PCI compliance, or more precisely PCI DSS (Payment Card Industry Data Security Standard), is a standard developed by the Payment Card Industry Security Standards Council to make card transactions and cardholder data safer. It applies to every company, whatever its size, that accepts credit card payments.
The Payment Card Industry Security Standards Council was formed in 2006, but the first programs to create a security standard had been started earlier, and individually, by the largest card brands: American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc.
Individual security programs developed before PCI DSS
- Visa – Cardholder Information Security Program
- MasterCard – Site Data Protection
- American Express – Data Security Operating Policy
- Discover – Information Security and Compliance
- JCB – Data Security Program
Even though the biggest card brands established a universal standard, each of them still applies the Data Security Standard through its own compliance program; for most companies, however, compliance with PCI DSS is enough to process credit and debit card transactions.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS, the Payment Card Industry Data Security Standard, is the set of requirements an organisation must meet to be considered compliant. PCI DSS has evolved since its introduction; the latest version at the time of writing, 3.2.1, was released in May 2018.
History of PCI DSS versions
- Version 1.0 was released on December 15, 2004.
- Version 1.1 in September 2006 provided clarification and minor revisions.
- Version 1.2 was released on October 1, 2008. It enhanced clarity, improved flexibility, and addressed evolving risks and threats.
- Version 1.2.1 in August 2009 made minor corrections designed to create more clarity and consistency among the standards and supporting documents.
- Version 2.0 was released in October 2010.
- Version 3.0 was released in November 2013 and was active from January 1, 2014 to June 30, 2015.
- Version 3.1 was released in April 2015, and has been retired since October 31, 2016.
- Version 3.2 was released in April 2016, and it will be retired on December 31, 2018.
- Version 3.2.1 was released in May 2018.
PCI compliance requirements
The PCI Data Security Standard specifies twelve requirements for compliance. These requirements are grouped under six control objectives.
| Control objective | PCI DSS requirement |
|---|---|
| 1. Build and Maintain a Secure Network and Systems | 1. Install and maintain a firewall configuration to protect cardholder data |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters |
| 2. Protect Cardholder Data | 3. Protect stored cardholder data |
| | 4. Encrypt transmission of cardholder data across open, public networks |
| 3. Maintain a Vulnerability Management Program | 5. Protect all systems against malware and regularly update anti-virus software or programs |
| | 6. Develop and maintain secure systems and applications |
| 4. Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know |
| | 8. Identify and authenticate access to system components |
| | 9. Restrict physical access to cardholder data |
| 5. Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data |
| | 11. Regularly test security systems and processes |
| 6. Maintain an Information Security Policy | 12. Maintain a policy that addresses information security for all personnel |
WooCommerce PCI compliance
Before we go into the details, we need to answer a simple but very common question: “Do I need PCI compliance for my WooCommerce online store?”. The answer is YES! Even if you never take card numbers on your own pages and only offer payment methods such as PayPal or cash on delivery, PCI compliance makes your site safer for your users. Don’t forget that you are handling sensitive personal data, and that data is valuable to attackers. As the owner of the online store, you must make every effort to protect your customers’ personal data and payment details.
Now you need to understand that PCI compliance lies in the details. It is not a product or a piece of source code; it is strict adherence to rules and the management of every process involved in taking payments. WooCommerce itself is not PCI DSS certified (the standard assesses a merchant’s whole environment, not a single plugin). That does not mean your WooCommerce store cannot be PCI DSS compliant: you need to choose the right components for your store and keep up with the requirements.
| PCI DSS requirement | What it means for a WooCommerce store |
|---|---|
| 1. Install and maintain a firewall configuration to protect cardholder data | Choose a reliable hosting provider that offers PCI compliant hosting, and put a web application firewall in front of the site. |
| 2. Do not use vendor-supplied defaults for system passwords and other security parameters | Require strong passwords for customer accounts, use strong, unique passwords (ideally with two-factor authentication) for administrator accounts, and do not keep the default “admin” username. |
| 3. Protect stored cardholder data | Do not store card data at all. WooCommerce itself does not store card numbers; make sure no payment plugin, order note or log file does either. |
| 4. Encrypt transmission of cardholder data across open, public networks | Install a TLS certificate and force HTTPS on every page of the site, not only the checkout. It is good for your SEO too. |
| 5. Protect all systems against malware and regularly update anti-virus software or programs | Usually handled by your hosting provider, but a malware scanner for the WordPress files themselves is a sensible extra measure. |
| 6. Develop and maintain secure systems and applications | Server-side systems and applications should be patched by your hosting provider, but keeping WordPress, WooCommerce, themes and plugins up to date is your job. |
| 7. Restrict access to cardholder data by business need-to-know | Give staff the least-privileged WordPress role that does their job, and make sure only authorised people can access customer and order data stored in your store. |
| 8. Identify and authenticate access to system components | Give every person a unique account (no shared logins) and authenticate every access, so that any action on sensitive data can be attributed to a specific user. |
| 9. Restrict physical access to cardholder data | Your hosting provider’s responsibility for the servers. |
| 10. Track and monitor all access to network resources and cardholder data | Shared: the hosting provider keeps network and server logs; you keep WordPress and WooCommerce logs of logins and of who viewed or edited orders, and you review them. |
| 11. Regularly test security systems and processes | Use an Approved Scanning Vendor (ASV) for the quarterly external vulnerability scans PCI DSS requires, and check your site for issues between scans. |
| 12. Maintain a policy that addresses information security for all personnel | It is your responsibility to create, maintain and distribute an information security policy addressing the PCI DSS requirements, together with a risk assessment. |
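As an added example (not WooCommerce’s own code and not from the original article), the following hypothetical must-use plugin shows how several rows of the table above translate into concrete WordPress configuration: forcing HTTPS and sending an HSTS header (requirement 4), raising WooCommerce’s minimum password strength (requirement 2), disabling the dashboard file editor (requirement 6), and writing an audit trail for logins and order views (requirements 8 and 10). The hook names are WordPress’s and WooCommerce’s real ones; the plugin name, the `pci_example_audit` function and the log format are this example’s own.

```php
<?php
/**
 * Plugin Name: PCI hardening example
 * Description: Hypothetical mu-plugin illustrating PCI DSS requirements 2, 4, 6, 8 and 10.
 *
 * Save as wp-content/mu-plugins/pci-hardening.php; WordPress loads mu-plugins
 * automatically, before ordinary plugins.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Requirement 4: never serve the store over plain HTTP. Redirect every HTTP
// request to its HTTPS equivalent. Caveat: behind a proxy or load balancer that
// terminates TLS, is_ssl() only returns true if wp-config.php maps
// HTTP_X_FORWARDED_PROTO to HTTPS; without that mapping this would redirect-loop.
add_action( 'init', function () {
	if ( PHP_SAPI === 'cli' || is_ssl() ) {
		return;
	}
	$path = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
	// home_url() builds the target from the configured site address, so a
	// forged Host header cannot turn this into an open redirect.
	wp_safe_redirect( home_url( $path, 'https' ), 301 );
	exit;
}, 1 );

// Requirement 4, continued: HSTS tells browsers to refuse plain HTTP for a year.
// Sent on front-end requests; set the same header in the web server for wp-admin.
add_action( 'send_headers', function () {
	if ( is_ssl() ) {
		header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	}
} );

// Requirement 2: no weak customer passwords. WooCommerce's strength meter on the
// registration and checkout forms treats passwords below this zxcvbn score
// (0-4, default 3) as too weak.
add_filter( 'woocommerce_min_password_strength', function () {
	return 4;
} );

// Requirement 6: disable the theme/plugin file editor in the dashboard, so a
// compromised administrator account cannot write PHP to the server through it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Requirements 8 and 10: an audit trail that ties logins and order views to a
// named account. Written to the PHP error log here (hypothetical choice);
// ship it to a central log store in production.
function pci_example_audit( $event, $subject ) {
	// Replace control characters so a crafted username cannot forge log lines.
	$subject = preg_replace( '/[^\x20-\x7E]/', '?', (string) $subject );
	$ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	error_log( sprintf( '[pci-audit] %s event=%s subject=%s ip=%s', gmdate( 'c' ), $event, $subject, $ip ) );
}

add_action( 'wp_login', function ( $user_login, $user ) {
	pci_example_audit( 'login_success', $user_login );
}, 10, 2 );

add_action( 'wp_login_failed', function ( $username ) {
	pci_example_audit( 'login_failed', $username );
} );

// Fires when an administrator or shop manager opens an order in wp-admin.
add_action( 'woocommerce_admin_order_data_after_order_details', function ( $order ) {
	$viewer = wp_get_current_user();
	pci_example_audit( 'order_viewed', $viewer->user_login . ' order=' . $order->get_id() );
} );
```

The redirect and HSTS pieces are a fallback; the cleaner place for both is the web server or load balancer configuration, where they also cover wp-admin and static files. The audit hooks only cover what WordPress sees, so they complement, rather than replace, the network and server logs kept by the hosting provider under requirement 10.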
If you are not comfortable implementing all of the PCI DSS requirements yourself, you can choose a payment gateway that handles the whole payment procedure for you, so that card details are entered on the gateway’s hosted page or iframe rather than on your WooCommerce store; this keeps card data off your servers and reduces your compliance scope considerably. However, some of the PCI DSS requirements are directly related to the overall security level of your site, so we recommend using as many of these solutions and tools as possible to ensure a higher level of website security.
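Requirement 3 says not to store card data, and the table above notes that WooCommerce does not do so by default; a check a practitioner should still run is whether a plugin, an order note or a customer note has stored a card number anyway, even when the gateway handles the actual payment. The script below is an added example (not part of WooCommerce or the original article): it scans rows shaped like a wp_postmeta export for 13 to 19 digit runs that pass the Luhn checksum and reports them masked to the first six and last four digits. The sample rows are constructed for the example, using the well-known Visa test number 4111 1111 1111 1111 as the planted hit.

```php
<?php
/**
 * pan-scan.php: look for card-number-shaped values in exported store data.
 * Hypothetical example, not part of WooCommerce. Run with: php pan-scan.php
 */

/** Luhn checksum: every real card number passes it, most random digit runs fail. */
function luhn_valid( string $digits ): bool {
	$sum    = 0;
	$double = false;
	for ( $i = strlen( $digits ) - 1; $i >= 0; $i-- ) {
		$d = (int) $digits[ $i ];
		if ( $double ) {
			$d *= 2;
			if ( $d > 9 ) {
				$d -= 9;
			}
		}
		$sum   += $d;
		$double = ! $double;
	}
	return 0 === $sum % 10;
}

/**
 * Return the Luhn-valid 13-19 digit runs found in $text, masked to the first
 * six and last four digits (the most PCI DSS allows to be displayed).
 */
function find_pans( string $text ): array {
	$found = array();
	// Digits optionally separated by single spaces or dashes, not part of a longer run.
	if ( preg_match_all( '/(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)/', $text, $m ) ) {
		foreach ( $m[0] as $candidate ) {
			$digits = preg_replace( '/\D/', '', $candidate );
			$len    = strlen( $digits );
			if ( $len >= 13 && $len <= 19 && luhn_valid( $digits ) ) {
				$found[] = substr( $digits, 0, 6 ) . str_repeat( '*', $len - 10 ) . substr( $digits, -4 );
			}
		}
	}
	return $found;
}

/** Scan rows shaped like wp_postmeta (post_id, meta_key, meta_value) and report hits. */
function scan_rows( array $rows ): array {
	$hits = array();
	foreach ( $rows as $row ) {
		foreach ( find_pans( $row['meta_value'] ) as $masked ) {
			$hits[] = array(
				'post_id'  => $row['post_id'],
				'meta_key' => $row['meta_key'],
				'pan'      => $masked,
			);
		}
	}
	return $hits;
}

// Constructed sample rows standing in for a wp_postmeta export. Only the
// customer note contains a Luhn-valid card-length number; the phone number is
// too short and the 16-digit transaction id fails the checksum.
$sample_rows = array(
	array( 'post_id' => 101, 'meta_key' => '_billing_phone',  'meta_value' => '+1 415 555 0100' ),
	array( 'post_id' => 101, 'meta_key' => '_transaction_id', 'meta_value' => '1234567890123456' ),
	array( 'post_id' => 102, 'meta_key' => '_customer_note',  'meta_value' => 'Please charge card 4111 1111 1111 1111 and keep it on file' ),
	array( 'post_id' => 103, 'meta_key' => '_order_key',      'meta_value' => 'wc_order_5Kc1xYz' ),
);

foreach ( scan_rows( $sample_rows ) as $hit ) {
	printf( "post %d, %s: %s\n", $hit['post_id'], $hit['meta_key'], $hit['pan'] );
}
```

In a real check, feed `scan_rows()` the output of a `wp db query` or a SQL dump, and run it over wp_comments as well, since WooCommerce stores order notes there, and over the WooCommerce log files under wp-content/uploads/wc-logs. Any hit means card data has entered your environment and must be removed, and the plugin or process that wrote it fixed, before the store can be considered compliant with requirement 3.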