If you’ve gone through the process of setting up an e-commerce or other business website, you may have come across the term “PCI compliance” and wondered whether it was something you’d need to pursue. In short, PCI compliance means meeting a set of security standards used to evaluate the security of a website that may transmit or store sensitive information, such as payment card data. If your website serves such a purpose, you may need to be PCI compliant.
While there are several levels of PCI compliance, the most common is the DSS 2.0 standard, which usually applies to websites that run software that sends or stores personal data, such as a shopping cart. Most websites that perform online financial transactions, such as billing for products and services, need a merchant account or payment gateway in order to function. Usually, if PCI compliance is a requirement for your website, your merchant will let you know. Since your merchant is likely to assume responsibility for fraudulent transactions resulting from data theft, they will want to make sure your website passes an intermediate level of security review to help ensure that your customers’ private information is adequately safeguarded.
PCI compliance standards don’t only look at the security of your website itself, but also at the security of the server hosting it. Therefore, you’ll want to make sure that your web hosting provider offers PCI-compliant servers. It’s not uncommon for your website to need to be on its own server (a dedicated server or VPS) as part of your vendor’s PCI requirements. Also keep in mind that even once you satisfy the PCI standards, they change regularly. You’ll likely need to subscribe to a service that regularly performs PCI scans against your server to ensure that you remain compliant. If you fail to meet the standards, or fail to maintain them after a certain period of time where this is required, your merchant may impose additional fees.
Stephane is a web developer and system administrator with over 18 years of experience. Specializing in PHP programming and Linux server administration, he also provided development and consulting services to SMBs for several years before becoming an online entrepreneur.