Navigating PCI compliance is difficult and complicated. Our ecommerce strategists are fluent in the details of PCI compliance and can help ensure that you are both secured and verified.

PCI compliance needs to be better understood — there are too many misconceptions about it.

First, PCI Compliance is not the same thing as security. You can be secure and not be PCI compliant. Likewise, you can be compliant without being secure.

Second, if you take credit cards at all, your payment provider most likely had you sign a document that you will maintain PCI compliance. Since PCI is a best-practices guideline from the credit cards (not a law in most states), they require your compliance in order to prevent fraud. If you aren't a compliant merchant, and you take credit cards, if there is a fraud or security event where cards are stolen, you may be liable for any fraudulent charges + fines.

Third, PCI compliance is not just about what you do with the physical credit card. It has four main areas:

1. Network & IT security
2. Business / HR policies
3. Credit Card handling and storage
4. Server and Application security.

Just because you use Shopify or another cloud-based ecommerce storage, does not mean you can avoid PCI compliance as you still have to comply with the areas of the standards.

To maintain your compliance, you must do a yearly signed assessment of your network, IT & HR policies, credit handling, etc., as well as complete monthly security & penetration tests.

At GRAYBOX, we are not certified PCI assessors, but we can provide help and guidance in getting your compliance up to date.