employees, contractors, etc. as part of the hiring process to avoid internal data breaches.
Budgeting for PCI Compliance
Achieving and maintaining the 12 steps of PCI compliance will undoubtedly cost money. Of course, how much money will depend on which level of compliance your business falls, the size of your organization, your company’s security culture, the type of technology you use, and whether you can afford a dedicated IT/PCI professional.
However, because the cost of non-compliance can be so great should a data breach occur (and it’s honestly not a matter of if, but when), it’s worth it to find the budget for it even if it means cutting expenses elsewhere or upping the pricing on certain products temporarily in order to raise the money. In the end, you’ll have a secure eCommerce business and peace of mind for you and your customers.
Reduce Data Security Concerns with The Fulfillment Lab
Technology provides eCommerce retailers with many benefits, from monitoring inventory to tracking shipments, payment processing to customer data security. Of course, acquiring these systems requires a big financial investment—and there’s always a learning curve!
When you offload order fulfillment to The Fulfillment Lab, a leader in eCommerce marketing with 14 international facilities, take the burden of shipping off your hands. You’ll also reduce a lot of your PCI compliance concerns because you’ll gain access to our cutting-edge Global Fulfillment System (GFS™) software. This secure system allows you to monitor inventory, track shipments, customize packaging, and process payments. Be sure to check out our blog, 10 Reasons to Use a Fulfillment Center for Your Ecommerce Shipping, for more, and don’t hesitate to contact us to learn more.