Since shopping has gone digital, more consumers are purchasing clothes, shoes, groceries, and other products online. Ecommerce websites have become in-demand, opening worlds of possibilities for people trying to find ways to earn extra money. Online-selling leveled the marketing field, allowing small businesses to compete with bigger and more established companies.
With vast opportunities also come numerous security threats. Since most online transactions use credit cards, sensitive information can easily be stolen by cyber criminals if an online retailer has a weak security posture. Because of this, the Payment Card Industry Security Standards Council (PCI SSC) developed a reference guide to help online businesses ensure that their clients’ sensitive information are protected. These global data security standards are adopted by merchants, software developers, and device manufacturers covering all online businesses that process, store, and transfer sensitive authentication data.
In this article, we list down the 12 requirements eCommerce websites need to be PCI Data Security Standard (PCI DSS) compliant. We will be providing you with some useful tips on how to accomplish each one of these.
1. Install and maintain a firewall configuration to protect cardholder data
By providing ample network security controls, hackers will have a hard time stealing cardholder data. Putting up a strong firewall also ensures that traffic from untrusted networks would be denied access.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Make sure to create new and hard-to-decipher passwords for every new device you plan to use in accessing your website. Avoid using birthdays, surnames, and other personal information as passwords, as these can easily be acquired by strangers. Passwords should be memorized and should not be left lying around written on a sheet of paper.
3. Protect stored cardholder data
Unless your business calls for it, never store cardholder data. After finishing each business transaction, authentication data should be deleted and rendered unrecoverable. A secure alternative would be to use a card reader or point-of-sale processor that doesn’t retain information on business systems.
4. Encrypt transmission of cardholder data across open, public networks
Ecommerce merchants should take extra precaution when transferring sensitive data using public networks. Use strong cryptography and security protocols to safeguard cardholder data, and avoid using WEP as a security control.
5. Protect all systems against malware and regularly update anti-virus software programs
Ecommerce website owners should constantly update their anti-virus software, anti-spyware programs, and other cyber-threat solutions. All applications should be free of bugs in order to prevent hackers from penetrating the system.
6. Develop and maintain secure systems and applications.
Install vendor-provided security patches to address vulnerabilities within the system, and place them within one month of release. Identify if newly discovered vulnerabilities are high, medium or low risk.
7. Restrict access to cardholder data by business need to know
Access to data cardholder must be on a business need-to-know basis. Limit people who can be granted access to sensitive cardholder data information.
8. Identify and authenticate access to system components
Assign a unique identification to all users (sales, operations, and administrative departments) before granting them access to critical data so that actions taken can be traced back to known and authorized users. Use strong verification methods to authenticate users.
9. Restrict physical access to cardholder data.
Critical cardholder data should be protected physically and electronically. Use facility controls to limit physical access to sensitive areas, such as the cardholder data environment. Keep media back-ups in a safe off-site location.
10. Track and monitor all access to network resources and cardholder data
Website owners need to monitor logging mechanisms so they can be made aware of suspicious user activities. These anomalies may present themselves through invalid access attempts, pausing of audit logs, or changing and deleting accounts with administrative privileges.
11. Regularly test security systems and processes.
Hackers are getting more creative when it comes to discovering a system’s vulnerability. In order to avoid breaches and data loss, eCommerce websites should regularly be tested to ensure that all security measures are updated and functioning properly. Merchants should invest in a behavioral attack detection solution to detect possible anomalies within the system and eliminate them quickly.
12. Maintain a policy that addresses information security for all personnel.
Even with a considerably smaller staff, eCommerce websites owners should still establish and maintain a security policy, to be reviewed and updated annually or when the environment changes. An incident response plan should also be put in place, should a system breach occurs.
E-commerce websites should also set their level of compliance (level 1 to level 4) depending on the estimated number of transactions they’ll have over the course of a year. The level of compliance will determine the type of assessment needed and how often it needs to be done.
Compliance with these requirements is not a one-time thing. Online businesses should remember that it is a continuous process, and should be done annually. It is recommended that every eCommerce website takes proper inventory of their transactions so that the information may be readily available come audit time.
Satisfying all the mentioned 12 requirements will not only prevent your website business from incurring fines, it can also save you from potential liabilities such as fraud losses, diminished sales due to lost client confidence. The security benefits given with maintaining PCI DSS compliance is important to the long-term success of your eCommerce website.