What is PCI compliance and does it affect me?

March 15, 2018 . by Aaron B

If you plan to run an e-commerce site, you need to be familiar with PCI compliance. PCI stands for Payment Card Industry, an independent body created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB). PCI establishes a set of specific rules and requirements you need to comply with if you want to accept, process, store or transmit payment card information. This set of rules is known as the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS first came into force in 2006 with the aim of creating a framework for managing and securing the online transaction process.

The Payment Card Industry Data Security Standard (PCI DSS) applies to organisations of any size that accept credit card payments through their website.

Since 2005, more than 340 million records have been compromised in online security attacks; 80% of those security attacks have targeted small merchants, who are ultimately the most vulnerable to the risks that online frauds can pose.

If you are planning to accept card payments and to store, process or transmit cardholder data, you need to host that data securely with a PCI-compliant hosting provider. If you don’t, you can face fines, and if fraud occurs the liability rests with your company. This is not a recommendation; it is a requirement.

Besides being fined, not complying with PCI regulations could potentially put you out of business, especially if you are just getting on your feet and establishing your brand. A negative reputation, or even losing the ability to take credit card payments, can literally mean the collapse of your business. That’s why it is so important to safeguard yourself—or ally with someone who will.

What does SSL have to do with PCI compliance?

There is a lot of confusion when it comes to SSL certificates and PCI compliance. For merchants accepting online payments, fulfilling the PCI DSS requirements is a must, and installing an SSL certificate is one of those requirements.

SSL certificates protect sensitive data from hackers and from security attacks in general. The protection comes from encrypting the connection between the customer’s browser and the merchant’s web server: the information the customer enters is transformed into an unreadable form that only the merchant’s web server can decrypt, so an attacker on the network cannot read it, let alone tamper with it.

When customers send their credit/debit card or banking details, there is always a risk that some sensitive data may be accessed for fraudulent purposes. This normally happens while the data is in transit from the customer’s web browser to the merchant’s web server: if that connection is not protected by an SSL certificate, cybercriminals can easily intercept and tamper with the data.

SSL certificates protect not only payment details but also other potentially sensitive information such as email addresses, postal addresses and, most importantly, login credentials.

It is really important that you get an SSL certificate regardless of which payment processor you choose.

What should a payment gateway offer to be PCI compliant?

A payment gateway is a service offered to merchants by a payment service provider (PSP) that authorises credit card or direct payments processing for online retailers. A payment gateway facilitates a payment transaction by the transfer of information between a payment portal (such as a website, mobile phone or interactive voice response service) and the front-end processor or acquiring bank.

Sometimes payment gateways use quite confusing language to obfuscate the issue of PCI compliance.

Types of Payment Gateways

To understand how payment gateways work, it helps to divide them into four categories:

Direct

Direct gateways keep the customer completely on-site throughout the checkout process, and for this reason they are the major concern in terms of PCI compliance. With this method, the user enters their credit card details directly on your website. This offers a better and more professional checkout experience, since the user stays on your site for the entire process. Direct payment gateways also see lower cart-abandonment rates, because the user never navigates away from your website.

Some payment gateway integrations, which are technically ‘direct’ gateways because they keep the customer on your site during checkout, offer one very important addition: they use client-side encryption to remove the PCI issues. They achieve this by encrypting the payment information in the browser before it is sent through your server. No raw card details are ever passed from your site to your server or the payment processor; instead an encrypted version or a ‘token’ is what travels through the rest of the transaction.

Barclaycard ePDQ Direct Link and SagePay Direct for WooCommerce are examples of direct payment gateways.

Form

You can take payments using forms too. All you need is, well, a form and a payment processing service. Your form will need to gather any info you need from customers—such as the colour of the item and their shipping address. For this method to work, you will need to connect your form app to a payment processor like PayPal or Stripe.

iFrame

iFramed gateways use a payment form that appears on your site but is actually hosted on another server rather than served from your own site. The payment form is embedded from a secure source even though it looks like part of your website. The main benefit of this method is that customers remain on your site for the entire checkout process: it looks like the checkout takes place on your site, but the payment form is hosted elsewhere.

Off-Site

Off-site gateways are the easiest to understand. They make the customers navigate away from your site to complete the payment process. This is the easiest way to start taking payments online as off-site payment gateways don’t require any PCI compliance on your side. Your online store will be PCI compliant while using one of these gateway integrations, as no sensitive information touches your site or is passed through your servers. The payment processor simply sends basic information to your website, such as whether the transaction was successful or not.

Adyen HPP, Barclays ePDQ & Sage Pay Server are all good examples of off-site gateways.

WooCommerce and PCI compliance

There seems to be a misconception that WooCommerce and its plugins need to be PCI compliant. It is very important to stress that a payment gateway integration can’t achieve PCI compliance by itself. The main reason is that PCI compliance involves the whole server setup and is a much more extensive matter than which payment gateway you use to process online payments.

Because WordPress and plugins like WooCommerce have no influence over your hosting environment, they cannot be PCI compliant on their own.

Especially if you are using a direct payment gateway, compliance requires several other steps beyond having an SSL certificate. You will need to look at your server environment as well as your website and payment gateway plugin to ensure they are all secure.

If you wish your WooCommerce site to comply with PCI, these are some steps you should take:

  1. Always choose a trusted, secure hosting provider – preferably one which claims and actively promotes PCI compliance. Cheap or shared hosts are unlikely to cover this.
  2. Implement security best practices when creating passwords and limit access to your server.
  3. Never store credit card details, not on your server or anywhere else.
  4. With the aid of your hosting provider, implement an SSL certificate to keep your checkout process secure.
  5. Keep installed plugins to a minimum.
  6. Keep plugins up to date to ensure latest security fixes are installed.
  7. Working with your payment processor, use an ASV (approved scanning vendor) to scan your site and find issues – work to fix any identified issues until you pass the scan.
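
Added example, not code from the original post or from WooCommerce: a small card-number (PAN) detector you can run over your server’s request bodies, access logs and database exports to verify two points made here, that a client-side-encrypting or off-site gateway lets no raw card number reach your server, and that step 3 (never store card details) actually holds. The sample lines are constructed, and the card number in them is the public Visa test number, not a real account.

```javascript
// Added example (not from the original post): detects raw card numbers (PANs)
// in text your server handles, such as request bodies, access logs and database
// exports, so you can check that none reach your server or are stored there.
// Sample inputs are constructed; the card number is the public Visa test number.

// Luhn check: every genuine PAN passes it, which filters out most order ids,
// phone numbers and timestamps that happen to be 13-19 digits long.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate PANs: 13-19 digits, optionally separated by single spaces or
// dashes, and not embedded in a longer run of digits.
const CANDIDATE = /(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])/g;

// Returns the PANs found in `text`, masked to first six and last four digits
// so that the scan report does not itself become cardholder data.
function findPans(text) {
  const hits = [];
  for (const m of text.matchAll(CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, '');
    if (digits.length >= 13 && digits.length <= 19 && luhnValid(digits)) {
      hits.push(digits.slice(0, 6) + '*'.repeat(digits.length - 10) + digits.slice(-4));
    }
  }
  return hits;
}

// Scans a batch of lines and reports the 1-based line numbers that leak a PAN.
function scanLines(lines) {
  return lines.map((line, i) => ({ line: i + 1, pans: findPans(line) }))
              .filter(r => r.pans.length > 0);
}

// Constructed sample: an access-log line, a leaked order meta row, a tokenised
// request body as a client-side-encrypting gateway sends it, and a false alarm.
const SAMPLE = [
  '203.0.113.5 - - [15/Mar/2018:10:00:00 +0000] "POST /checkout/ HTTP/1.1" 200 512',
  'order_id=1001 card_number=4111 1111 1111 1111 exp=12/20',
  '{"token":"tok_example_1234567890abcdef","last4":"1111","amount":1999}',
  'phone=+44 20 7946 0958 ref=20180315100000',
];

console.log(scanLines(SAMPLE));  // only line 2 is reported
```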

If you have any questions feel free to ask below, and don’t forget to do your research when making the right decisions for your business.