The 21st century witnessed a lot of growth in the online retail industry. This industry, being the most talked about, has spurred a lot of activity in parallel industries such as ecommerce software vendors, online payment, third party fulfillment service providers, security and more. Each of these industries has played an important role as factors contributing to the success of eCommerce. In this blog we will discuss a very important aspect of the eCommerce businesses – PCI Compliance.
As most online transactions today happen through credit and debit cards and with this information being saved by online merchants, there is a possibility of hackers leveraging the shortcomings in eCommerce systems and exploit them. To curb and stop this exploitation, major financial corporations like Visa, MasterCard, American Express, JCB, PayPal and Discover have put in place guidelines, to mitigate this risk, called the Payment Card Industry Data Security Standard (PCI DSS). This guideline recommends websites certain security policies to protect information of cardholders and their cards during and after the final transaction. Merchants’ eCommerce store when adheres to these guidelines becomes PCI Compliant making the eCommerce store safe for customers to transact.
In order to get PCI compliant, any merchant must:
Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Maintain an Information Security Policy
- Maintain a policy that addresses information security
How to be PCI Compliant?
To get PCI compliance one needs to follow a few steps that mirror the best security practices. The steps are three, but can be considered one ongoing/continuous process.
- First step would be to assess. You would have to analyze vulnerabilities of your IT asset (read website); recognize loopholes that would give hackers a chance to exploit.
- Second step would be to remediate (monitor and fix). Fix all the vulnerabilities that were found in the first step.
- The third step would be to report. In case you find any irregularities in the above-mentioned steps, your first point of action should be reporting it to the designated authorities i.e. banks.
This has been a blog on what is PCI Compliance and what does it take to get PCI compliant. What are your thoughts on it? Share your feedback and suggestions by commenting below. Alternatively, you can write to us at firstname.lastname@example.org