How do I make my Drupal or WordPress site PCI compliant?

What Is PCI Compliance?

“PCI Compliance” generally refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of regulations created to ensure companies safely process, transmit, and store credit card information. PCI security standards were launched in 2006 and have become an integral part of developing a successful website.

Do PCI DDS Requirements Apply To Me?

Data security standards apply to any organization that accepts, stores, or transmits cardholder data, regardless of size or number of transactions. However, there are varying levels of standards depending on where and how you use or store cardholder data.

How Do I Know What PCI DSS Requirements Apply To My Site?

E-commerce website owners must determine the “self-assessment questionnaire” (SAQ) level that applies and then successfully implement the applicable PCI-DSS requirements for that level. Depending on your card processor/gateway, they may utilize a third-party approved scanning vendor (ASV) to guide you through this process. Even if your processor does not require this, it does not mean you are exempt from compliance. Completing the appropriate SAQ demonstrates you’re taking the security measures necessary to keep cardholders data safe. The vast majority of e-commerce sites should make it a goal to qualify for SAQ A or SAQ A-EP. These designations mean that part or all of cardholder data functions are outsourced. While your business will still have to work through some security issues to be compliant, they’re not as comprehensive as other SAQs. On the other hand, if your business falls into SAQ D, you’ll need to implement and maintain a much more onerous set of measures. Modern payment gateways all offer A/A-EP compatible card processing options to help you avoid SAQ D. If it’s been years since you implemented your payment solution or your site “sees” raw card numbers at any point, you should make it a goal to upgrade to a more secure process. We can help.

How do I make a Wordpress woocommerce site PCI Compliant?

Ensuring you have your payment gateway is setup properly and you are not storing credit cards in your ordPress woocommerce database is a good start. If you are capturing or storing credit cards you are certainly not PCI compliant. At Fruition we can provide WordPress woocommerce support to get you PCI compliant.

How do I make my Drupal site PCI Compliant?

The same PCI standards apply to a Drupal site as other types of commerce sites. At Fruition we can assist with a Drupal support package to get your Drupal site PCI compliant.

Why Is It Important To Be PCI Compliant?

In addition to meeting security standards and regulations, maintaining PCI compliance provides various benefits, including:

• Customers will trust you with their sensitive information, which leads to customer confidence and repeat purchases
• Improves your reputation with payment brands
• Can contribute to improving your IT infrastructure

PCI non-compliance can lead to lawsuits, canceled accounts, insurance claims, government fines, and erode the trust that customers and partners place in your business.

My Site Is Served With TLS/SSL (a lock in the URL bar); Isn’t This Enough?

Employing encryption is important (and most modern web browsers will warn users if you’re not) but serving your web site with TLS (often called “SSL”) encryption is not sufficient in and of itself to satisfy the PCI DSS standard at any SAQ level. Another common misconception is that receiving but not storing card data excludes a site from the more stringent SAQ D requirements. If your web application ever sees a full card number - even if immediately sent to a third party without storage - this exposes you to significant risk and compliance requirements. Understanding your SAQ level is crucial for mitigating risk and helping your business succeed. If you’re not sure what SAQ level applies to your business, or need help assessing your PCI Compliance, contact us today.