No, PCI compliance is not optional for your eCommerce site
On any given day, roughly 30,000 websites are hacked globally. On top of this, 64% of companies worldwide have experienced at least one form of cyber attack, according to Techjury.
So, whether you’re a veteran or just learning how to start an online store, knowing how to curb your risk of getting hacked is crucial. Between SQL injection attacks, malware, and other cyber security threats, there are various ways that hackers try to get their hands on your customers’ personal data—especially their credit card information.
This is where PCI DSS comes into effect. Short for "Payment Card Industry Data Security Standard," PCI DSS is the baseline set of controls meant to protect businesses and consumers from payment card fraud and theft.
PCI compliance is not required by federal law, but it is contractually required by the card brands through your acquiring bank and payment processor. Read: if you accept credit card payments, you must meet the PCI DSS requirements that apply to you in order to stay in the good graces of the card brands, your acquirer, and your customers.
In this guide, we'll cover:
What is PCI compliance?
The importance of PCI compliance for eCommerce businesses
How PCI DSS compliance works
A summary of PCI DSS v4.0 requirements
Wix's dedication to PCI compliance and security
Other steps you can take to make your online store secure
What is PCI compliance?
PCI compliance means meeting the PCI DSS, a set of security requirements your business (eCommerce or otherwise) must adhere to if you want to accept credit card payments. Noncompliance can leave you exposed to data breaches, hefty fines, and loss of services from your acquirer and the card brands.
The PCI DSS is nearly 20 years old: v1.0 was first released in December 2004 by the major card brands. The PCI Security Standards Council (PCI SSC), which maintains the standard today, was founded in 2006 by American Express, Discover Financial Services, JCB International, Mastercard, and Visa.
The standard is governed by the PCI SSC and enforced by the card brands and payment acquirers. In general you, the retailer, are responsible for your own compliance, but using a platform like Wix eCommerce, which is itself PCI DSS compliant, can substantially reduce that burden.
Did you know: Every Wix store comes with enterprise-level security. Wix manages data encryption, penetration tests, PCI compliance (at the highest level), and more, giving you protection from the get-go.
Nevertheless, it’s important to know how PCI compliance works and what steps are taken to protect every party involved in a credit card transaction.
The importance of PCI compliance for eCommerce businesses
Getting PCI DSS compliance wrong can be disastrous. One of the most well-known examples of this is the data breach Target experienced in 2013. The attack exposed 41 million card numbers and cost Target $18.5 million in settlements. In the weeks leading up to the breach, Target reportedly missed critical warnings flagged by its malware detection software.
Another infamous case: in 2009, Heartland Payment Systems, then the sixth largest payment processor in the U.S., disclosed one of the worst data breaches in recent history. The company was temporarily removed from the card brands' lists of compliant service providers and ultimately paid out around $145 million in compensation and settlements.
While these may be the worst-case scenarios, the risk for any merchant is very real. A lapse in PCI compliance could heighten the risk of:
Financial harm - The card brands can levy fines of roughly $5,000 to $100,000 per month for compliance violations. These are charged to your acquiring bank, which typically passes them on to you, along with its own fees. If there is a breach, you may also have to reimburse your acquirer for fraudulent charges and card reissuance costs.
Damage to reputation - Let’s say you face a data breach and are able to bounce back—you still have to recoup losses associated with losing customer trust. In our age of social media, a bad headline or disgruntled customers can do irreparable damage to your brand.
Loss of bank relationships or services - Your acquirer or payment processor could terminate your account if your business is noncompliant. You may then have difficulty finding a new payment partner willing to take on the risk of working with you.
How PCI DSS compliance works
PCI DSS is constantly evolving. The most recent version, PCI DSS v4.0, was published in March 2022 and adds new requirements aimed at current attack techniques. The previous version, v3.2.1, was retired on March 31, 2024, and the v4.0 requirements that were initially marked as future-dated become mandatory on March 31, 2025.
The goals of PCI DSS v4.0 (as stated by the PCI SSC) are to:
Meet the security needs of the payment industry
Maintain security as a continuous process
Add flexibility for different methodologies
Enhance validation methods
Note that the 12 PCI DSS requirements apply to every merchant regardless of size. What changes with size is how you must validate compliance: the card brands assign merchants to levels based on the number of card transactions processed per year, and the higher the level, the more rigorous the validation.
The tiers below are Visa's, which the other brands broadly mirror:
Level 1 (strictest) - More than six million transactions per year. Requires an annual on-site assessment by a Qualified Security Assessor (QSA), resulting in a Report on Compliance (ROC), plus quarterly external scans by an Approved Scanning Vendor (ASV).
Level 2 - Between one and six million transactions per year. Annual Self-Assessment Questionnaire (SAQ) plus quarterly ASV scans.
Level 3 - Between 20,000 and one million eCommerce transactions per year. Annual SAQ plus quarterly ASV scans.
Level 4 - Fewer than 20,000 eCommerce transactions per year (and up to one million total). Annual SAQ, with scanning requirements set by your acquirer.
If you suffer a breach, a card brand can move you to a higher level (typically Level 1) at its discretion, regardless of your transaction volume.
A summary of PCI DSS v4.0 requirements
PCI DSS v4.0 contains 12 principal requirements, grouped under six goals. The table from the official standard is reproduced here in list form:
Build and maintain a secure network and systems
1. Install and maintain network security controls
2. Apply secure configurations to all system components
Protect account data
3. Protect stored account data
4. Protect cardholder data with strong cryptography during transmission over open, public networks
Maintain a vulnerability management program
5. Protect all systems and networks from malicious software
6. Develop and maintain secure systems and software
Implement strong access control measures
7. Restrict access to system components and cardholder data by business need to know
8. Identify users and authenticate access to system components
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Log and monitor all access to system components and cardholder data
11. Test security of systems and networks regularly
Maintain an information security policy
12. Support information security with organizational policies and programs
Keep in mind that the PCI DSS v4.0 document runs to about 360 pages and contains hundreds of sub-requirements. Companies that take a DIY approach to meeting all of them typically dedicate entire teams to the job.
If you're an SMB, a more cost-effective approach is to work with a PCI-validated service provider. As mentioned earlier, eCommerce platforms like Wix eCommerce assume most of the compliance burden from store owners. For example, Wix lets you accept online payments through PCI-validated payment gateways like Wix Payments, Stripe, and PayPal. This works because the card number is captured by the gateway rather than by you, so it never enters systems you control, which is what keeps most of the standard out of your scope.
Wix’s dedication to PCI compliance and security
Wix takes website security seriously and meets the requirements to remain a PCI DSS Level 1 service provider. This means that we:
Get quarterly external vulnerability scans from an Approved Scanning Vendor (ASV)
Are audited annually for compliance, in an assessment that takes up to four months to complete
Conduct internal vulnerability scans and engage external firms to carry out penetration tests (a form of "ethical hacking" that probes the platform for exploitable weaknesses)
We've also been audited and certified as ISO 27001 and ISO 27018 compliant, which means that we meet industry best practices for managing security risks and handling personally identifiable information (PII) in a public cloud computing environment.
In addition, Wix Payments, our proprietary payment processing solution, meets the highest standards for online security. Our platform protects your customers’ sensitive data with industry-leading encryption and fraud detection tools, powered by a combination of data analysis and machine learning.
When you use Wix Payments, the parts of PCI DSS that cover capturing, transmitting, and storing card data are handled by Wix on your behalf. Your own responsibilities shrink to the account-level steps described below.
Other steps you can take to make your online store secure
Enable two-step verification on your Wix account. An authenticator app is the strongest option; SMS codes can be intercepted through SIM-swap attacks, so use SMS or email only as a fallback
Use a long, unique password for your account and never reuse it on other sites; a password manager makes this painless
If a customer reads out card details over the phone or in a support chat, enter them straight into the payment tool and do not write them down, paste them into order notes or email, or leave them sitting in the chat transcript. PCI DSS never permits storing the three- or four-digit security code (CVV/CVC) after authorization, even in encrypted form
Pay special attention to roles and permissions on your Wix eCommerce (or other) site, giving admin roles only to people who absolutely need them and reviewing the list whenever staff change
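The "do not hold onto it" rule is only as good as your ability to notice when card numbers slip into places they should not be (chat transcripts, order notes, support email, application logs). The script below is an added example written for this article; it is not Wix code and not an official PCI SSC tool. It assumes plain UTF-8 text and treats a card number (PAN) as a run of 13 to 19 digits, optionally separated by spaces or dashes, that passes the Luhn check, which is how real PANs are structured. It finds such numbers and redacts them to the last four digits before the text is stored; the sample chat transcript is constructed for the demonstration.

```python
"""Find and redact payment card numbers (PANs) in free text before it is stored.

Added example for this article (not Wix's code, not a PCI SSC tool). Assumes a
PAN is 13-19 digits, optionally grouped by single spaces or dashes, and
Luhn-valid.
"""
import re

# Candidate PAN: 13-19 digits, each optionally followed by a space or dash,
# not preceded or followed by another digit (so longer digit runs don't match).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list[str]:
    """Return the digit-only PANs in text (Luhn-valid candidates only)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with asterisks plus its last four digits.

    Last-four is the most that should survive in a transcript or note; for pure
    retention purposes nothing stops you from blanking the whole number.
    """
    def _mask(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group(0)       # not a card number (e.g. an order or tracking id)
    return _CANDIDATE.sub(_mask, text)


# Constructed sample: a support-chat transcript in which a customer types
# Visa's public test PAN (4111 1111 1111 1111) and the agent quotes a 16-digit
# tracking id that happens to fail the Luhn check, so it must be left alone.
SAMPLE_CHAT = (
    "customer: my card is 4111 1111 1111 1111 exp 12/26\n"
    "agent: thanks, tracking id 1234 5678 9012 3456 will follow\n"
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_CHAT))
    print(redact_pans(SAMPLE_CHAT))
```

Run it over exported chat logs or order notes before they are archived, or wire it into the logging pipeline. Two caveats: about one in ten random digit strings passes Luhn, so expect occasional false positives on long reference numbers, and the script does nothing about the CVV/CVC, which is a three- or four-digit value with no checksum; the only safe handling for that is never to write it down at all.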
Accept secure online payments with Wix
PCI compliance is a heavy topic. Fortunately, we’ve already done the grunt work and created an environment that keeps your business safe and compliant.
With Wix eCommerce, you can easily accept payment from more than 50 trusted payment gateways. Easily set up your shop with a variety of different payment options and focus on delighting your customers instead of looking over your shoulder for potential threats.
Create your store with Wix eCommerce today.
Editor, Wix eCommerce
Allison is the editor for the Wix eCommerce blog, with several years of experience reporting on eCommerce news, strategies, and founder stories.