The new PCI DSS standard, v4.0, was released in March 2022. Organisations have until March 2024 to update and comply.

In 2022 only 43.4% of organisations maintained full PCI DSS compliance.

Verizon Payment Security Report – September 2022
PCI Compliance for eCommerce

Protecting your customers and your business from credit card fraud is a major consideration in ecommerce. Any business accepting online credit card payments needs to be compliant with the Payment Card Industry Data Security Standard (PCI DSS) in order to combat online credit card fraud.

PCI DSS aims to protect cardholders' personal information by requiring proper security wherever credit card transactions are processed. The standard was set up by the Payment Card Industry Security Standards Council, whose founding members include American Express, MasterCard and Visa.

Your Obligations

12 Requirements of PCI DSS

Under PCI DSS you, as the merchant, must:

Build and maintain a secure network

  • Install and maintain a firewall configuration to protect cardholder data.
  • Do not use vendor supplied defaults for system passwords and other security parameters.

Protect cardholder data

  • Protect stored cardholder data.
  • Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management programme

  • Use and regularly update antivirus software.
  • Develop and maintain secure systems and applications.

Implement strong access control measures

  • Restrict access to cardholder data by business need-to-know.
  • Assign a unique ID to each person with computer access.
  • Restrict physical access to cardholder data.

Regularly monitor and test networks

  • Track and monitor all access to network resources and cardholder data.
  • Regularly test security systems and processes.

Maintain an information security policy

  • Maintain a policy that addresses information security.

Three major elements of PCI compliance

Protecting your customers’ data is central to how Xanthos creates and launches your ecommerce website. Xanthos only works with PA-DSS compliant ecommerce software and PCI DSS certified web hosting providers, to make sure that your store is safe and secure.

PCI DSS is a set of requirements issued by the PCI Security Standards Council (PCI SSC) and supported by the major card brands. It applies to all organisations that store, process or transmit cardholder data.

We keep our sites compliant by following these rules:

Storing the Card Verification Value (CVV) number is prohibited

You are not allowed to store the three-digit CVV number under any circumstances.

Protecting the Primary Account Number (PAN)

The PAN is the 14 or 16-digit number across the front of the credit card. It may be shown in full only to those with a business need to see it; for everyone else it must be masked. The PAN must be encrypted when stored and when transmitted.
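As an added example (not code from the Xanthos page), the CVV and PAN rules above expressed as checks an ecommerce application can run: a Luhn check to recognise a PAN, a first-six/last-four mask for displays without a need-to-know, a scrubber that drops CVV-type fields and masks PANs before a record is logged or kept, and a log scan that reports PANs that have leaked into logs. The field names and log lines are assumptions; the card numbers are well-known test numbers, not real accounts.

```python
import re

# Well-known test card numbers, never real accounts, used as constructed input.
TEST_PANS = {"visa": "4111 1111 1111 1111", "amex": "378282246310005"}
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
FORBIDDEN_FIELDS = {"cvv", "cvc", "cvv2", "cid", "security_code"}  # assumed field names

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; a real PAN always passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, the most a display
    for staff without a need-to-know may show."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def mask_pans_in_text(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text by its masked form."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)

def scrub_for_storage(record: dict) -> dict:
    """Drop CVV-type fields outright and mask any PAN before an order record
    is logged or kept for display; the full PAN goes only to the payment processor."""
    return {k: mask_pans_in_text(v) if isinstance(v, str) else v
            for k, v in record.items() if k.lower() not in FORBIDDEN_FIELDS}

def find_pan_leaks(log_lines) -> list:
    """Detection: (line number, masked PAN) for each PAN that reached a log,
    which is cardholder data landing where it must never be stored."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                hits.append((n, mask_pan(digits)))
    return hits
```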

Compliance with the Payment Application Data Security Standard (PA-DSS)

This applies to all third-party ecommerce software. It sets out the security requirements for processing credit card transactions. Your ecommerce software must be PA-DSS compliant.