What Is PCI Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed by the PCI Security Standards Council to ensure that ALL websites that accept, process, store or transmit credit card information maintain a secure environment.
Who Is Legally Responsible for Complying?
The company that owns the website is legally responsible for assessing the online transactional environment and maintaining that secure environment. These standards apply to any online website that accepts customer credit card information - and that includes your Teesnap WordPress website's online store.
How Compliant Does My Site Need to Be?
There are different levels of standards depending on the size of your business.
By "eCommerce transactions" here, we are speaking only about transactions done via your WordPress website's online store, NOT your booking portal, which is a separate website.
Okay, So Which Level Is My Site?
The vast majority of Teesnap customers will be Level 4, meaning:
Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.
What Does My Store and Business Need to Be PCI Compliant?
We build our websites with the security of your data and your customers' data at the forefront. However, PCI compliance is not just about having a secure website. Your business must also take steps to ensure that your customers' financial data is fully protected throughout the entire transactional process.
In general, to be PCI compliant and protect your business in the rare case of a data breach, PCI DSS recommends a twelve-point checklist for online Level 4 businesses:
What Should My Business Do to Be PCI Compliant?
All Teesnap websites use secure passwords for all admin accounts and have fully configured web-application firewalls installed, as well as security audit logs to track and monitor all access to your website's backend. They also all have SSL certificates, which assure your online visitors that you're taking every step to encrypt and secure their online transactions.
However, protecting customer financial data is about more than just having a secure website - it's also about secure business practices. Although Teesnap cannot make formal legal recommendations or guarantees about your business environment with regard to PCI compliance, we're happy to make some recommendations that your business may nevertheless find helpful in taking steps to comply with PCI DSS.
- Limit admin access to your online store to ONLY those individuals who will actually be processing the transaction. Do not have the order details forwarded to anyone else.
- If part of your transaction process includes receiving emails with credit card details, ensure that you're using a fully encrypted email system on a private network and encrypted computer/device only. Delete these emails COMPLETELY (not just send them to your trash folder - where they sit unencrypted and easily accessible by anyone).
- Give each person who has access to your online store's backend their own username and password. Do not allow admin users to share accounts or passwords.
- When an employee who has admin access to your online store leaves the company, immediately delete their WordPress username and password.
- Do not store any portion of your customers' financial details, including partial or complete credit card details, in plain unencrypted text. Never write down or print out credit card information on paper.
- Do not access your online store on public unencrypted networks, such as public WiFi. Only sign in as an admin to your website while on a private password-protected network.
- Maintain current anti-malware and anti-virus software on all computers and devices (including your phone) that you and your employees use to log in.
- Make sure that any computers that are used to sign in to your store's back end are in a safe, private location that can't be accessed by anyone who doesn't have authorization to sign in to your online store.
- Use secure passwords to password-protect your computers and networks, and ensure that you regularly change them and give access only to employees who need them.
- Develop an information security policy for your business and put it in writing, then share it with every employee in your company.