What is a PCI-compliant website, and does yours need to be?

Kyle Tapping

Published: March 28, 2022

Last updated: December 8, 2022

I’ve recently been asked, ‘Does my website need to be PCI compliant?’ I thought that if one person was unsure about this, it is likely that many others have the same question. In this article, we will cover what PCI compliance is, why PCI compliance is important, and finally how you make your website follow the PCI compliance requirements.

What is PCI compliance?

PCI DSS stands for Payment Card Industry Data Security Standard. It was created to increase security in order to protect consumer data, prevent data breaches, and safeguard personal cardholder information. PCI compliance applies to all businesses and organizations that accept credit card payments. PCI compliance has four levels, and every organization and business falls under one of them, based on its total yearly transaction volume.

PCI Security Standards Council

The levels are as follows:

  1. Transactions exceed 6 million for MasterCard, Visa, or Discover; 2.5 million for American Express; or 1 million for JCB
  2. Transactions are between 1 and 6 million for MasterCard, Visa, or Discover; between 50,000 and 2.5 million for American Express; or anything under 1 million for JCB
  3. Transactions are between 20,000 and 1 million for MasterCard (specifically eCommerce transactions), Visa, or Discover; or anything under 50,000 for American Express
  4. Transactions are below 20,000 for MasterCard, Visa, or Discover

Why is being PCI compliant important?

Being PCI compliant ensures that credit card transactions are secure for both the merchant and the cardholder. It aids in the prevention of security breaches and identity theft. Consumers are finding it easier to make many of their regular purchases online as technology advances. If you’re not PCI compliant, you risk losing the ability to accept online credit card payments, which may cost you a lot of money.

How do I make my website PCI compliant?

If you run an e-commerce website that takes online payments or donations, your website should be PCI compliant.

PCI DSS v3.2.1, which was issued in May 2018, is the most recent version.

The requirements are made up of multiple sub-requirements and hundreds of individual actions. At first glance, meeting all of them may look daunting for a small website owner.

However, we will outline each PCI compliance requirement in practical terms:

1. Build and Maintain a Secure Network

Install and maintain a firewall, and test the systems and processes.

2. Do Not Use Vendor-Supplied Defaults

Don’t use vendor-supplied passwords, and restrict cardholder data to authorized personnel.

Making a strong password is easy: use a secure password generator such as this one. Secondly, if you need to exchange passwords within your company, keep them in a secure location, such as TeamPassword.

3. Protect Cardholder Data

Keep cardholder data in a secure, password-protected location.

4. Encrypt Transmission of Cardholder Data

SSL/TLS is a security and encryption protocol that protects sensitive data as it travels between two systems. When an SSL certificate is installed, the website can be visited over HTTPS rather than HTTP.

For PCI compliance, a website that takes payments must use TLS v1.1 or higher.

Encrypting critical data, such as credit card numbers, cardholder information, and passwords, protects your consumers and avoids fraud and data breaches.

5. Maintain a Vulnerability Management Program

Install antivirus software on all systems that are commonly affected by malicious software (especially personal computers and servers). Keep all software up to date to prevent vulnerabilities.

Ensure that anti-virus measures are active and that users cannot disable or alter them unless management has given permission on a case-by-case basis for a limited period.

With various website security tools, you can mitigate malware threats on the site and on the server. You’ll also need to guard against attack vectors that aren’t confined to the site directory, such as SSH and FTP access. Elite’s website security plans are proudly powered by Sucuri, a world leader in online security.

6. Develop and Maintain Secure Systems and Applications

It doesn’t matter whether you’re just getting started with a small, low-traffic website: if your website runs a vulnerable CMS, extension, plugin, or theme, a malicious bot will almost certainly find it at some point.

By keeping your website software and system components patched and up to date, you not only reduce the chance of automated attacks, but also ensure the PCI compliance requirements are being met.

7. Restrict Access to Cardholder Data by Business Need to Know

You should not hand out cardholder data lightly. Restrict access to authorized persons only.

8. Track and Monitor All Access to Network Resources and Cardholder Data

You should keep a log of who can access your cardholder data and when they access it.
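Requirements 7 and 8 together, as an added example that is not part of the original article: a small audit routine that turns an access log for a card-data admin area into a per-user trail and flags any access by an account outside the need-to-know list. The log format, the sample lines and the authorized user list are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format, not from any real system):
# one line per access to the cardholder-data admin area.
SAMPLE_LOG = """\
2022-03-28T09:12:04Z user=alice action=view resource=/admin/orders/1042/card
2022-03-28T09:15:31Z user=bob action=view resource=/admin/orders/1042/card
2022-03-28T22:47:10Z user=alice action=export resource=/admin/orders/card-report
2022-03-28T23:02:55Z user=mallory action=view resource=/admin/orders/1043/card
this line is malformed and must be skipped
"""

# Hypothetical need-to-know list: the only accounts allowed to see card data.
AUTHORIZED = {"alice", "bob"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) resource=(?P<res>\S+)$"
)


def parse_log(text):
    """Parse raw lines into dicts with a datetime; lines that do not match
    the expected format are dropped rather than crashing the audit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def audit(events, authorized=AUTHORIZED):
    """Return (trail, violations): trail maps each user to the list of
    (timestamp, action, resource) tuples they touched (requirement 8);
    violations lists every event by a user not on the need-to-know list
    (requirement 7)."""
    trail = defaultdict(list)
    violations = []
    for e in events:
        trail[e["user"]].append((e["ts"].isoformat(), e["action"], e["res"]))
        if e["user"] not in authorized:
            violations.append(e)
    return dict(trail), violations
```

Running `audit(parse_log(SAMPLE_LOG))` on the constructed log yields a trail for alice, bob and mallory, and one violation for mallory, who is not in the authorized set.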

9. Maintain an Information Security Policy

Put in place an information security policy. You must review the security policy at least annually, and it should include a risk assessment process, an incident response plan, and a usage policy.

Final Thoughts on PCI DSS compliance

Your objective should be to give a memorable experience that adds value to your clients every time they visit your website. While the PCI compliance requirements may not be directly related to your business, a user’s credit card information being compromised as a result of their visit to your website can leave a lasting poor impression of your company.

ELITEWEB.Co’s WooCommerce hosting is a great choice for anyone wanting an out-of-the-box PCI-compliant e-commerce platform. It comes with the following for FREE:

  • SSL included in each plan!
  • WordPress Migration Tool.
  • Website Security.
  • Backup Protection.
WooCommerce is a PCI-compliant shopping cart.

On top of those great additions, our WooCommerce hosting comes with £4800 worth of free essential plugins listed below:

  • Cart and checkout extensions
  • Marketing extensions
  • Merchandising extensions
  • Payment extensions
  • Product extensions
  • Services extensions
  • Shipping extensions
  • Store management extensions

Kyle Tapping
Kyle joined the Elite team in 2018. With a background in website development and search engine optimization, Kyle takes great satisfaction from spreading his knowledge to help others succeed in the world of the web. His interests include website development, Brazilian Jiu-Jitsu, coding, and graphic design.
