{"id":17843,"date":"2022-05-24T19:21:16","date_gmt":"2022-05-25T02:21:16","guid":{"rendered":"https:\/\/oroinc.com\/b2b-ecommerce\/?p=17843"},"modified":"2023-07-07T00:39:14","modified_gmt":"2023-07-07T07:39:14","slug":"payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know","status":"publish","type":"post","link":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/","title":{"rendered":"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce"},"content":{"rendered":"<h2><span style=\"font-weight: 400;\">What is PCI DSS?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The Payment Card Industry Data Security Standard (PCI DSS) is an information security compliance standard. It ensures that businesses securely handle the payment information of buyers who pay with cards from the major brands, such as Visa, MasterCard and American Express. Since December 15, 2004, it has replaced the separate security requirements that each card brand previously maintained.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The standard is organized into 12 main requirements covering networks, systems and infrastructure, cardholder data handling, access control management, and the procedures around them. Together, the 12 main requirements expand into 250+ separate controls that businesses holding payment card information need to follow.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Does every company have to be compliant? How compliant does your business have to be?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Yes, every company that accepts credit card payments has to prove its compliance in one of the following ways: either through a Self-Assessment Questionnaire or through an assessment by Qualified Security Assessors.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Compliance requirements differ depending on how payments are accepted, but the main question to ask is whether you want to store your customers\u2019 cardholder data. If you do, you immediately become subject to the full set of PCI compliance requirements, which means your business must validate against 250+ requirements. Everyone else needs to make sure they do not store, process, or transmit any cardholder data on their systems or servers.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">What are the PCI compliance requirements and where does one implement them?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">The 12 PCI DSS requirements can be classified into three main subgroups:<\/span><\/p>\n<p><b>Infrastructure.<\/b><span style=\"font-weight: 400;\"> For the infrastructure to be compliant, it must be secure enough to store cardholder data: it must have a firewall and antivirus software, none of the system defaults may remain in use on the machines, physical and virtual access to the infrastructure must be secured, monitored and logged, and remote access must be encrypted.<\/span><\/p>\n<p><b>Applications. <\/b><span style=\"font-weight: 400;\">They must be hosted on a compliant infrastructure and built in a way that meets all the requirements. For example, we at Oro build applications in compliance with <\/span><a href=\"https:\/\/www.pcisecuritystandards.org\/documents\/PCI%20SSC%20Quick%20Reference%20Guide.pdf\"><span style=\"font-weight: 400;\">PCI requirements<\/span><\/a><span style=\"font-weight: 400;\"> from the start. 
Every step of cardholder data handling must be secured, and the data must be encrypted whenever any part of it may be transmitted over open or public networks.<\/span><\/p>\n<p><b>Processes. <\/b><span style=\"font-weight: 400;\">To be PCI compliant, you must create clear information security policies and procedures covering deployment, working with data, access management, and general data handling. You must also ensure appropriate staff training and regularly test and monitor security systems and processes. This includes managing access to the data with extreme care: using unique IDs with two-factor authentication, granting access only on a need-to-know basis, and allowing only trained personnel to access the sensitive data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In addition, when integrating your systems with external providers or implementing new solutions, it\u2019s best to choose those that are compliant with PCI DSS, so you don\u2019t have to go about complying with a gazillion additional integration requirements.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">How do Oro solutions measure up? What is the shared responsibility when we use Oro products?<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">If OroCommerce is deployed in the OroCloud infrastructure, it offers your business a PCI DSS compliant solution. This means that you get a secure and PCI-compliant infrastructure and only have to take care of the procedural controls, internal employee training and policies.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">OroCommerce deployed in a non-OroCloud infrastructure already covers all Application requirements of PCI DSS, but the infrastructure, network security, procedures and policies, as well as staff training, are left to the client to bring into compliance.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To help you figure out which aspects of your eCommerce infrastructure you don&#8217;t have to worry about because Oro has them covered, and where you still need to pay attention, we have created this &#8220;PCI DSS Shared Responsibility Matrix for OroCommerce&#8221;. We have listed the 12 main PCI DSS requirements in the table below and marked how OroCloud and on-premise infrastructures address them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&#8220;+&#8221; &#8211; means that OroCommerce is responsible for this requirement and conforms to it;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&#8220;-&#8221; &#8211; means that in this particular configuration, OroCommerce cannot be responsible for conformity with this requirement, as it&#8217;s on the client&#8217;s side, and so the client is responsible for making sure their infrastructure meets it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">&#8220;+\/-&#8221; &#8211; this configuration of OroCommerce conforms to the requirement, but there are areas and\/or processes out of our control that have to be taken care of on the client&#8217;s side.<\/span><\/p>\n<h2><span style=\"font-weight: 400;\">Simplified PCI DSS Shared Responsibility Matrix for OroCommerce<\/span><\/h2>\n<table dir=\"ltr\" border=\"1\" cellspacing=\"5\" cellpadding=\"5\">\n<colgroup>\n<col width=\"25\" \/><\/colgroup>\n<colgroup>\n<col width=\"431\" \/><\/colgroup>\n<tbody>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">#<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><strong><i>PCI DSS 
Requirements<\/i><\/strong><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><strong><i>OroCloud-hosted OroCommerce PaaS solution<\/i><\/strong><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><strong><i>OroCommerce on-premise<\/i><\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">1<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\"> Install and maintain a <\/span><\/i><a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/firewall\"><i><span style=\"font-weight: 400;\">firewall<\/span><\/i><\/a><i><span style=\"font-weight: 400;\"> configuration to protect cardholder <\/span><\/i><a href=\"http:\/\/searchdatamanagement.techtarget.com\/definition\/data\"><i><span style=\"font-weight: 400;\">data<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">2<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Do not use vendor-supplied <\/span><\/i><a href=\"http:\/\/whatis.techtarget.com\/definition\/default\"><i><span style=\"font-weight: 400;\">defaults<\/span><\/i><\/a><i><span style=\"font-weight: 400;\"> for system <\/span><\/i><a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/password\"><i><span style=\"font-weight: 400;\">passwords<\/span><\/i><\/a><i><span style=\"font-weight: 400;\"> and other security parameters.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td 
style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">3<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Protect <\/span><\/i><a href=\"http:\/\/searchstorage.techtarget.com\/definition\/data-at-rest\"><i><span style=\"font-weight: 400;\">stored cardholder data<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.**<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">-\/+<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">4<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/encryption\"><i><span style=\"font-weight: 400;\">Encrypt<\/span><\/i><\/a><i><span style=\"font-weight: 400;\"> transmission of cardholder data across open, public networks.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">5<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Use and regularly update <\/span><\/i><a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/antivirus-software\"><i><span style=\"font-weight: 400;\">antivirus software<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.* <\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+\/-<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 
400;\">6<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Develop and maintain secure systems and applications.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">7<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Restrict access to cardholder data by business <\/span><\/i><a href=\"http:\/\/searchsecurity.techtarget.com\/definition\/role-based-access-control-RBAC\"><i><span style=\"font-weight: 400;\">need-to-know<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.** <\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+\/-<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">-\/+<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">8<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Assign a unique ID to each person with computer access.***<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+\/-<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">-\/+<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">9<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Restrict physical access to cardholder data.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 
400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">10<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Track and monitor all access to network resources and cardholder data.**<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">-\/+<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">11<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Regularly test security systems and processes.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+\/-<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<tr>\n<td style=\"padding-left: 5px;\" height=\"70\"><i><span style=\"font-weight: 400;\">12<\/span><\/i><\/td>\n<td style=\"padding-left: 15px;\" height=\"70\"><i><span style=\"font-weight: 400;\">Maintain a policy that addresses information security.<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">+\/-<\/span><\/i><\/td>\n<td style=\"text-align: center;\"><i><span style=\"font-weight: 400;\">&#8211;<\/span><\/i><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><em><span style=\"font-weight: 400;\">* Oro is compliant on its part of the OroCommerce application security, and the Client is responsible for keeping the equipment and applications they are using up-to-date<br \/>\n<\/span><\/em><em><span style=\"font-weight: 400;\">** OroCommerce implemented on OroCloud gives all the necessary tools to track and monitor who accesses the network and cardholder data.<br \/>\n<\/span><\/em><em><span style=\"font-weight: 400;\">*** Oro does not restrict access 
or assign unique IDs to the users, but we give our clients the <\/span><span style=\"font-weight: 400;\">tools to manage this.<\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients. It\u2019s a healthy information security practice followed by most of your peers and competitors.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>What is PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) is a compliance standard for an organization&#8217;s information security. It makes sure businesses securely handle the payment information of buyers from the major credit card companies, like Visa, MasterCard, American Express, etc. As of December 15, 2004, it has changed the individual [&hellip;]<\/p>\n","protected":false},"author":23961,"featured_media":109228,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"ep_exclude_from_search":false,"footnotes":""},"categories":[210],"tags":[],"class_list":{"0":"post-17843","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-b2b-ecommerce"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce<\/title>\n<meta name=\"description\" content=\"PCI DSS is a list of security requirements for eCommerce websites handling credit card data. 
Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce\" \/>\n<meta property=\"og:description\" content=\"PCI DSS is a list of security requirements for eCommerce websites handling credit card data. Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/\" \/>\n<meta property=\"og:site_name\" content=\"OroCommerce\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/OroCommerce-333319140210515\/\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-25T02:21:16+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-07-07T07:39:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/oroinc.com\/b2b-ecommerce\/wp-content\/uploads\/sites\/3\/2022\/05\/pci-compliance-social.png\" \/>\n\t<meta property=\"og:image:width\" content=\"540\" \/>\n\t<meta property=\"og:image:height\" content=\"280\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Anna Korolekh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" 
content=\"@orocommerce\" \/>\n<meta name=\"twitter:site\" content=\"@orocommerce\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Anna Korolekh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/oroinc.com\/b2b-ecommerce\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"B2B eCommerce\",\"item\":\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/category\/b2b-ecommerce\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"PCI DSS Compliance: What Every eCommerce Business Should Know\"}]},{\"@type\":\"FAQPage\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"\/#\/schema\/image\/109228\",\"url\":\"https:\/\/oroinc.com\/b2b-ecommerce\/wp-content\/uploads\/sites\/3\/2022\/05\/pci-compliance.png\",\"contentUrl\":\"https:\/\/oroinc.com\/b2b-ecommerce\/wp-content\/uploads\/sites\/3\/2022\/05\/pci-compliance.png\",\"width\":750,\"height\":440,\"caption\":\"pci-compliance\"},\"name\":\"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce\",\"url\":\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/\",\"headline\":\"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | 
OroCommerce\",\"datePublished\":\"2022-05-25T02:21:16+00:00\",\"dateModified\":\"2023-07-07T07:39:14+00:00\",\"mainEntityOfPage\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/\"},\"author\":{\"@id\":\"https:\/\/oroinc.com\/b2b-ecommerce\/#\/schema\/person\/6e951d88bc4f54fe8fe24c751e6ac926\"},\"isPartOf\":{\"@type\":\"WebSite\",\"@id\":\"https:\/\/oroinc.com\/b2b-ecommerce\/#website\"},\"@id\":\"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/#faqpage\",\"description\":\"PCI DSS is a list of security requirements for eCommerce websites handling credit card data. Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients.\",\"publisher\":{\"@id\":\"https:\/\/oroinc.com\/b2b-ecommerce\/#organization\"},\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce","description":"PCI DSS is a list of security requirements for eCommerce websites handling credit card data. 
Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/","og_locale":"en_US","og_type":"article","og_title":"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce","og_description":"PCI DSS is a list of security requirements for eCommerce websites handling credit card data. Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients.","og_url":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/","og_site_name":"OroCommerce","article_publisher":"https:\/\/www.facebook.com\/OroCommerce-333319140210515\/","article_published_time":"2022-05-25T02:21:16+00:00","article_modified_time":"2023-07-07T07:39:14+00:00","og_image":[{"width":540,"height":280,"url":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-content\/uploads\/sites\/3\/2022\/05\/pci-compliance-social.png","type":"image\/png"}],"author":"Anna Korolekh","twitter_card":"summary_large_image","twitter_creator":"@orocommerce","twitter_site":"@orocommerce","twitter_misc":{"Written by":"Anna Korolekh","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"BreadcrumbList","@id":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/oroinc.com\/b2b-ecommerce\/"},{"@type":"ListItem","position":2,"name":"B2B eCommerce","item":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/category\/b2b-ecommerce\/"},{"@type":"ListItem","position":3,"name":"PCI DSS Compliance: What Every eCommerce Business Should Know"}]},{"@type":"FAQPage","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"\/#\/schema\/image\/109228","url":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-content\/uploads\/sites\/3\/2022\/05\/pci-compliance.png","contentUrl":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-content\/uploads\/sites\/3\/2022\/05\/pci-compliance.png","width":750,"height":440,"caption":"pci-compliance"},"name":"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | OroCommerce","url":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/","headline":"PCI DSS eCommerce Compliance: What Every eCommerce Business Needs to Know | 
OroCommerce","datePublished":"2022-05-25T02:21:16+00:00","dateModified":"2023-07-07T07:39:14+00:00","mainEntityOfPage":{"@type":"WebPage","@id":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/"},"author":{"@id":"https:\/\/oroinc.com\/b2b-ecommerce\/#\/schema\/person\/6e951d88bc4f54fe8fe24c751e6ac926"},"isPartOf":{"@type":"WebSite","@id":"https:\/\/oroinc.com\/b2b-ecommerce\/#website"},"@id":"https:\/\/oroinc.com\/b2b-ecommerce\/blog\/payment-card-industry-data-security-standard-pci-dss-compliance-what-every-ecommerce-business-needs-to-know\/#faqpage","description":"PCI DSS is a list of security requirements for eCommerce websites handling credit card data. Complying with PCI DSS requirements is not just a mere formality, but a way to promote loyalty and trust among potential and existing clients.","publisher":{"@id":"https:\/\/oroinc.com\/b2b-ecommerce\/#organization"},"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/posts\/17843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/users\/23961"}],"replies":[{"embeddable":true,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/comments?post=17843"}],"version-history":[{"count":7,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/posts\/17843\/revisions"}],"predecessor-version":[{"id":139138,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/posts\/17843\/revisions\/139138"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/media\/109228"}],"wp:attachment":[{"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/media?parent=1
7843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/categories?post=17843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/oroinc.com\/b2b-ecommerce\/wp-json\/wp\/v2\/tags?post=17843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}