In order to accept credit card payments online or offline, you must comply with the credit card associations and networks rules concerning data security, with the objective to protect cardholder data. This has been standardized throughout the payment processing industry under the Payment Card Industry Data Security Standard (PCI DSS).
You are required to be PCI compliant if you accept any payment cards such as American Express, Discover Network, Diners Club International, JCB, MasterCard and Visa. This includes credit cards, debit cards, prepaid cards and gift cards.
When you accept payment cards online through a merchant account, some of the details of PCI compliance are handled by your web host, some are handled by your merchant account provider (payment processor), and some aspects are handled by you (the merchant).
Server PCI Compliance
This component is handled by us. Our Business account plan servers have been updated for PCI compliance. If you'd like us to assist you in making your server PCI compliant or have any questions please submit a ticket to Support.
Payment Processing Company PCI Compliance
This component is handled by your payment processing company. They are responsible for maintaining their own secure network environment.
(Your payment processing company can also guide you on how to be PCI compliant. They are a good resource to contact about PCI Compliance questions.)
SSL and Secure Certificates
In addition to the servers being PCI compliant (which we handle for you), the credit card associations and networks also require that you use SSL whenever you transmit credit card information, such as the card number, cardholder's name, expiration date, CVV code, etc. (such as when a customer enters their credit card on your shopping cart order form or payment page). This is an important part of making your website PCI compliant.
Please refer to our article on SSLs for more details on why and when you would need an SSL Certificate and our article on obtaining and installing an SSL certificate for more info on how to get it implemented.
Shopping Cart, Order Page, Website Coding
The shopping cart or order page code used on your website is required to be PCI Compliant as well. Many shopping carts and e-commerce software will indicate that they are PCI compliant.
Some of the items required to be PCI compliant include:
The use of complex and unique passwords to access the e-commerce systems to prevent unauthorized access.
Note: be sure not to use the default passwords that came with your shopping cart or e-commerce software or POS system.
Only authorized staff members can access cardholder data.
Your website is protected against security vulnerabilities and clean of malware. If you are using a third-party script like a shopping cart or e-commerce system, this usually means running the latest secure version.
Your website, shopping cart or e-commerce software logs payment processing transactions.
Your website must not email secure card information to you (such as the card number, cardholder's name, expiration date, CVV code, etc.). Sending cardholder data via email is insecure. Instead, it should be securely stored in a database or another secure method.
These are just some of the requirements. As you can see, certain requirements deal with how you use your website (i.e. using secure passwords) in addition to the script or website coding itself.
Using a modern shopping cart or e-commence script and employing secure passwords and procedures will usually take care of all your website coding related PCI compliance issues.
Your Company Policies and Procedures
In addition to securing the server and obtaining an SSL certificate, your internal company procedures also fall under PCI compliance. For example, if you are storing cardholder data in your office, it must be secured in password-protected computers and/or in locked filing cabinets to prevent unauthorized access. Leaving cardholder data in an unlocked filing cabinet where unauthorized people can access it is considered a violation of PCI DSS. PCI compliance goes beyond whether your server is secure or not; it also applies to paper records, printouts and employee procedures in your office.
The Bottom Line
The objective of PCI Compliance is to protect cardholder data from unauthorized access, whether it occurs through your server or through the filing cabinet in your office. Putting policies and practices in place to prevent unauthorized access to cardholder data will help to ensure that you are PCI compliant.
Need Further Assistance?
For server related PCI issues, please contact support.
For all other PCI issues, the payment processing company where you obtained your merchant account is the best resource for PCI Compliance information. They also may have specific requirements that are unique to their network. You can usually contact your sales representative or agent directly, or call your payment processing company's support hotline. Contact information may also be found on your payment processor's website.