Last Updated: February 23rd, 2024
Every ecommerce website, regardless of its size or the volume of transactions, must comply with the standards set forth by the Payment Card Industry Data Security Standards (PCI DSS). These crucial guidelines are mandated by major credit card companies to guarantee the secure processing, storage, and transmission of cardholder information.
As the owner of an online store that accepts credit card payments, it is your responsibility to protect the sensitive data of your customers. This applies to anyone who accepts payment data, from the largest corporations to the smallest local small businesses. In essence, PCI compliance is about safeguarding all card transactions and customer data.
This guide will explain the goals and requirements of PCI compliance, best practices for securing ecommerce websites, and tactics to combat threats against online stores. We’ll also explain how Sucuri can help you meet regulatory requirements and protect your data.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally accepted set of technical and operational requirements put in place to ensure the protection of cardholder data provided by customers. Created by a global organization known as the PCI Security Standards Council, which is formed by major credit card companies such as Visa, Mastercard, Discover, and American Express, these standards are mandatory for any business that accepts credit card payments.
PCI DSS covers a broad spectrum of practices like restricting access to cardholder information and creating secure and non-default passwords, to more advanced strategies like encryption and the use of a firewall. The primary aim of PCI compliance is to reduce the attack surface, especially in the Card Data Environment (CDE) — how credit card information is handled on your website. This obligation to adhere to the PCI DSS requirements applies even if you use secure payment services such as Stripe, PayPal, or Recurly.
Being PCI compliant demonstrates your business’s commitment to safeguarding your customers’ credit card information while actively working to prevent credit card fraud and potential data security vulnerabilities.
For example, imagine you run a busy ecommerce store that sells handmade jewelry. The practices defined in PCI DSS ensure that your customers’ credit card data remain safe every time they make a purchase.
Small merchants are not excluded from PCI DSS requirements, either. Unprotected ecommerce websites are prime targets for data thieves. If sensitive customer data or cardholder information is stolen from any website that you’re responsible for, you could incur penalties, large fines, and even lose the ability to accept payment cards.
Important disclaimer: This is not legal advice.
Trust is the key to your online business. If a security incident occurs, it can wreak havoc on traffic, revenue, and brand reputation. The unfortunate reality is that ecommerce websites are frequent targets for cybercriminals looking to steal sensitive customer data and credit card information.
How big of a target is your ecommerce website? With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access.
Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.
Ecommerce websites are susceptible to a number of risks and threats:
Because there will always be some level of risk, security is a continuous process. A proper ecommerce security strategy requires frequent assessment and diligence.
The latest version of PCI DSS is version 3.2.1, released May 2018. The requirements are divided into multiple sub-requirements and hundreds of actions. At first glance, meeting all of these requirements can feel like a daunting task.
As we discuss each of these requirements further, remember, these aren’t just rules to tick off a box but are crucial and functional steps towards ensuring the security of your business and website.
Let’s take a look at the goals and requirements table first.
| Goals | PCI DSS Requirements |
|---|---|
| Build and Maintain a Secure Network and Systems | 1. Install and Maintain Network Security Controls; 2. Apply Secure Configurations to All System Components |
| Protect Account Data | 3. Protect Stored Account Data; 4. Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
| Maintain a Vulnerability Management Program | 5. Protect All Systems and Networks from Malicious Software; 6. Develop and Maintain Secure Systems and Software |
| Implement Strong Access Control Measures | 7. Restrict Access to System Components and Cardholder Data by Business Need to Know; 8. Identify Users and Authenticate Access to System Components; 9. Restrict Physical Access to Cardholder Data |
| Regularly Monitor and Test Networks | 10. Log and Monitor All Access to System Components and Cardholder Data; 11. Test Security of Systems and Networks Regularly |
| Maintain an Information Security Policy | 12. Support Information Security with Organizational Policies and Programs |
So, what are the requirements in the PCI DSS table and what do they mean, exactly? Let’s take a closer look at each requirement and outline some of the steps you can take to meet them.
This first requirement directly relates to securing and documenting your network. Depending on your skill level, you can do it yourself or find an affordable service provider who can help.
If you are going through the PCI assessment process, we recommend that you follow these steps:
Completing these steps will help you meet the requirements for knowing your web assets, as well as restrict and separate access between environments through a firewall.
PCI Requirement 2 states that you should not use vendor-supplied defaults for system passwords and other security parameters. By fulfilling requirements 1 and 2 of the PCI DSS, you are meeting the goal to build and maintain a secure network.
Here are our suggestions for fulfilling PCI requirement 2:
Requirement 3 of the PCI-DSS states that you must secure cardholder data. Many online stores use a reputable payment gateway to help process credit card payments and transactions. While this can help you lift some PCI requirements, it doesn’t mean you’re off the hook entirely!
The best way to meet this requirement is to use a trusted payment gateway and not store credit card details. By only maintaining customer IDs and successful payment confirmations, you significantly reduce the impact of a compromise.
Another important (and sometimes overlooked) recommendation is to enact strong policies with employees and colleagues by enforcing proper security practices.
Requirement 4 of the PCI-DSS states that you must encrypt transmission of cardholder data across open, public networks.
SSL/TLS is the technology used for securing and encrypting sensitive data as it travels between two systems. Although SSL and TLS are technically different protocols, the term “SSL” is commonly used to refer to any encrypted HTTP connection, including TLS. When using an SSL certificate, the website can be accessed over HTTPS rather than HTTP.
As a website that accepts payments, using TLS v1.1 and higher is mandatory for PCI compliance. Encrypting sensitive data like credit card numbers, card holder information, and passwords protects your customers and prevents fraudulent transactions and data breaches.
The use of TLS prevents man-in-the-middle attacks (MITM), which occur when bad actors secretly intercept and possibly modify sensitive user data and credentials via insecure networks.
SSL certificates are also good for establishing and maintaining trust. This allows the green padlock icon to be visible in the browser address bar.
SSL Certificates
Using SSL can also improve your SEO rankings. Search authorities like Google have encouraged webmasters to secure their websites by ranking sites with HTTPS higher than those without certificates.
Many hosting providers offer free and paid SSL certificates. They may even help implement certificates for you. If you’re a Sucuri Firewall user, we offer free certificates by default.
PCI DSS Requirement 5 states that you must protect all systems against malware and regularly update antivirus programs. Under most circumstances, bad actors don’t manually hand-pick websites to attack since this is very time consuming. The majority of attacks against websites are automated and performed by bots who are looking for websites with known vulnerabilities.
In order to comply with PCI Requirement 5, we suggest the following:
Solutions like Sucuri can help detect and block malware threats at the site and server levels, but you’ll need to employ an antivirus on the computers of anyone who accesses the site and its data. You’ll also need to protect against attack vectors outside of the site directory, including access via SSH and FTP.
PCI Requirement 6 states that website owners must ensure system components are protected from known vulnerabilities and common coding vulnerabilities must be addressed.
It doesn’t matter if you’re just starting out and your website is small with very little traffic. If you have a vulnerable CMS, extension, plugin, or theme on your website you will likely be identified by a malicious bot at some point in the future.
By keeping your website software and system components patched and up to date, you are not only mitigating the risk of automated attacks, but also ensuring PCI compliance.
If you are unable to update a vulnerable theme or plugin for your CMS, you can still mitigate exploitation attempts with a firewall that offers virtual patching to prevent the exploitation of known vulnerabilities.
We recommend that you take a look at our firewall features to learn how you can utilize one to secure your website, protect your CDE, and maintain compliance.
PCI Requirement 7 states that you must restrict access to cardholder data by business need-to-know. This means configuring your systems so that they’re only accessible to authorized individuals.
In order to comply with Requirement 7 you should:
PCI Requirement 8 states that you must assign a unique ID to each person with access to system components so you can limit their access and monitor their activities.
Here are some ideas to help comply with Requirement 8:
PCI Requirement 9 states that you must restrict physical access to cardholder data. This is especially important for anyone who has onsite personnel or who physically stores their cardholder data themselves rather than with a third party.
Physical access can refer to:
Maintaining strict controls can help identify individuals who physically access areas storing cardholder data. This is also important for protecting personally identifiable information, especially if you need to comply with the requirements of the General Data Protection Regulation (GDPR).
Here are some key restrictions to minimize risk:
Steps must be taken to destroy cardholder information contained on electronic devices. Dispose of hard copies via paper shredding. Failure to do so can result in a major data breach, leading to a negative reputation and expensive fines after an investigation.
One thing to consider is “dumpster diving”. This is where bad actors search through trash and recycle bins looking for devices that may contain data. If they happen to find a discarded, unencrypted USB drive that wasn’t wiped prior to disposal, or a paper that wasn’t shredded finely enough, the consequences can be major.
Using strong, unique passwords on your website, restricting the privileges available to users through assigned roles, and enabling two-step or multi-factor authentication are mandatory for PCI compliance. These measures reduce the risk of a website compromise or data breach by a bad actor.
If you own a website and collaborate with others, the principle of least privilege is a very solid principle to adhere to. This computer science principle has applications and benefits to strengthen your website security.
PCI Requirement 10 is one of the most important requirements for PCI compliance. This requirement explicitly states that you must implement audit trails and review logs to monitor your web assets and identify a compromise or data breach.
The intent of PCI Requirement 10 is to essentially determine the “who, what, where, and when” of users accessing your data processing resources and website environments. Knowing this information is critical in the event that sensitive information (like credit card data) goes missing.
If you fail to properly log all internal and external users, you may be unable to pinpoint a breach timeline or identify who is responsible for a compromise.
A number of different website monitoring solutions can help look for indicators of compromise (IoC), which can include malware, obfuscated JavaScript injections, cross-site scripting, phishing, backdoors, drive-by-downloads, spam SEO, defacement, malicious redirects, or conditional malware. Integrity monitoring can also help verify the files on your website and alert you of any suspicious changes to DNS settings, SSL certificates, or modifications of core files.
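As an added illustration of the integrity monitoring described above (example code written for this guide, not Sucuri’s product code), the following script takes a SHA-256 baseline of every file under a site root and then reports files that were added, removed, or modified since the baseline was recorded. The site layout and file names in `demo()` are constructed sample data.

```python
"""Baseline-and-compare file integrity check (hypothetical helper, not a Sucuri API)."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest.
    In practice, store this baseline off-host so an intruder cannot rewrite it."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed, or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed sample: a tiny site root, a baseline, then three unexpected changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'shop');\n")
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "readme.html").write_text("<html>sample</html>\n")
        baseline = build_baseline(site)
        # Simulated post-baseline changes: a core file edited, a file dropped in, a file deleted
        with (site / "index.php").open("a") as handle:
            handle.write("// unexpected edit\n")
        (site / "unexpected.php").write_text("<?php // not part of the baseline\n")
        (site / "readme.html").unlink()
        return compare(baseline, build_baseline(site))


if __name__ == "__main__":
    print(demo())  # wp-config.php is untouched and therefore absent from every list
```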
PCI Requirement 11 states that you must regularly test security systems and processes. This includes scanning and reporting on potential vulnerabilities in your network both externally and internally.
Bad actors and researchers alike continue to uncover vulnerabilities, especially with the introduction of new software. For example, recently WordPress published a near-immediate patch after Gutenberg’s official debut.
We recommend the following to help comply with PCI Requirement 11:
To account for this, you should take full advantage of a Web Application Firewall (WAF) that can also function as a virtual patching tool.
PCI Requirement 12 is to maintain a policy that addresses security for all personnel. This policy must be reviewed annually (at least) and include a risk assessment process, incident response plan, and usage policies.
This requirement is broken into several sub-requirements:
If you’re using WordPress, you can use Sucuri’s free WordPress security plugin to monitor file changes, review audit trails, apply hardening features, and detect malware.
If a merchant is found to be non-compliant with the PCI-DSS, there can be a variety of penalties and consequences, ranging from fines to loss of time and reputation damage.
Non-PCI compliant websites can suffer hefty penalties by payment industry regulators if customers experience fraudulent transactions. As of 2023, the global average cost of a data breach was 4.45 million US dollars, while in the United States the average cost was a hefty 9.48 million US dollars.
Under GDPR, any business that experiences the breach of EU residents’ personal information has 72 hours to notify supervisory authorities or risk facing heavy fines. This regulation joins a number of US federal and state laws which hold organizations accountable for the security of customer data.
Perhaps worse than fines, the ability to process credit card payments may be revoked. The PCI standards are created by the major credit card companies, and this is their defense against irresponsible merchants. If a data breach occurs for your ecommerce store, the PCI council can revoke the privilege of using their payment cards.
Merchants suspected of a data breach are required by the PCI-DSS to undergo a mandatory forensic examination, which requires hiring professionals and conducting a time-consuming investigation. A forensic examination may cost between $10K to over $100K depending on the size of your business.
If a compromise of financial information is suspected, a number of states require the merchant to notify customers and inform them of the breach. Merchants may also need to produce up to a year’s worth of credit monitoring or counseling services to affected customers.
Lawsuits may claim liability on merchants for security breaches. It is important to emphasize that protecting your customer’s sensitive information is your responsibility as a business owner. That is why having a secure website is vital.
Card issuers may require merchants to pay the cost of reissuing credit cards, which includes shipping, activation, and communication to the customer. These fees can range from $3 to $10 per card.
In order for a website to accept credit card transactions again, a complete PCI reassessment by an external Qualified Security Assessor (QSA) must be performed.
In the US, businesses are also held accountable for the security of customer data by several federal and state laws. So, it’s in your best interest to abide by the rules to protect your customers, online business, and reputation.
The cost of achieving PCI compliance for your online store can vary. Factors such as the size and type of business, current security infrastructure, and existing level of PCI compliance play a role in determining the cost.
Here’s what you need to take into account before you even start the process for PCI compliance:
Your organization setup and number of card transactions will dictate your costs. Let’s look at the estimated costs for achieving PCI compliance for each business level:
While the expenses may seem hefty, remember, they are significantly less than the potential costs of non-compliance, which may include substantial fines, brand damage, and remediation costs.
Non-compliant ecommerce websites often suffer hefty penalties by payment industry regulators if their customers complain about fraud after using the site.
If a data breach occurs for your ecommerce store, you may even have the ability to accept payments by credit cards suspended or revoked.
There are also non-monetary damages that can be extremely detrimental for your business and reputation.
A 2023 report conducted by IBM showed that:
These statistics highlight how critical PCI DSS compliance is for all e-commerce businesses, protecting both the business and its customers from potential data breaches and ensuring secure and trustworthy transactions. Understanding and implementing these guidelines may seem challenging, but it’s essential for protecting yourself and your customers.
A key tool that can make this task easier is the Sucuri web application firewall. The firewall not only provides a strong line of defense against threats but also aids in meeting PCI DSS requirements related to safeguarding your site against malware, securing your systems, and maintaining the overall integrity of your online store.
If you need help securing your online store or implementing a website firewall, contact us for a free consultation.