Payment Card Industry Data Security Standard (PCI DSS) Compliance Audit & Implementation

A PCI DSS violation can lead to hefty fines from your acquiring bank and the card brands, and ultimately to losing the ability to accept cards at all. As PCI compliance specialists, we help organizations manage PCI DSS compliance end to end.

Here we share a use case with our readers, showing how we ran a PCI compliance audit for one of our clients and helped them secure their customers' card data.

What is PCI Compliance?

Papadent, a seller of DIY auto repair tools, approached us to build a website for selling automotive tools online. The client had worked as an automotive body man repairing cars and wanted an online presence. i-Verve developed the online store at https://www.papadent.com using WordPress, and the client started enjoying strong sales and profits.

The client came back to us stating that the government had made it mandatory for the website to be PCI compliant, to protect customer information and avoid data breaches. Strictly speaking, PCI DSS is not a US federal law: it is an industry standard published by the PCI Security Standards Council and enforced through the merchant's agreement with its acquiring bank and the card brands. The practical effect is the same, since any merchant that accepts cards is contractually required to comply.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve technical and operational requirements for any entity that stores, processes or transmits cardholder data. Complying with it raises the baseline security of the whole environment and boosts customer confidence.

Any website that accepts debit or credit card payments must be PCI DSS compliant. Electronic payments need a high level of security, and whatever the size of your organization or your transaction volume, PCI DSS applies to any site that accepts card payments or otherwise handles cardholder data. Different validation levels apply to online merchants based on their annual transaction volume.

PCI DSS Compliance Levels

PCI DSS applies to anyone who accepts card payments or stores, processes or transmits cardholder data, whatever the size of the business or its transaction volume. Merchants are, however, sorted into one of four levels by annual transaction volume, and each level carries its own validation requirements, reflecting the risk a compromise at that merchant would pose. Using Visa's thresholds, which the other card brands broadly mirror:

  • Level 1: more than 6 million transactions a year; annual on-site assessment and Report on Compliance by a Qualified Security Assessor (QSA), or by an internal auditor signed off by a company officer, plus quarterly network scans by an Approved Scanning Vendor (ASV).
  • Level 2: 1 million to 6 million transactions a year; annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans.
  • Level 3: 20,000 to 1 million ecommerce transactions a year; annual SAQ and quarterly ASV scans.
  • Level 4: fewer than 20,000 ecommerce transactions a year, or up to 1 million transactions through other channels; annual SAQ and, where applicable, quarterly ASV scans.

Benefits of PCI Compliance for Online Businesses

  • PCI compliance helps keep your customers' card data and confidential information safe.
  • It protects your business against attacks that exploit known vulnerabilities, since the required scans surface them before an attacker does.
  • It enhances your business reputation and builds brand credibility.
  • It boosts customer confidence and helps increase your online sales.

Data thieves are becoming increasingly sophisticated and adopt new technologies quickly. Any company that accepts credit or debit cards should protect itself through PCI compliance. The risk is higher for merchants that take recurring payments, because they keep card details, or tokens for them, on file between transactions.

Smaller businesses usually find it easier to comply, often through a self-assessment questionnaire. For larger organizations it can be a difficult process, because the standard requires changes at every layer: infrastructure, network, operating system, application and procedures. The wider the cardholder data environment, the harder it is to meet the requirements, which is why reducing scope (for example by handing card entry off to a hosted payment page) is usually the first step.

Findings from the PCI Compliance Scan

1. Vulnerable WordPress version: 4.8
2. Vulnerable jQuery version: 1.11.0
3. Web error message information leakage: /
4. Web application allows cross-site scripting via the query string (/)

Findings on the hosting server side:

5. SSL backdoor found (as reported by the scanner)
6. OpenSSH 7.4 is vulnerable
7. SSL/TLS server supports 64-bit block ciphers such as 3DES (SWEET32 attack)
8. Server is susceptible to the POODLE attack over TLS
9. The server supports TLS 1.0
10. WebDAV extensions are enabled

We passed the server-side findings (5 to 9) to the hosting provider's support team, since they required changes to the host's SSH and TLS configuration: disabling SSL 3.0 and TLS 1.0 (PCI DSS has not accepted them as strong cryptography since 30 June 2018), removing the 3DES cipher suites behind SWEET32, and patching OpenSSH. We disabled extensions that were not required, such as WebDAV, ourselves. A re-scan after the changes is the only reliable way to confirm that each finding is actually closed.

On the development side we handled findings 1 to 4 ourselves: the vulnerable WordPress version, the vulnerable jQuery version, the error-message information leakage and the cross-site scripting via the query string.

What solution (PCI implementation) did i-Verve provide?

We worked through the six milestones of the PCI SSC Prioritized Approach:

  • Remove sensitive authentication data.
  • Protect the internal networks.
  • Secure payment card applications.
  • Monitor and control access to your systems.
  • Protect stored cardholder data.
  • Finalize remaining compliance efforts.

We first updated PHP (the site was on version 5.6) and then safely updated WordPress to the latest version by manually uploading the core files. We removed the old jQuery 1.11.0 bundled with the theme, including the references in the theme's JS and CSS files, and set up a compatible current jQuery version.

Web error message information leakage:
We removed application-flow information (such as file paths, database errors and stack traces) from the code, the back-end and database error responses, so that a failing request now returns a generic error page.

Web application allows cross-site scripting via the query string (/):
We validated and escaped the query-string parameters used by the WooCommerce checkout page and other pages, so that input reflected from the HTTP request can no longer inject script. We used the Wordfence plug-in to report XSS attempts and block the attacker's IP addresses, with the details listed in the WordPress back-end. We then added a plug-in that sets HTTP security headers (such as Content-Security-Policy) to deny XSS delivered through HTTP requests.
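The following is an added example, not the code i-Verve deployed for the client, showing the two application-side fixes as a WordPress must-use plugin: the reflected query-string pattern that produces finding 4 beside its escaped form, the PHP error-display setting behind finding 3, and the response headers a "security headers" plug-in sends. The file path, the function names, the checkout hook usage and the Content-Security-Policy sources are assumptions for a stock WooCommerce theme.

```php
<?php
/**
 * Plugin Name: PCI hardening example (added for illustration)
 * Description: Assumed file: wp-content/mu-plugins/pci-hardening.php.
 *              Escapes reflected query-string input, hides PHP errors and
 *              sends browser security headers. Not the client's original code.
 */

defined( 'ABSPATH' ) || exit;

/*
 * Finding 4 - cross-site scripting via the query string.
 *
 * VULNERABLE pattern (found in themes and custom checkout snippets):
 *
 *   echo '<p>Results for ' . $_GET['s'] . '</p>';
 *   echo '<input name="coupon_code" value="' . $_GET['coupon'] . '">';
 *
 * A request for ?s=<script>alert(1)</script> is echoed straight into the
 * page and executes in the customer's browser.
 */

// Hardened: sanitize on input, then escape for the exact output context.
function pci_example_search_notice() {
	if ( ! isset( $_GET['s'] ) ) {
		return '';
	}
	// wp_unslash() undoes WordPress' magic-quotes slashing; sanitize_text_field()
	// strips tags, invalid octets and stray whitespace from the incoming value.
	$term = sanitize_text_field( wp_unslash( $_GET['s'] ) );
	// esc_html() encodes <, >, &, " and ' for the HTML body context.
	return '<p>Results for ' . esc_html( $term ) . '</p>';
}

function pci_example_coupon_field() {
	$coupon = isset( $_GET['coupon'] ) ? sanitize_text_field( wp_unslash( $_GET['coupon'] ) ) : '';
	// Inside an attribute value, esc_attr() is the right escaper, not esc_html().
	return '<input type="text" name="coupon_code" value="' . esc_attr( $coupon ) . '">';
}

// Hypothetical use: print the escaped fragments above the WooCommerce checkout form.
add_action( 'woocommerce_before_checkout_form', function () {
	echo pci_example_search_notice();
	echo pci_example_coupon_field();
} );

// Finding 3 - error messages leaking paths, queries and stack traces.
// Keep PHP errors in the server log and off the rendered page. On production,
// pair this with define( 'WP_DEBUG_DISPLAY', false ); in wp-config.php.
add_action( 'init', function () {
	@ini_set( 'display_errors', '0' );
	@ini_set( 'log_errors', '1' );
}, 0 );

// The "header security" plug-in, reduced to its essentials. send_headers fires
// once per front-end request, before any page output.
add_action( 'send_headers', function () {
	if ( headers_sent() ) {
		return;
	}
	header( 'X-Content-Type-Options: nosniff' );
	header( 'X-Frame-Options: SAMEORIGIN' );
	header( 'Referrer-Policy: strict-origin-when-cross-origin' );
	// Only send HSTS once every page, asset and gateway callback is on HTTPS.
	header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
	// CSP is the browser-side backstop for XSS. 'unsafe-inline' is kept because a
	// stock WooCommerce theme emits inline scripts; it weakens the policy, so move
	// to nonces where the theme allows. These sources are assumptions for this example.
	header( "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; "
		. "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; object-src 'none'; "
		. "base-uri 'self'; frame-ancestors 'self'" );
} );
```

Files in wp-content/mu-plugins/ load on every request without activation, so after dropping this in, re-run the scanner: a request such as /?s=%3Cscript%3Ealert(1)%3C/script%3E should now come back with the tag HTML-encoded, and the response should carry the headers above.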

Why PCI Compliance is Important for Every Ecommerce Business

With the rise in data breaches at ecommerce websites, protecting customers' sensitive information and card details has become essential, and PCI DSS is the recognised baseline for doing so. A PCI compliant ecommerce website is more secure and creates a sense of credibility among your users, who prefer to buy from stores that take card security seriously.

So if your ecommerce store accepts debit or credit card payments, you need to achieve and maintain PCI compliance. Doing so means the card data your customers enter is handled according to a recognised security baseline rather than left to chance.

It is important for customers to know that your ecommerce site is safe and secure. Users should feel safe using their credit or debit cards on your site, and protecting their sensitive data will help you gain more of them.

How much does a PCI audit cost?

Several factors affect the cost of PCI compliance, chiefly the size of the organization and how it processes cards. An on-site assessment by a Qualified Security Assessor (QSA) typically costs around $15,000, and a QSA can quote for your specific environment. Small merchants that validate through a Self-Assessment Questionnaire and quarterly ASV scans pay far less.

After applying all of these steps, the re-scan produced a clean PCI compliance report, and the client was happy with the solution. Every ecommerce website that accepts card payments should maintain PCI compliance to protect its customers' confidential data. i-Verve can help you secure and safeguard your ecommerce store; get in touch with us for more information.

PCI FAQs

1. To whom does the PCI DSS apply?
It applies to any organization that stores, processes or transmits cardholder data, including ecommerce websites. If your site accepts payments by credit or debit card, you need to be PCI compliant.

2. Where can a site owner find the PCI Data Security Standard (PCI DSS)?
Existing PCI DSS documents can be found on the PCI Security Standards Council website.

3. If my organization only accepts credit cards over the phone, does PCI DSS still apply to me?
Yes. PCI DSS applies to card data taken over the phone, by mail or in person just as it does to cards taken online; every business that handles cardholder data is in scope.

4. My website doesn't store credit card data, so PCI compliance does not apply to us, right?
Not quite. PCI DSS covers processing and transmitting card data as well as storing it, so a site that passes card details to a payment processor is in scope even if it never keeps them. Handing card entry off to a hosted payment page or the processor's iframe greatly reduces your scope, but you still have to complete a self-assessment questionnaire and keep the website itself secure, because a compromised site can redirect customers to a fake payment page.