Is BusinessAhead eCommerce PCI Compliant?
The quick answer is Yes.
What is PCI Compliance?
In order to accept credit card payments online or offline, you must comply with the credit card associations' and networks' rules concerning data security, whose objective is to protect cardholder data. These rules have been standardized throughout the payment processing industry as the PCI Data Security Standard (PCI DSS).
You are required to be PCI compliant if you accept any payment cards such as American Express, Discover Network, Diners Club International, JCB, MasterCard and Visa. This includes credit cards, debit cards, prepaid cards and gift cards.
When you accept payment cards online through a merchant account, some of the details of PCI compliance are handled by your web host, some are handled by your merchant account provider (payment processor), and some aspects are handled by you (the merchant).
Server PCI Compliance
This component is handled by us. All of our servers have been updated for PCI compliance. If you experience any issues, ask your approved scanning vendor (ASV) to email you the scan report and then forward it to us so we can resolve the findings that conflict with compliance.
Payment Processing Company PCI Compliance
This component is handled by your payment processing company. They are responsible for maintaining their own secure network environment.
We recommend the CCAvenue payment processor for our ecommerce clients. CCAvenue has achieved the new PCI DSS 1.1 Standards of Compliance, which makes it one of the most secure payment gateways in the world. As per PCI norms, credit card numbers are not stored anywhere in our database or in CCAvenue's.
SSL / Secure Certificates
In addition to the servers being PCI compliant, the credit card associations and networks also require that you use SSL whenever you transmit credit card information, such as the card number, card holder's name, expiration date, CVV code, etc. This happens when a customer enters their credit card details on your payment page. This is an important part of making your website PCI compliant. If you are not collecting such sensitive data on your website and instead let your payment processor's website collect it, then you are not required to implement SSL on your website.
Shopping Cart / Order Page / Website Coding
The shopping cart or order page code used on your website is required to be PCI Compliant as well. Some of the items required to be PCI compliant include:
- The use of complex and unique passwords to access the e-commerce systems to prevent unauthorized access.
- Be sure not to use the default passwords that came with your shopping cart or e-commerce software or POS system.
- Only authorized staff members can access cardholder data.
- Your website is protected against security vulnerabilities and free of malware. If you are using a third party script such as a shopping cart or e-commerce system, this usually means running the latest secure version.
- Your website, shopping cart or e-commerce software logs payment processing transactions.
- Your website must not email sensitive card information to you (such as the card number, card holder's name, expiration date, CVV code, etc.). Sending cardholder data via email is insecure. Instead, it should be stored securely in a database or handled by another secure method.
These are just some of the requirements. As you can see, certain requirements deal with how you use your website (e.g. using secure passwords) in addition to the script or website coding itself. Using a modern shopping cart or e-commerce script and employing secure passwords and procedures will usually take care of all your website coding related PCI compliance issues.
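As an added illustration of the last two list items (transaction logging and never emailing card data), here is a small guard, written for this page and not part of the BusinessAhead or CCAvenue software, that an order page can run over any email body or log line before it leaves the application. It masks Luhn-valid card numbers down to the last four digits and strips labelled CVV values entirely, since the CVV is sensitive authentication data that PCI DSS forbids storing after authorization. The sample order text is constructed; the card number in it is a well-known test number.

```python
import re
from typing import Tuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Labelled card-verification value (CVV/CVC/CID): must never be stored or sent.
CVV_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b\s*[:=]?\s*\d{3,4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real PAN satisfies; it filters out most
    order numbers and phone numbers that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_card_data(text: str) -> Tuple[str, int]:
    """Return (redacted_text, pans_found). PANs keep only the last four digits,
    which PCI DSS permits to be displayed; CVV values are removed outright."""
    found = 0

    def mask(m: "re.Match[str]") -> str:
        nonlocal found
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            found += 1
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)              # Luhn failed: not a card number, leave it

    text = PAN_CANDIDATE.sub(mask, text)
    text = CVV_FIELD.sub(lambda m: f"{m.group(1)}: [REDACTED]", text)
    return text, found


def contains_card_data(text: str) -> bool:
    """Guard to call before an order email or transaction log line is written."""
    _, found = redact_card_data(text)
    return found > 0 or CVV_FIELD.search(text) is not None


# Constructed sample order-confirmation text (4111 1111 1111 1111 is a test PAN).
SAMPLE_EMAIL = (
    "Order #100234 confirmed for Jane Doe\n"
    "Card: 4111 1111 1111 1111  Exp: 12/27  CVV: 123\n"
    "Total: 1499.00 INR  Phone: 9876543210\n"
)

if __name__ == "__main__":
    body, n = redact_card_data(SAMPLE_EMAIL)
    print(f"{n} PAN(s) masked:\n{body}")
```

A Luhn match is only a strong hint, so the guard is deliberately biased toward redacting: a rare order number that happens to pass the checksum gets masked, which is the safe failure.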
When you buy our BusinessAhead eCommerce website solution, all of the above aspects are taken care of by us.
Your Company Policies and Procedures
PCI compliance goes beyond whether your server is secure or not. It also applies to paper records, printouts and employee procedures in your office. In addition to securing the server and obtaining an SSL certificate, your internal company procedures also fall under PCI compliance. For example, if you store cardholder data in your office, it must be secured on password protected computers and/or in locked filing cabinets to prevent unauthorized access. Leaving cardholder data in an unlocked filing cabinet where unauthorized people can access it is considered a violation of PCI DSS.
Essentially, the objective of PCI compliance is to protect cardholder data from unauthorized access, whether that access occurs through your server or through the filing cabinet in your office. Putting policies and practices in place to prevent unauthorized access to cardholder data will help to ensure that you are PCI compliant.