If you accept, transmit, or store credit or debit card information, you MUST be PCI compliant.
Being “PCI compliant” means you comply with the Payment Card Industry Data Security Standard (PCI DSS). In other words, you must meet data security requirements set by the Payment Card Industry Security Standards Council. These are rules put in place to protect cardholder data and reduce the risk of fraud and theft.
If you are not PCI compliant, and you collect credit card information, you may be audited, fined, and/or lose your ability to accept credit card payments.
See also: PCI compliancy explained
What does PCI compliance mean for me?
The credit card industry has adopted strict security guidelines defined by the PCI Security Standards Council.
These guidelines ensure your business and website are secure from hacker and identity theft threats, and that your clients’ credit card information is properly protected.
Adhering to the strict PCI guidelines protects both your clients and your business. Failing to comply means that liability is passed on to you.
What do I have to do to be PCI compliant?
Your exact PCI compliance requirements will depend on the size of your business.
Your payment processing company (where you obtained your merchant account), bank, or the credit card brands you do business with will be able to provide your exact requirements.
According to minimum PCI compliance standards, however, you must:
- Maintain a secure network
- Regularly monitor and test networks
- Maintain a vulnerability management program
- Maintain an information security policy
- Implement strong access control measures
- Protect cardholder data at all times
- Never store CVV and credit card data
- Never store sensitive data in cookies
- Ensure your website supports and uses secure socket layer (SSL)
Your website will also have to pass a PCI compliance scan from a certified Approved Scanning Vendor (ASV). A current list of ASVs can be found here: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
The PCI Security Standards Council provides helpful information here: https://www.pcisecuritystandards.org/merchants/how_to_be_compliant.php
Please note: HostPapa is certified as a PCI compliant ecommerce merchant; however, it is the responsibility of each ecommerce website owner and operator to be PCI compliant. Many PCI requirements pertain to your day-to-day business activities, home or office networks, website and database design, and other items over which HostPapa has no control.
Is it possible to sell online without becoming PCI compliant?
You have two options when selling online:
- Become a PCI compliant merchant. You must be certified using a third-party certification and security vendor. Due to the nature of shared web hosting – with multiple websites sharing one server – it may be difficult for you to pass third-party certification.
- Use a company that offers PCI-compliant and third-party hosted payment pages, such as PayPal or Google Wallet/Google Checkout. These services already meet all PCI compliance requirements – by using one of them, you can quickly begin to sell your goods and services online without the hassle of becoming a fully certified PCI compliant merchant.
Paypal & Website Payments Standard
Meeting the PCI compliant merchant requirements can be costly and time consuming. Website Payments Standard handles sensitive customer information for you so you can spend your time and resources running your business and serving your customers.
Google Wallet/Google Checkout
Start accepting payments on your website in minutes by adding the Google Wallet (formerly Google Checkout) button. Customers simply click the button to pay you with the cards they have with Google Wallet. Google takes care of the payment processing and PCI compliance so you don’t have to.