If you're running an e-commerce website that accepts credit cards, then just the title of this blog will bring back painful memories of a long drawn-out, very costly process.

If you haven't heard of PCI DSS compliance, then we suggest you continue reading. Otherwise you too may end up facing the same scenario as many have before you.

The most painful part is that after it is all resolved, you realise it could have been avoided if you had been prepared.

So what is PCI compliance all about?

PCI DSS stands for Payment Card Industry Data Security Standard. It was introduced back in December 2004 when a group of companies realised they had the same goals. Each company's mission was to protect the large card providers by making sure their merchants proved they had security measures in place, and kept them constantly in mind, as they store, process and transmit credit card data.

They grouped their companies together, each keeping its own identity, but issued one single directive that every online business owner who accepts or stores card information via their website must comply with.

The PCI DSS Process:

As your business grows and takes more income, you will be notified by your payment processor that you must prove you are PCI compliant.

You will be offered a choice of PCI compliance providers to sign up with. Many of our clients have chosen TrustWave, which seems to be the most popular of the options so far.

Once you select a provider and sign up, they will send you a username and password so you can log into your new account at any time and follow your progress.

The next steps are broken into two parts:

Part 1: Web Hosting Server Scan.

By law your website must be hosted on secure web hosting servers that have been hardened to the highest standard for e-commerce websites that currently take, or plan to take, payments via credit card.

Your website hosting will be scanned for compliance and a report will be generated to confirm whether the server is safe for transmitting sensitive information. Additional requirements for email also need to be put in place.

If items are flagged in the report as vulnerabilities, your web hosting provider will need to make changes to the server. This can take many weeks to resolve because of the provider's current commitments and deadlines and, in many cases, their knowledge of the hosting server technology.

Part 2: Self Assessment Questionnaire.

You will log into your PCI compliance provider's account using the username and password they sent to your email address upon registration.

Based on our knowledge of TrustWave, the self-assessment questionnaire is broken down into six sections.

  • The first three sections are questions that you will need help with from your web hosting provider.
  • The fourth section is about the devices and computers that connect to your website.
  • The final two sections require you to provide information about your business practices, for example how hard-copy information is stored and the legal policies you have in place.

Once Part 1 proves successful and all sections of your questionnaire are complete, you will be deemed PCI compliant and able to continue trading as normal.

Don't forget to contact your payment processor to let them know.

It doesn’t end there!

As long as you accept payment via credit card and are signed up with a PCI compliance provider, they will check on you throughout the year to make sure your web hosting server is still compliant and your other information is still up to date.

The DigitalConfig Fast Track Checklist:

The above process may seem simple because we have explained it, but without the right support from people with experience of PCI compliance, certain items can take far too long to resolve.

We have helped many customers who waited months to resolve this, all while being charged a non-compliance fee or, in the worst cases, being unable to withdraw funds from their accounts.

So we decided to create a simple list that will help speed things up:

  • We recommend that as soon as you consider accepting card payments via your website, you switch to a hosting provider that advertises that it is PCI compliant. Just like us.
  • Once your website is on your new hosting, log into your PCI compliance provider's website and request another scan of your hosting server.
  • Email your new hosting provider and ask them the hosting security questions that you are required to answer in your self-assessment questionnaire.
  • Assess all devices that you and your employees use to connect to the website and make sure they are updated with the latest security patches and fixes, e.g. Windows updates on computers. Full antivirus software must also be installed.
  • Provide information on how you store hard-copy information and the legal policies you have in place.
  • Don't forget to contact your payment processor to let them know.