If you’re an online merchant, and your store accepts credit cards as payment, then you’ve probably already heard the term PCI compliance. If you haven’t, then start here, and then come back to this post.
The Payment Card Industry Data Security Standard (PCI DSS) was created by the major payment card brands to protect their cardholders. Failing compliance can result in fines ranging from $5,000 to $500,000. Add to that the probable loss of consumer confidence, civil litigation, and suspension of credit card services, and the cost of ignoring PCI compliance far outweighs the inconvenience of maintaining it.
Here are four ways to become and stay compliant. We can’t promise they’re easy, but we can promise they’re essential.
1. Read and understand the PCI DSS, or find someone that can
This is no easy task. The PCI DSS requirements document weighs in at a staggering 139 pages. The PCI Quick Reference Guide knocks it down to 40 pages, which is hardly convenient, but does suggest the PCI Security Standards Council might have something close to a sense of humor (spoiler alert: they don’t).
So while we urge you to read it and try to understand all of it, many smart and successful people aren’t particularly qualified to do so. As your hosting company, we can provide some assistance, but only you or a third party hired by you can assess your systems. Find a Qualified Security Assessor (QSA), a security firm trained and certified by the PCI Security Standards Council, to guide you through the labyrinth.
2. Use a PCI-compliant hosting provider
If you’re already a Nexcess client, then you’re all set. While using us or another PCI-compliant host can’t alone make you PCI-compliant, we take great care to cover things on our end so you can focus on yours.
3. Make sure your developer is PCI-savvy
A knowledgeable developer can help bake compliance into your site from the start rather than bolting it on later. In addition, any third party with access to your systems should be following established security best practices, since their access falls within the scope of your assessment.
4. Do a self-assessment every year
Compliance is not a one-time requirement, and the PCI Security Standards Council revises the standard every so often to address emerging threats. Taking the time to complete the self-assessment questionnaire (SAQ) every year will help keep you current and committed. There are several SAQ types; which one applies to you depends on how your store accepts and handles card data. You can download an SAQ from the PCI Security Standards Council website.
Upon request, we also provide a PCI Responsibility Matrix that outlines exactly which requirements are yours, which are ours, and which are shared. The document is available to Nexcess clients through our Support Team, and makes it easy to answer the SAQ questions about your web host.
It’s rigorous, but worthwhile – think of it as exercise for your PCI-compliance muscles. Put it on your calendar during your slowest month so you can face your busiest ones with confidence.
Earned, not given
PCI compliance is required by the card brands holding the keys to the eCommerce kingdom. Moreover, the holidays are a stressful time for consumers, and their trust in your brand is your greatest asset. Defend it with vigor and vigilance, and you’ll likely never have to learn the cost of regaining that trust.