How To Achieve PCI DSS Compliance for Your WordPress eCommerce Store
In this definitive post, we dive into the relationship between WordPress eCommerce websites and PCI DSS compliance and how you can achieve it
After setting up your eCommerce store on WordPress, it is natural to focus on sales and profit. But if you accept credit cards without meeting the card industry's security requirements, a single breach or compliance failure can put the whole business at risk. Since almost every online store takes card payments, PCI DSS compliance is something you need to understand in order to protect both your customers and your business. This post explains how PCI DSS applies to WordPress eCommerce sites and how to achieve and maintain compliance.
What is PCI DSS Compliance?
PCI DSS, the Payment Card Industry Data Security Standard, is a set of security requirements for protecting cardholder data. It is not a law; it is an industry standard that the card brands enforce through the contracts merchants sign with their acquiring banks and payment processors. It applies to every merchant that accepts, processes, stores, or transmits card data, regardless of size or transaction volume. That includes a WordPress store that only takes payments through Stripe or PayPal: outsourcing the payment form reduces how much of the standard you have to assess, but it does not take you out of scope. Think of it as a seat belt: nobody checks that you are wearing it until something goes wrong, and then the consequences of not wearing it are substantial.
The standard is maintained by the Payment Card Industry Security Standards Council (PCI SSC), founded on September 7, 2006 by the five major card brands: Visa, Mastercard, American Express, Discover, and JCB. The council publishes the standard and its supporting documents; the card brands and acquiring banks, not the council, enforce compliance on merchants.
PCI DSS Compliance for WordPress eCommerce Sites
Fortunately, most WordPress stores hand the payment step to a third-party processor such as PayPal or Stripe, and the more of the payment page the processor hosts, the smaller the part of the standard you have to assess. A store that redirects the customer to the processor's page, or embeds the processor's payment form in an iframe, and never sees card data on its own server qualifies for the shortest questionnaire (SAQ A). If your own page controls how card data is collected and sent (for example a form on your site that posts directly to the processor), the longer SAQ A-EP applies, because a compromise of your WordPress site could alter that form. If card data touches your server at all, you are in full SAQ D territory. It is still worth knowing all twelve requirements, since they will apply in full should you change how you take payments. For most WordPress stores, completing the appropriate Self-Assessment Questionnaire (SAQ) each year, plus any quarterly vulnerability scans that questionnaire requires, is enough to validate compliance; only the largest merchants (Level 1) need an on-site assessment by a Qualified Security Assessor.
What Are The Merchant Levels On PCI DSS Compliance?
The card brands define four merchant levels by annual transaction volume; the thresholds below are the ones Visa and Mastercard use.
- Level 1: more than 6 million card transactions per year.
- Level 2: 1 million to 6 million card transactions per year.
- Level 3: 20,000 to 1 million eCommerce card transactions per year.
- Level 4: fewer than 20,000 eCommerce card transactions per year (or up to 1 million transactions in total).
American Express, Discover, and JCB publish their own, slightly different, thresholds, and your acquiring bank may assign you a higher level than your volume alone suggests (for example after a breach). Your level determines how you validate compliance: Levels 2 to 4 self-assess with an SAQ, while Level 1 requires an annual on-site assessment and a Report on Compliance. Once you know your level, you can choose the SAQ.
What Is The PCI DSS SAQ?
The SAQ is a validation document: a checklist of the PCI DSS requirements that apply to your payment channel, which you answer yourself. There are several SAQ types (A, A-EP, B, B-IP, C, C-VT, D, and P2PE), and the one you use depends on how card data flows through your business; for an online store the choice is usually between SAQ A, SAQ A-EP, and SAQ D. After completing the SAQ you also sign an Attestation of Compliance (AOC), and you submit both to your acquirer or processor on request. If you are unsure which questionnaire applies, ask your acquirer or a Qualified Security Assessor before you start: choosing the wrong SAQ means your attestation is worthless, and an expert can also confirm that you have evidence for every answer.
What Are The PCI DSS Requirements for a WordPress Site?
At the time of writing, the current version is PCI DSS 3.2, published in April 2016 to replace version 3.1; the new requirements it introduced became mandatory on 1 February 2018, and a minor revision, 3.2.1, followed in May 2018. Version 4.0 was subsequently published in March 2022 and 3.2.1 was retired on 31 March 2024, so always check the PCI SSC document library for the version your acquirer expects. This post follows version 3.2, whose twelve requirements carry over into 4.0 with the same structure.
PCI DSS has 12 requirements grouped under six goals, listed here in the standard's own wording.
Build and Maintain a Secure Network and Systems
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data.
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data.
- Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
- Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
- Requirement 6: Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need to know.
- Requirement 8: Identify and authenticate access to system components.
- Requirement 9: Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data.
- Requirement 11: Regularly test security systems and processes.
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security for all personnel.
Maintaining a PCI DSS Compliant Website
PCI DSS is written for every business that handles card data, not for WordPress in particular, so you have to translate each requirement into concrete steps for your own store. Because stores differ in hosting, plugins, and payment integration, another store's setup cannot simply be copied; the sections below show what each requirement usually means for a WordPress site.
Requirement 1: Installing a firewall that protects cardholder information.
A firewall is the barrier between your systems and the networks you do not control, including the internet your visitors arrive from. Configuring one starts with an inventory and a network diagram: list every server, network device, and service that handles or can reach your site (web server, database, admin workstations, backup host, hosting control panel) and decide which of them belong to the cardholder data environment. That list tells you where firewalls and network segmentation are needed.
Second, configure every firewall to deny all traffic by default, inbound and outbound, and then add rules only for what the business needs. For a typical WordPress host that means HTTPS (and HTTP, for the redirect) from anywhere, SSH or the control panel only from your administrators' addresses, and the database port reachable only from the web server, never from the internet. If you are unsure whether a user or service needs a rule, find out before you add it; never open something to see whether it fixes a problem. Finally, document every rule with a business justification and review the rule set at least every six months, which is what the standard requires (Requirement 1.1.7). A managed host that runs the network firewall for you does not remove this duty: ask for their configuration and review evidence, and put a web application firewall (WAF) in front of WordPress to cover the application layer.
Requirement 2: Changing all default passwords on software, devices, and systems.
Many merchants leave vendor-supplied passwords and settings in place. Change every default password and remove or disable every default account on every product that touches your site, whether or not it is part of WordPress itself: the hosting control panel, the database, routers and access points, WordPress's own "admin" user name, and any demo accounts created by plugins or themes.
Along with changing passwords, keep functions separate. The standard expects one primary function per server so that a compromise of one does not hand over the rest: run the web server and the database on separate systems, keep mail, DNS, and staging or test environments off the production host (separate providers or accounts are fine), and never test with live card data.
Keep plugins to the minimum you need. Check the source and maintenance history of every plugin and theme before installing it, and remove, not merely deactivate, anything you no longer use: deactivated code can still be reached by an attacker and still needs patching. Finally, harden every piece of hardware and software that works with your site using the vendor's hardening guide or an industry benchmark such as the CIS Benchmarks, and disable services and features you do not use (XML-RPC and the dashboard file editor are common WordPress examples).
Requirement 3: Protect cardholder data.
If you use a hosted payment page or iframe from a processor such as Stripe or PayPal, card data never reaches your server and most of this requirement does not apply to you. It does apply as soon as you handle card numbers yourself, for example when taking orders by phone or keying them into a virtual terminal. In that case:
- Never write card details down on paper or in email, chat, or order notes. Enter them directly into the processor's virtual terminal.
- Store only the cardholder data you have a business need for, and delete what you do not need. Never store the card verification code (CVV/CVC), the PIN, or full magnetic-stripe data after authorization, even encrypted; the standard forbids it outright. If you must keep a card number, render it unreadable (strong encryption, truncation, or tokenization) and mask it wherever it is displayed, showing at most the first six and last four digits.
- Train anyone who handles cardholder data on how to do it and on the consequences of mishandling it, and keep a record of that training.
Requirement 4: Encrypting cardholder data on public networks.
First, obtain a TLS certificate for your WordPress site (Let's Encrypt issues them free of charge) and serve the whole site over HTTPS, not just the checkout: set the WordPress site and home URLs to https, redirect every HTTP request to HTTPS, and enable HSTS so browsers stop trying plain HTTP at all. A certificate alone does not make the connection secure. Configure the server to accept only modern TLS with strong cipher suites: PCI DSS stopped accepting SSL and early TLS (TLS 1.0) for new implementations in 2016 and required existing ones to migrate by 30 June 2018, and while TLS 1.1 is still permitted under version 3.2, TLS 1.2 or later is strongly recommended. Test the result with a TLS scanner such as SSL Labs before you attest.
The requirement also covers how you, as the administrator, reach the site. Log in to the dashboard and the hosting account only over HTTPS and SSH, and when you have to work from a public or hotel Wi-Fi network, use a VPN so that everything between your laptop and the VPN endpoint is encrypted and nobody on the local network can observe or tamper with your session. Remote administrative access also needs multi-factor authentication under Requirement 8.3.
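One way to enforce HTTPS on the WordPress side is a must-use plugin, shown here as an added example written for this post rather than code from WordPress or from any plugin the text mentions. It normalises the proxy's forwarding header, forces HTTPS for the dashboard and the front end, sends an HSTS header, and keeps the authentication cookies Secure-only. The file name, the `PCI_TRUSTED_PROXY` constant, and the max-age value are assumptions; every hook and function it calls (`is_ssl`, `home_url`, `wp_safe_redirect`, `send_headers`, `secure_auth_cookie`, `FORCE_SSL_ADMIN`) is WordPress core API.

```php
<?php
/**
 * Plugin Name: PCI Force HTTPS (added example)
 * Drop this file into wp-content/mu-plugins/ (must-use plugins load on every
 * request with no activation step). It forces HTTPS site-wide, sends HSTS,
 * and keeps the WordPress auth cookies Secure-only.
 */

// Behind a load balancer or CDN that terminates TLS, PHP sees plain HTTP and
// is_ssl() returns false, so a naive redirect loops forever. Trust the proxy's
// X-Forwarded-Proto header ONLY when the request really comes from that proxy,
// otherwise any client can spoof it. PCI_TRUSTED_PROXY is an assumed constant:
// define it in wp-config.php with the proxy's address, or leave it undefined.
if ( defined( 'PCI_TRUSTED_PROXY' )
    && isset( $_SERVER['REMOTE_ADDR'], $_SERVER['HTTP_X_FORWARDED_PROTO'] )
    && PCI_TRUSTED_PROXY === $_SERVER['REMOTE_ADDR']
    && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}

// Same effect as define( 'FORCE_SSL_ADMIN', true ) in wp-config.php: wp-login.php
// and the dashboard bounce plain-HTTP requests to HTTPS.
if ( ! defined( 'FORCE_SSL_ADMIN' ) ) {
    define( 'FORCE_SSL_ADMIN', true );
}

// Front end: send any plain-HTTP request to the HTTPS version of the same URL.
// home_url() builds the target from the configured site address rather than
// from the attacker-controlled Host header, so this cannot become an open redirect.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $path = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/';
    wp_safe_redirect( home_url( $path, 'https' ), 301 );
    exit;
}, 1 );

// HSTS: after one HTTPS visit the browser refuses plain HTTP to this host for
// max-age seconds, which closes the window the first redirect leaves open.
// Test with a short max-age first; includeSubDomains commits every subdomain.
add_action( 'send_headers', function () {
    if ( is_ssl() && ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );

// Never issue the login or session cookie without the Secure flag, even if a
// request somehow reaches WordPress over HTTP.
add_filter( 'secure_auth_cookie', '__return_true' );
add_filter( 'secure_logged_in_cookie', '__return_true' );
```

A redirect configured in the web server (nginx `return 301`, or Apache `Redirect`) is preferable because it runs before PHP and also covers admin-ajax, REST, and static files; the plugin is a safety net for hosts where you cannot edit the server configuration. The TLS versions and cipher suites are likewise set in the web server, not in WordPress.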
Requirement 5: Protecting your systems against malware with regular software and antivirus updates.
This requirement keeps malware off the systems that run or manage your store. Install updates from your software vendors promptly, and keep anti-malware software running and updated on every device that touches the site, your own laptop included. On the server side, a malware scanner for the WordPress file tree that compares files against known-good checksums catches web shells and injected code that an endpoint antivirus never sees. Attackers update their malware to evade detection, so scanners and signatures that are months old are barely better than none.
Requirement 6: Develop and maintain secure systems and software.
Here your job is to run only software you can trust and to keep it patched. Install plugins and themes from the official WordPress.org repository or directly from reputable vendors: the repository reviews new plugins before listing them (though not every later update) and shows when a plugin was last maintained and which WordPress versions it was tested with. Avoid "nulled" or pirated premium plugins, which are a common carrier for backdoors. For any custom code in your theme or plugins, follow WordPress's secure coding conventions: prepared statements for database queries, nonces and capability checks on every form and AJAX handler, and escaping on output.
Install updates as soon as they are released; the standard requires critical security patches to be applied within one month of release (Requirement 6.2). As your site grows, keep verifying the source of every new component and read its changelog and reviews before buying. Once installed, change all default settings and credentials and apply the vendor's hardening recommendations. Track security advisories for the plugins you run so that you learn about a fix the day it ships rather than when a scanner finds the hole.
Requirement 7: Restricting access to cardholder data to a need-to-know basis.
Manage who can do what on your site. Start from "deny all": no person, system, or service gets access until someone with authority has approved it for a documented business need, and the access granted is the least privilege that need requires. In WordPress terms, give staff the lowest role that lets them do their job (a shop assistant rarely needs Administrator), never share accounts, and review the user list regularly, removing the accounts of people who have left. Apply the same rule to operating systems, hosting accounts, network devices, and third-party services that connect to your store.
Requirement 8: Use identification and authentication measures to control access.
Authentication ensures that only genuine users get into your site and, through it, anywhere near cardholder data. Enable two-factor authentication (2FA) for every dashboard account, and for the hosting control panel and SSH as well; for administrative access that is not a recommendation but a requirement (8.3). Enforce strong passwords: the standard's floor is at least seven characters with both letters and numbers, changed at least every 90 days and not reusing the last four, but a longer minimum combined with a password manager is a better policy, and you can configure WordPress to reject weak passwords rather than merely warn about them. Limit failed logins: lock an account after at most six attempts for at least 30 minutes, and end idle administrative sessions after 15 minutes.
Give every user a unique ID and forbid shared or generic accounts. With unique credentials for the dashboard, client portals, hosting, and network devices, every action in the logs can be tied to a person, and you can alert on failed or unusual logins.
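The lockout, password, and session rules above can be enforced in WordPress itself. The following must-use plugin is an added example written for this post, not code from WordPress or from any plugin, and the file name, the `PCI_*` constants, and the `pci_*` function names are assumptions; the hooks it uses (`wp_login_failed`, `authenticate`, `wp_login`, `user_profile_update_errors`, `validate_password_reset`, `auth_cookie_expiration`) and the transient functions are WordPress core API.

```php
<?php
/**
 * Plugin Name: PCI Login Hardening (added example)
 * File: wp-content/mu-plugins/pci-login-hardening.php
 * Maps three PCI DSS 3.2 Requirement 8 controls onto WordPress hooks:
 *   8.1.6 / 8.1.7  lock out after at most six failed logins, for at least 30 minutes
 *   8.2.3          minimum password length and composition
 *   8.1.8          re-authenticate privileged sessions after 15 minutes
 */

define( 'PCI_MAX_ATTEMPTS', 6 );
define( 'PCI_LOCKOUT_SECS', 30 * MINUTE_IN_SECONDS );
define( 'PCI_MIN_PASS_CHARS', 12 ); // PCI's floor is 7; 12 is a sensible store policy

/**
 * Transient key for one (client IP, username) pair. Keying on both means a single
 * remote IP cannot lock the real administrator out on purpose, while that IP
 * still cannot hammer one username. REMOTE_ADDR is only the client when no
 * proxy is in front; behind one, substitute the address from your proxy's
 * trusted forwarding header.
 */
function pci_lock_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'pci_login_' . md5( $ip . '|' . strtolower( trim( (string) $username ) ) );
}

// Count every failed attempt. This fires for unknown usernames as well, so the
// counter leaks nothing about which accounts exist.
add_action( 'wp_login_failed', function ( $username ) {
    $key = pci_lock_key( $username );
    set_transient( $key, (int) get_transient( $key ) + 1, PCI_LOCKOUT_SECS );
} );

// Refuse to authenticate while locked, whether or not the password was right.
// Priority 30 runs after core's username/email handlers at priority 20, so the
// lockout overrides a WP_User they may already have returned. A locked-out
// attempt counts as a failure too, so the window restarts while an attack continues.
add_filter( 'authenticate', function ( $user, $username ) {
    $username = (string) $username;
    if ( '' !== $username && (int) get_transient( pci_lock_key( $username ) ) >= PCI_MAX_ATTEMPTS ) {
        return new WP_Error( 'pci_locked_out', __( 'Too many failed login attempts. Try again in 30 minutes.' ) );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that IP/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( pci_lock_key( $user_login ) );
} );

/** 8.2.3: at least PCI_MIN_PASS_CHARS characters containing both letters and digits. */
function pci_password_ok( $password ) {
    return strlen( $password ) >= PCI_MIN_PASS_CHARS
        && preg_match( '/[A-Za-z]/', $password )
        && preg_match( '/[0-9]/', $password );
}

function pci_add_password_error( $errors ) {
    $errors->add( 'pci_weak_password', sprintf(
        __( '<strong>Error:</strong> Passwords must be at least %d characters and contain both letters and digits.' ),
        PCI_MIN_PASS_CHARS
    ) );
}

// Profile screen and "Add New User": edit_user() puts the proposed password in
// $user->user_pass before firing this hook, and only when one was entered.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) && ! pci_password_ok( $user->user_pass ) ) {
        pci_add_password_error( $errors );
    }
}, 10, 3 );

// Password-reset form: the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1']
        && ! pci_password_ok( wp_unslash( $_POST['pass1'] ) ) ) {
        pci_add_password_error( $errors );
    }
}, 10, 2 );

// 8.1.8: WordPress auth cookies live 2 days (14 with "Remember Me"). Shorten them
// for anyone who can administer the site. This is an absolute lifetime, stricter
// than the idle timeout PCI asks for: administrators re-authenticate every 15 minutes.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id ) {
    return user_can( $user_id, 'manage_options' ) ? 15 * MINUTE_IN_SECONDS : $seconds;
}, 10, 2 );
```

Two things this does not do: rotate passwords every 90 days (8.2.4), which needs a stored "password set" timestamp and a forced reset, and provide 2FA, for which a maintained plugin is the practical route. Transients live in the options table unless a persistent object cache is configured, so the lockout state is shared by every PHP worker on the host.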
Requirement 9: Control physical access to cardholder data.
Restrict physical access to laptops, phones, servers, and any other device that can reach the site. Keep visitors off your business Wi-Fi and work devices, fit proper locks to your office and any server area, and do not let visitors wander unescorted. Lock and encrypt devices that leave the premises. Shred any paper that ever carried passwords or card details, and wipe storage media before disposal.
Requirement 10: Track and monitor all network access to cardholder information.
Keep an audit trail of what happens on the site and the systems around it, and retain it for at least one year, with at least the most recent three months immediately available for analysis (Requirement 10.7). Logs are not just compliance evidence; they are how you find out what an attacker did. Record successful and failed logins, changes to users and roles, plugin and theme changes, and changes to security settings, each with who, what, when, and from where. Enable logging on every device you add (routers, firewalls, the web server), and send copies to a central log server so that an attacker who compromises the web server cannot quietly edit the record. Keep clocks synchronised with NTP so that events across systems line up. Activity-log plugins for WordPress exist, but whatever you use, the log must be protected from the people and processes it monitors.
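As an added example of the WordPress side of this requirement (written for this post, not code from WordPress or from any activity-log plugin), the must-use plugin below writes one JSON line per security-relevant event to a file outside the web root and mirrors each line to syslog for off-host collection. The file name, the `PCI_AUDIT_LOG` constant, the `pci_audit` function, and the event names are assumptions; the hooks (`wp_login`, `wp_login_failed`, `wp_logout`, `user_register`, `set_user_role`, `deleted_user`, `activated_plugin`, `deactivated_plugin`, `switch_theme`, `updated_option`) are WordPress core API.

```php
<?php
/**
 * Plugin Name: PCI Audit Trail (added example)
 * File: wp-content/mu-plugins/pci-audit-trail.php
 * Appends one JSON line per security-relevant event to a file outside the web
 * root and mirrors it to syslog, so the trail can be shipped off the host and
 * survives tampering with the WordPress install (PCI DSS 3.2 Req. 10.2, 10.3, 10.5).
 */

// Assumed location, one directory above the document root on a standard
// install; override with define( 'PCI_AUDIT_LOG', ... ) in wp-config.php.
if ( ! defined( 'PCI_AUDIT_LOG' ) ) {
    define( 'PCI_AUDIT_LOG', dirname( ABSPATH ) . '/wp-audit.log' );
}

/**
 * Record one event with the fields Req. 10.3 calls for: who (user), what
 * (event + details), when (UTC), where from (client IP), which resource (URI).
 */
function pci_audit( $event, array $details = array() ) {
    $user   = wp_get_current_user(); // ID 0 when nobody is logged in, e.g. failed logins
    $record = array(
        'ts'     => gmdate( 'Y-m-d\TH:i:s\Z' ),
        'event'  => $event,
        'uid'    => (int) $user->ID,
        'user'   => $user->exists() ? $user->user_login : null,
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : null,
        'uri'    => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : null,
        'detail' => $details,
    );
    $line = wp_json_encode( $record );

    // Append under an exclusive lock so concurrent PHP workers do not interleave lines.
    file_put_contents( PCI_AUDIT_LOG, $line . "\n", FILE_APPEND | LOCK_EX );

    // Off-host copy: the PHP user can write the file above, so a compromised site
    // could edit it; a central syslog server it cannot reach is the tamper-evident record.
    openlog( 'wordpress-audit', LOG_PID, defined( 'LOG_LOCAL0' ) ? LOG_LOCAL0 : LOG_USER );
    syslog( LOG_NOTICE, $line );
    closelog();
}

// 10.2.4 / 10.2.5: authentication attempts and use of the login mechanism.
add_action( 'wp_login', function ( $login, $user ) {
    pci_audit( 'login_success', array( 'login' => $login, 'roles' => $user->roles ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $login ) {
    pci_audit( 'login_failed', array( 'login' => $login ) );
} );
add_action( 'wp_logout', function ( $user_id = 0 ) { // $user_id is passed since WP 5.5
    pci_audit( 'logout', array( 'uid' => (int) $user_id ) );
} );

// Account and privilege changes.
add_action( 'user_register', function ( $user_id ) {
    pci_audit( 'user_created', array( 'uid' => (int) $user_id ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    pci_audit( 'role_changed', array( 'uid' => (int) $user_id, 'from' => $old_roles, 'to' => $role ) );
}, 10, 3 );
add_action( 'deleted_user', function ( $user_id ) {
    pci_audit( 'user_deleted', array( 'uid' => (int) $user_id ) );
} );

// 10.2.7: changes to the code that runs the site.
add_action( 'activated_plugin', function ( $plugin ) {
    pci_audit( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    pci_audit( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
add_action( 'switch_theme', function ( $new_name ) {
    pci_audit( 'theme_switched', array( 'theme' => $new_name ) );
} );

// Settings whose change alters the site's security posture; log old and new values.
add_action( 'updated_option', function ( $option, $old_value, $new_value ) {
    $watched = array( 'users_can_register', 'default_role', 'admin_email', 'siteurl', 'home' );
    if ( in_array( $option, $watched, true ) ) {
        pci_audit( 'option_changed', array( 'option' => $option, 'old' => $old_value, 'new' => $new_value ) );
    }
}, 10, 3 );
```

Retention is handled outside WordPress: rotate the file with logrotate (for example monthly, keeping twelve generations) and configure the syslog server to keep a year. The `ip` field is the address PHP sees; behind a proxy, record the address from the proxy's trusted forwarding header instead, or the trail will show the proxy for every event.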
Requirement 11: Conduct regular tests and screening of systems.
Security controls are never a one-off. Under the standard you must run external vulnerability scans every quarter through a PCI Approved Scanning Vendor (ASV), internal vulnerability scans every quarter, and a penetration test of the network and the application at least once a year and after any significant change (Requirements 11.2 and 11.3); which of these apply to you depends on your SAQ. Supplement them with a WordPress-specific scanner that checks installed plugin and theme versions against known vulnerabilities, and with file-integrity monitoring (Requirement 11.5) so that unexpected changes to core, plugin, or theme files raise an alert; WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums --all` compare your files against the official checksums. An intrusion detection or prevention system (IDS/IPS) in front of the site helps spot and block attacks while they are in progress.
An up-to-date inventory of your components (Requirement 2.4) is what makes the scans meaningful. Without a list of every plugin, theme, library, and server component, it is easy to have something running in the background without the latest patch. Keep the list current, with versions, so that you can tell at a glance what needs updating or uninstalling.
Requirement 12: Maintaining a security policy that addresses all measures to protect cardholder data.
This requirement is about writing down how you secure the store and making sure everyone follows it. Once the controls are in place, document them in a security policy, circulate it to the people concerned, and have them acknowledge it. The policy should state each person's responsibilities and the consequences of ignoring them, the acceptable use of devices and technologies that touch the store, and the security awareness training staff receive. It must also include a risk assessment, repeated at least annually and after major changes, that identifies threats and their impact, and an incident response plan that says who does what when a breach is suspected, including how to notify your acquirer and the card brands.
What Are The Risks Of Non-Compliance?
There are several risks of non-compliance.
Fines and Losses
The card brands can levy fines, commonly quoted at $5,000 to $100,000 per month of non-compliance, on your acquiring bank, which passes them on to you. The amount depends on your transaction volume and merchant level and on how long the non-compliance lasts.
The cost of an actual breach is higher. Reissuing a compromised card costs the issuing bank roughly $3 to $5 per card, and those costs are charged back to the merchant for every card that transacted with your store during the exposure window. Even after the breach is contained, banks and processors may raise your fees, and the card brands can pass on the cost of monitoring the compromised cards for fraud.
Payment Bans
The card brands can restrict your business from accepting card payments. If you remain non-compliant, they may terminate your ability to accept their cards entirely.
Data Breaches
PCI DSS compliance does not guarantee that you will not be breached, but it limits the damage. If the post-breach investigation finds that you were compliant at the time, the card brands may reduce or waive the fines. A breach still costs revenue when customers lose trust, and you will spend money on the forensic investigation, on cleaning your systems, and on upgrading security before you can trade again.
Forensic Audits
After a breach involving card data, the card brands require a forensic investigation by a PCI Forensic Investigator (PFI), at your expense. The investigator examines your systems and your PCI DSS documentation to establish how the breach happened and whether you were compliant at the time, and that finding drives the fines and costs that follow. The process is intrusive and expensive, and a finding of non-compliance makes everything else worse.
Legal Action
There may be class actions against your business, especially after a large breach. In 2007, TJX disclosed a breach that exposed more than 45 million card numbers; within a year the company reported costs of more than $250 million to investigate the breach, settle with affected banks and customers, and upgrade its security.
Damaged Business Reputation
Exposing customers' card data is enough to destroy trust in your business and damage your brand through bad reviews and press coverage. Winning back existing customers, and attracting new ones, becomes much harder.