Is Your Web Developer or Hosting Company Liable if Your Website is Not PCI Compliant?
If you are going to use online payments on your website then it must be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS), is a set of security guidelines applicable to all organizations that accept, store, and process credit card information. Even if you leverage third-party services like Stripe, Recurly, PayPal, or another secure payment option, you have an obligation to follow the requirements as set forth by PCI DSS.
If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties because of it. Your web developer or web hosting company will not be fined.
Failing to meet those requirements could open your business up to being sued by customers if there is a security breach, and/or to fines from your credit card processor.
If the breach is big enough and the fines are heavy enough, it could force your company out of business.
How big of a target is your ecommerce website?
With automated scripts, hackers can find websites with an online store, scan for vulnerabilities, and gain unauthorized access. Small web stores with few sales aren’t exempt — criminals are opportunists and will target any accessible websites or server resources. It is often easier to hack a thousand small ecommerce websites than it is to hack one large online retailer.
Ecommerce websites are susceptible to a number of risks and threats:
- Credit card stealers put your customers at risk of identity theft or credit card fraud.
- Hijacking causes loss of sales when customers are redirected to a fake shopping cart.
- Injected website content can spread spam, malware, and malvertising.
- Server resources can be stolen and used in malware campaigns, DDoS attacks, etc.
- Hacked sites can be blocked by search engines, antivirus programs, and browsers.
Because there will always be some level of risk, security is a continuous process.
Non-compliant ecommerce websites often suffer hefty penalties by payment industry regulators if their customers complain about fraud after using the site.
PCI standards show that the average cost of a breach for a large website is $4 million, whereas the average cost of a data breach for an SMB is $86,500.
If a data breach occurs at your ecommerce store, your ability to accept credit card payments may even be suspended or revoked.
How to be compliant?
The current version of the PCI DSS is 3.2.1, published in May 2018. While the PCI DSS has only 12 major requirements, each one can have a dozen or more sub-requirements.
Here is an overview of the requirements:
PCI DSS Requirement 1: Protect your system with firewalls
PCI DSS Requirement 2: Configure passwords and settings
PCI DSS Requirement 3: Protect stored cardholder data
PCI DSS Requirement 4: Encrypt transmission of cardholder data
PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
PCI DSS Requirement 6: Develop and maintain secure systems and applications
PCI DSS Requirement 7: Restrict access to cardholder data by business need-to-know
PCI DSS Requirement 8: Assign a unique ID to each person with computer access
PCI DSS Requirement 9: Restrict physical access to workplace and cardholder data
PCI DSS Requirement 10: Implement logging and log management
PCI DSS Requirement 11: Conduct vulnerability scans and penetration tests
PCI DSS Requirement 12: Documentation and risk assessments
For many companies, the PCI DSS requirements can seem overwhelming. With ReconByte you get a secure environment for your website and you will automatically meet several of the most complex requirements. Among other things, our solution will help you with:
- Fully managed and updated web application firewall
- Protection against OWASP Top 10 threats
- Application security monitoring and virtual patching
- Real time alerting, incident handling and response
- Continuous analysis of WAF and environment logs
- Vulnerability scanning and reports
Choose the right plan for your business
Cloud-based solution - No hardware or software to install. No changes needed to your website. No change of host. We make a simple two-minute DNS change to ensure all traffic to your site is routed through and protected by our solution.
Basic
Recommended for all types of websites that only want malware monitoring
- Malware scan every 6 hours
- Vulnerability scan every 6 hours
- Content Delivery Network (CDN)
- Speed optimization
- Layer 7 DDoS protection
- Layer 3, 4, 5, 6 DDoS protection
- Load balancing
- DNSSEC (secured DNS)
- Hack repair and recovery
- Chat and phone support
- Deep quarterly vulnerability report
- WAF which filters all incoming traffic
- Real-time threat protection
- Advanced threat identification
- Cure protection
- Scraping protection
- Brute-force protection
- Blocks access via backdoor files
- Illegal resource protection
- Blacklisting of specific countries or IP addresses
- OWASP Top 10 protection
- Cache / header settings
- SSL certificate / HTTPS support
- 99.99% uptime
- SQL injection protection
- XSS (cross-site scripting) injection protection
- XML-RPC protection
- Alerting and incident escalations
- WAF rule updates on customer request
- Access to configuration of WAF
- Handling and rectifying events
- Expert tuning and configuration
- Threat investigation and analysis
- Trojan detection and protection
- Reverse engineering of malware and suspect files
- Quarterly Google hacking check
- Quarterly password audit
- Access to dedicated security contact person
Standard
Recommended for websites that want to be protected behind our automated solution
- Malware scan every 6 hours
- Vulnerability scan every 6 hours
- Content Delivery Network (CDN)
- Speed optimization
- Layer 7 DDoS protection
- Layer 3, 4, 5, 6 DDoS protection
- Load balancing
- DNSSEC (secured DNS)
- Hack repair and recovery
- Chat and phone support
- Deep quarterly vulnerability report
- WAF which filters all incoming traffic
- Real-time threat protection
- Advanced threat identification
- Cure protection
- Scraping protection
- Brute-force protection
- Blocks access via backdoor files
- Illegal resource protection
- Blacklisting of specific countries or IP addresses
- OWASP Top 10 protection
- Cache / header settings
- SSL certificate / HTTPS support
- 99.99% uptime
- SQL injection protection
- XSS (cross-site scripting) injection protection
- XML-RPC protection
- Alerting and incident escalations
- WAF rule updates on customer request
- Access to configuration of WAF
- Handling and rectifying events
- Expert tuning and configuration
- Threat investigation and analysis
- Trojan detection and protection
- Reverse engineering of malware and suspect files
- Quarterly Google hacking check
- Quarterly password audit
- Access to dedicated security contact person
Pro
Recommended for businesses that also want access to their own security contact person
- Malware scan every 6 hours
- Vulnerability scan every 6 hours
- Content Delivery Network (CDN)
- Speed optimization
- Layer 7 DDoS protection
- Layer 3, 4, 5, 6 DDoS protection
- Load balancing
- DNSSEC (secured DNS)
- Hack repair and recovery
- Chat and phone support
- Deep quarterly vulnerability report
- WAF which filters all incoming traffic
- Real-time threat protection
- Advanced threat identification
- Cure protection
- Scraping protection
- Brute-force protection
- Blocks access via backdoor files
- Illegal resource protection
- Blacklisting of specific countries or IP addresses
- OWASP Top 10 protection
- Cache / header settings
- SSL certificate / HTTPS support
- 99.99% uptime
- SQL injection protection
- XSS (cross-site scripting) injection protection
- XML-RPC protection
- Alerting and incident escalations
- WAF rule updates on customer request
- Access to configuration of WAF
- Handling and rectifying events
- Expert tuning and configuration
- Threat investigation and analysis
- Trojan detection and protection
- Reverse engineering of malware and suspect files
- Quarterly Google hacking check
- Quarterly password audit
- Access to dedicated security contact person
ReconByte Enterprise
For larger companies with special requirements
- Can cover unlimited subdomains
- Can include custom delivery criteria
- Can include advanced penetration testing