To deter rampant online and credit card fraud, the credit card and banking industries instituted several security rules and compliance procedures to protect consumers from becoming victims. These procedures have become standardized in the industry under the PCI DSS, which stands for Payment Card Industry Data Security Standard. PCI compliance means that your business complies with the rules of the PCI DSS.
Credit card companies require all merchants accepting online payments to be PCI compliant. Responsibility for PCI compliance falls on the merchant, as well as on the hosting company and the website software. While the merchant needs to follow the accepted rules in regard to storing the credit card data, the hosting company needs to ensure the servers that process the data are properly secured, and the website developer needs to ensure the website code isn’t vulnerable to intruders who may gain access to sensitive credit card information.
There are many rules for being compliant. From the developer perspective, this includes performing periodic scans of the web server for its vulnerability status, attesting to the stability and privacy of the website code, and making sure all credit card data is processed under SSL (that’s the little security lock in the browser’s address bar). PCI compliance also requires restricting the storage of credit card information. From a merchant perspective, this also includes offline procedures such as storing any cardholder data in a locked location to prevent unauthorized access.
The web server that is hosting a website also needs to be compliant. For larger sites that have isolated hosting environments, this is usually not a big issue, but for smaller websites on shared hosting plans, this can be a problem since there are few hosting companies that provide shared hosting under PCI compliance. Two companies we know of that provide this are Hostgator and SiteGround.
While the objective of PCI compliance is to protect consumers from fraud, it has become a big burden for merchants, developers, and hosting companies. The list of requirements keeps on growing, and the attestation forms have become ridiculously cumbersome, to the point where their effectiveness has been significantly weakened. Further, the PCI compliance agencies constantly find issues that are irrelevant yet need to be attested to and brought forward to the hosting company for a response.
Whether you like it or not, PCI compliance is a fact of doing business online, and you have to stick to the rules. The rules are strictly enforced by the merchant providers and compliance agencies, and violations of the rules, even on trivial matters, will result in non-compliance fines. If you are doing business online, make sure your website, hosting, and general policies fall under PCI compliance guidelines. On all shopping cart and payment websites we work with, we make sure to stay on top of this to ensure your level of compliance.