What Is PCI Compliance And Why Should I Care?


No matter what news station you turn on or which newspapers you subscribe to, you’re bound to see the headline “new data breach puts consumers at risk.” All of a sudden, consumers have to get credit cards reissued, change passwords, and take steps to protect their data. Privacy and security are things we tend to take for granted, but taking them for granted carries a real financial risk.

This is why it is important to communicate trust to your eCommerce site’s customers. You do this by communicating that you’re using a PCI-compliant payment gateway.

What is PCI Compliance and Why Is It Important?

PCI stands for “Payment Card Industry.” In other words, it covers the credit and debit cards that let you pay for something online, in a store, or even at a Farmer’s Market. (That goat cheese with hatch chilies is so worth the calories.)

Okay, fine, you’re thinking. So, what’s PCI Compliance? Often shortened from PCI DSS Compliance to just PCI Compliance, it means meeting the Data Security Standard (DSS) that payment processors and payment gateways must follow. This standard is maintained by the PCI Security Standards Council, which also holds trainings, conferences, and educational seminars.

For example, what security protocols does Stripe have to follow to ensure that Jane Doe’s Mastercard is safe from hackers? In case you were wondering, here’s the answer.

“We’re a certified PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.”

Stripe

PCI Compliance is important because it gives your customers the confidence to shop with you online and in person. No confidence. No shoppers. No money. So, you don’t want to use a sketchy credit card system. This includes taking CC numbers over the phone and writing them down on paper. Just don’t do it. (We’ve seen all kinds of crazy systems here. It’s no bueno.)

How Do You Explain PCI Compliance?

We like to explain the need for PCI Compliance as an extra layer of security. At Rocket.net we already prioritize security within our platform, so we like to encourage all of our eCommerce Enterprise Clients to use a modern payment processor (like Stripe) that also believes in data security. 

You can explain it to your eCommerce clients by asking if it would be okay for you to publish their credit card number, expiration date, zip code, security code, and name on the home page of their website. 

That sounds crazy, right? Well, if you’re not using PCI-compliant systems, you may as well put it on the home page. To a hacker, it’s basically that easy. Your customer will be adequately horrified, and understand why 3% payment fees to Stripe are no big thing. That “extra” cost of doing business is big security.

Can I Store a Customer’s Credit Card Details?

Remember when you were a kid and you asked if you could go to the bathroom? Your third-grade teacher probably answered, “I don’t know. Can you?” This frustrating exchange was meant to teach you the difference between the two words: can and may. “Can” has to do with ability. “May” has to do with permission. 

In tech, we deal with can and should. “Can” means you have the technical skills. “Should” is about elegance, best practices, speed, and ethics. Collecting any kind of data is technically easy with Gravity Forms and whatnot. But once you collect that data, you’re responsible for how it is used, how it is stored, and for what happens if it is breached.

Remember Target’s 2013 data breach? Can you afford that kind of settlement? Do you have insurance to cover that kind of settlement against an eCommerce site your agency built?

“Retail giant Target will pay an $18.5 million multistate settlement, the largest ever for a data breach, to resolve state investigations of the 2013 cyber attack that affected more than 41 million of the company’s customer payment card accounts.”

USA Today

So, instead of asking, “can I store a customer’s credit card details?” ask if you should store credit card details. Our answer is no. No, you should not store any user’s credit card details on your WordPress website. Ever.

How Do I Offer Subscriptions Without Storing Credit Card Numbers?

Maybe your eCommerce site sells subscriptions like memberships, subscription boxes, or even the ability to read your blog. (Boxes are all the rage, and they continue to be.) Well, the short answer is that recurring payments are handled by your PCI-compliant payment gateway, not by your site.

Defer to the payment processor’s functionality; don’t try to hack your way into recurring payments. If you’re using a WordPress plugin for payments, be sure to look for their “recurring” or “subscription” add-ons.

Here’s NerdWallet’s List of the Best Payment Gateways:

  • Stripe: Best overall payment gateway.
  • Adyen: Best omnichannel option.
  • Helcim: Best interchange-plus pricing for businesses of all sizes.
  • PayPal Payflow: Best for doing everything in one place.
  • Square: Best if you also have a storefront.

We’d Love to Show You What Rocket.net Hosting Can Mean For Your eCommerce Store’s Bottom Line!

Whether it be WooCommerce or Enterprise hosting, all of our eCommerce sites are PCI compliant with our Cloudflare Enterprise configuration. Your store will be as secure as possible to protect your clients.

Full WordPress security for your business at a reasonable price? Yes, please. We know how to treat our clients and, more importantly, how to be an extension of your existing team. That’s why we believe Rocket.net is the perfect partner to handle everything you need.
