What is PCI Compliance?
To accept credit card payments online or offline, you must comply with the credit card associations and networks rules concerning data security to protect cardholder data. This has been standardized throughout the payment processing industry under the Payment Card Industry Data Security Standard (PCI DSS).
You are required to be PCI compliant if you accept any payment cards such as American Express, Discover Network, Diners Club International, JCB, MasterCard, and Visa. This includes credit cards, debit cards, prepaid cards, and gift cards.
When you accept payment cards online through a merchant account, some of the details of PCI compliance are handled by your web host (HostGator), some are handled by your merchant account provider (payment processor), and some aspects are managed by you (the merchant).
Please click the links below to jump to a section.
- Server PCI Compliance
- Software PCI Compliance
- Payment Processing Company PCI Compliance
- SSL / Secure Certificates
- Shopping Cart / Order Page / Website Coding
- Your Company Policies and Procedures
- The Bottom Line
- Need Further Assistance?
Server PCI Compliance
HostGator handles this component. Our VPS and dedicated servers support PCI compliance, but compliance scans are likely to report false positives, and some configuration changes may be needed before the server meets the requirements outlined in the PCI DSS.
If you experience any issues, request that your scanning vendor email you the report in PDF format, and attach the official vendor-provided PDF when you contact us by phone or chat.
Please include the full PDF as an attachment. Information copied and pasted out of your report will not be sufficient.
Software PCI Compliance
HostGator does not provide support for ensuring that the software used by your website is PCI compliant. This includes but is not limited to shopping carts, shopping cart plugins, payment gateway software, or any vulnerability due to the coding of your website, regardless of the development method used.
For issues regarding your software, you will need to contact the relevant developer responsible for building your solution.
Payment Processing Company PCI Compliance
Your payment processing company handles this component. They are responsible for maintaining their secure network environment.
(Your payment processing company can also guide you on being PCI compliant. They are a good resource to contact about PCI Compliance questions.)
SSL / Secure Certificates
In addition to the servers being PCI compliant (which HostGator handles for you), the credit card associations and networks also require that you use SSL whenever credit card information is transmitted, such as when a customer enters the card number, cardholder's name, expiration date, or CVV code on your shopping cart order form or payment page. This is an important part of making your website PCI compliant.
Please refer to our article on What is an SSL Certificate? for more details on why and when you would need an SSL Certificate and our article on How Do I Purchase an SSL and What Type Is It? for details on how to purchase one.
Shopping Cart / Order Page / Website Coding
The shopping cart or order page code used on your website is required to be PCI Compliant as well. Many shopping carts and e-commerce software will indicate that they are PCI compliant.
Some of the items required to be PCI compliant include:
- The use of complex and unique passwords to access the e-commerce systems to prevent unauthorized access.
- Be sure not to use the default passwords that came with your shopping cart, e-commerce software, or POS system.
- Only authorized staff members can access cardholder data.
- Your website is protected against security vulnerabilities and free of malware. If you are using a third-party script such as a shopping cart or e-commerce system, this usually means running the latest secure version.
- Your website, shopping cart, or e-commerce software logs payment processing transactions.
- Your website must not email secure card information to you (such as the card number, cardholder's name, expiration date, CVV code, etc.). Sending cardholder data via email is insecure. Instead, it should be stored securely, for example in a database with restricted access.
These are just some of the requirements. As you can see, certain requirements deal with how you use your website (e.g., using secure passwords) in addition to the script or website coding itself.
Using a modern shopping cart or e-commerce script and employing secure passwords and procedures will usually cover all your website coding-related PCI compliance issues.
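Two of the requirements above, logging transactions and never emailing card data, are easy to get wrong in an order-notification routine. The following Python is an added example (not HostGator's code or part of any shopping cart) of a check a site could run on an outbound notification: it finds Luhn-valid card numbers, refuses to send the message if any are present, and masks them to first-six/last-four so the text can be logged; the regex and `SAMPLE_EMAIL` are constructed for this illustration.

```python
import re

# Heuristic PAN (card number) detector: 13-19 digits, optionally separated by
# single spaces or dashes, not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; PANs of every major card brand pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits_only(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)

def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid PANs found in text, digits only."""
    return [_digits_only(m.group(0)) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(_digits_only(m.group(0)))]

def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def redact_cardholder_data(text: str) -> str:
    """Mask every Luhn-valid PAN so the text is safe to log or to email."""
    def _sub(m: re.Match) -> str:
        digits = _digits_only(m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)

def safe_to_email(body: str) -> bool:
    """Gate for an outbound order notification: refuse it if it carries a PAN."""
    return not find_pans(body)

# Constructed sample notification: 4111 1111 1111 1111 is the well-known Visa
# test number (Luhn-valid); the 16-digit order id fails the Luhn check.
SAMPLE_EMAIL = ("New order #1234567890123456 from Jane Doe\n"
                "Card: 4111 1111 1111 1111 exp 12/29\n")

if __name__ == "__main__":
    print("safe to send:", safe_to_email(SAMPLE_EMAIL))  # False
    print(redact_cardholder_data(SAMPLE_EMAIL))
```

The detector is a heuristic; it catches card numbers but not other fields such as the expiration date or CVV, which need their own handling.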
Your Company Policies and Procedures
In addition to securing the server and obtaining an SSL certificate, your internal company procedures also fall under PCI compliance. For example, storing cardholder data in your office must be secured in password-protected computers and/or in locked filing cabinets to prevent unauthorized access. Leaving cardholder data in an unlocked filing cabinet where unauthorized people can access it is considered a violation of PCI DSS. PCI compliance goes beyond whether your server is secure or not; it also applies to paper records, printouts, and employee procedures in your office.
The Bottom Line
The objective of PCI Compliance is to protect cardholder data from unauthorized access, whether it occurs through your server or the filing cabinet in your office. Putting policies and practices in place to prevent unauthorized access to cardholder data will help to ensure that you are PCI compliant.
Need Further Assistance?
For all other PCI issues, the payment processing company where you obtained your merchant account is the best PCI compliance information resource. They also may have specific requirements that are unique to their network. You can usually contact your sales representative or agent directly or call your payment processing company's support hotline. Contact information may also be found on your payment processor's website.