Is Your Web Developer or Hosting Company Liable if Your Website is Not PCI Compliant?

If you are going to accept online payments on your website, then it must be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements applicable to all organizations that accept, store, or process credit card information. Even if you leverage third-party services like Stripe, Recurly, PayPal, or another secure payment option, you still have an obligation to follow the requirements set forth by PCI DSS.

If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties because of it. Your web developer or web hosting company will not be fined.

Failing to comply could open your business up to lawsuits from customers if there is a security breach, and/or to fines from your credit card processor.

If the breach is big enough and the fines are heavy enough, it could force your company out of business.

How big of a target is your ecommerce website?

With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access. Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.

Ecommerce websites are susceptible to a number of risks and threats:

  • Credit card stealers put your customers at risk of identity theft or credit card fraud.
  • Hijacking causes loss of sales when customers are redirected to a fake shopping cart.
  • Injected website content can spread spam, malware, and malvertising.
  • Server resources can be stolen and used in malware campaigns, DDoS attacks, etc.
  • Hacked sites can be blocked by search engines, antivirus programs, and browsers.
  • Because there will always be some level of risk, security is a continuous process.

Non-compliant ecommerce websites often suffer hefty penalties from payment industry regulators if their customers complain about fraud after using the site.

According to figures cited by the PCI standards body, the average cost of a breach for a large website is $4 million, whereas the average cost of a data breach for an SMB is $86,500.

If a data breach occurs at your ecommerce store, your ability to accept credit card payments may even be suspended or revoked.


How to become compliant

The current version of the PCI DSS is 3.2.1, published in May 2018. While the PCI DSS has only 12 major requirements, each one can have a dozen or more sub-requirements.

Here is an overview of the requirements:

PCI DSS Requirement 1: Protect your system with firewalls

PCI DSS Requirement 2: Configure passwords and settings securely

PCI DSS Requirement 3: Protect stored cardholder data

PCI DSS Requirement 4: Encrypt transmission of cardholder data

PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software

PCI DSS Requirement 6: Develop and maintain secure systems and applications

PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know

PCI DSS Requirement 8: Assign a unique ID to each person with computer access

PCI DSS Requirement 9: Restrict physical access to the workplace and cardholder data

PCI DSS Requirement 10: Implement logging and log management

PCI DSS Requirement 11: Conduct vulnerability scans and penetration tests

PCI DSS Requirement 12: Maintain documentation and perform risk assessments


For many companies, the PCI DSS requirements can seem overwhelming. With ReconByte you get a secure environment for your website, and you automatically meet several of the most complex requirements. Among other things, our solution helps you with:

  • Fully managed and updated web application firewall
  • Protection against OWASP Top 10 threats
  • Application security monitoring and virtual patching
  • Real time alerting, incident handling and response
  • Continuous analysis of WAF and environment logs
  • Vulnerability scanning and reports

Choose the right plan for your business

Cloud-based solution: no hardware or software to install, no changes needed to your website, and no change of host. A simple two-minute DNS change routes all traffic to your site through our solution, where it is inspected and protected.