Navigating PCI compliance is difficult and complicated. Our ecommerce strategists are fluent in the details of PCI compliance and can help ensure that you are both secured and verified.
Verify your Security
PCI compliance is overly complicated, but it's critical to any business that takes credit cards. We help navigate the complexities and make sure you are secure.
PCI compliance needs to be better understood — there are too many misconceptions about it.
First, PCI Compliance is not the same thing as security. You can be secure and not be PCI compliant. Likewise, you can be compliant without being secure.
Second, if you take credit cards at all, your payment provider most likely had you sign a document that you will maintain PCI compliance. Since PCI is a best-practices guideline from the credit cards (not a law in most states), they require your compliance in order to prevent fraud. If you aren't a compliant merchant, and you take credit cards, if there is a fraud or security event where cards are stolen, you may be liable for any fraudulent charges + fines.
Third, PCI compliance is not just about what you do with the physical credit card. It has four main areas:
- Network & IT security
- Business / HR policies
- Credit Card handling and storage
- Server and Application security.
Just because you use Shopify or another cloud-based ecommerce storage, does not mean you can avoid PCI compliance as you still have to comply with the areas of the standards.
To maintain your compliance, you must do a yearly signed assessment of your network, IT & HR policies, credit handling, etc., as well as complete monthly security & penetration tests.
At GRAYBOX, we are not certified PCI assessors, but we can provide help and guidance in getting your compliance up to date.
Compliance ≠ Security
With PCI compliance, it's important not to confuse being compliant with being secure. You can be secure without being compliant. Compliance is a third-party attestation of security protocols and procedures for a given point of time.
It's hard to keep track of what compliance level if you might need - there are currently 8 subtypes of PCI Compliance, called SAQ levels. We help you determine your best one and get you certified.
Once you are certified complaint, you have to maintain that with monthly security scans, regular development updates and yearly IT assessments. We help to keep to compliant.