What is it?
Major credit card companies have regulations that you must follow to protect customer's private information from falling into the wrong hands. If you collect payment information you must follow these regulations, even if you don’t process the payment yourself.
Payment Card Industry Data Security Standards (PCI-DSS) include the use of a website firewall and an SSL certificate. These regulations ensure the secure transmission, storage, and handling of cardholder information.
Why do I need it?
You don’t want your visitors hurt because they visited your site and trusted you with their personal information. And if the credit card companies find out you are violating the PCI-DSS regulations, there are penalties and consequences. These can include fines, suspension of ability to process credit card payments, and liability for fraud charges.
What do I need to do?
Reduce your attack exposure
With PCI-DSS, everything is about reducing opportunities for bad actors to get cardholder data. Even if you use a third-party payment processor such as Stripe, Recurly, or PayPal, you must follow the PCI-DSS requirements.
Here’s a few quick tips to secure payments on your ecommerce website:
- Reduce the number of people that can make changes to your site and online store, or access customer information.
- Use good passwords and two-step verification.
- Update your CMS and plugins regularly to avoid vulnerabilities.
- Reduce third-party components, such as plugins, extensions, or themes.
- Install software from reputable sources only.
- Keep your server software up-to-date.
Whenever you add new features or components to your website, you’re also introducing potential for a vulnerability which can be exploited.
PCI compliance & secure payments
To maintain compliance, ensure that your website and payment processing meets PCI-DSS Council requirements. Use the PCI Compliance Checklist to ensure you're fully compliant.
Many online stores use a reputable payment gateway to help process credit card payments and transactions. While this can cover some PCI requirements, you're still responsible to make sure everything complies.
For websites running managed stores, like Websites + Marketing Online Store, the server and all its software are proprietary — meaning you will not be held liable for security configurations.
You should still be familiar with the PCI-DSS standards, as they also apply to handing credit card data in person or over the phone. You’ll also want to use good passwords and two-factor verification to protect your online store from being hijacked.