Xumulus Blog

PCI compliance tips for e-commerce businesses

The PCI compliance standards, governed by the Payment Card Industry (PCI), are the set of actions that must be taken to protect credit card information during transactions. They have recently undergone changes that may affect how e-commerce businesses secure their clients' financial data.

The most recent PCI Data Security Standard (DSS) update (version 3.2) went into effect on Feb. 1, 2018, after the end of a transition period that began on Oct. 31, 2016 (when DSS version 3.1 officially expired). The transition period was designed to give businesses the time to update how their websites secured their data.

How will e-commerce websites be affected?

PCI DSS version 3.2 is an update of the guidelines released in 2013 and affects both how e-commerce merchants must secure cardholder data and how service providers detect and report failures. As such, e-commerce businesses must update their payment processes and security measures to ensure that they conform to the new standards. In total, version 3.2 has over 80 unique changes, although only nine have a substantial impact.

The following summarizes some of the changes to PCI DSS:

    • Service providers
      Many of the changes in version 3.2 affect service providers, such as a requirement to detect and report on critical control system failures (requirements 10.8 and 10.8.1) and a requirement to perform biannual penetration testing on segmentation controls (requirement 11.3.4.1).
    • Multifactor authentication
      Multifactor authentication is now required for all personnel accessing cardholder data. These authentication methods can include passwords, token keys or biometrics.
    • E-commerce redirection
      Self-assessment questionnaires (SAQ) and reports on compliance (ROC) used by e-commerce businesses for PCI compliance validation now contain additional requirements focusing on e-commerce redirection servers.

Tips to keep your e-commerce business PCI compliant

  1. Update your website as soon as possible
     PCI DSS version 3.2 is already in full effect, so if your business has not updated its practices to reflect the update, do so as soon as possible to prevent cyber attacks that could lead to data breaches.
  2. Plan regular PCI compliance reviews
     Once you ensure your website is up to date with compliance standards, document your company’s security policies and schedule time to review them regularly (such as once per quarter) to ensure your business remains PCI compliant. This is important because, as a recent study on data breaches revealed, many companies view PCI compliance as something that can be checked infrequently after implementation rather than something that must be continuously enforced, which can create holes in security.
  3. Use secure encryption
     Convert from “http” to “https” to improve your security and protect your clients’ information. This is also important because Google will warn potential clients if a website is not secure, which could hurt sales.
  4. Consider outsourcing payments
     PCI compliance may seem complicated, but it doesn’t have to be! Many e-commerce websites outsource their payment pages by redirecting their clients to PayPal (or a similar third-party payment processing site) to reduce their security risks.
  5. Consider outsourcing compliance
     If you want to keep payment processing in-house but are unsure if your business is PCI compliant, you can reach out to the experts at Xumulus, a Chicago-based e-commerce and web development agency, to find out more about implementing PCI compliance best practices.
