PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment. Our servers are PCI DSS 3.2 certified at Level 1, which protects against credit card data breaches and eliminates the massive cost and hassle of handling compliance yourself. We let you accept leading payment methods without worrying about implementing PCI standards for your online store.
Who Is Required to Provide Proof of Compliance?
PCI compliance applies to any merchant or organization that accepts, transmits or stores any cardholder data, regardless of size. If you accept transactions from customers using credit or debit cards, the PCI DSS requirements apply. Since it is BigCommerce's servers, BigCommerce is required to provide proof, not individual merchants using our service.
How Do You Show Proof of Compliance?
If using a third-party platform such as BigCommerce and you are asked to provide an Attestation of PCI DSS Compliance, you can download it here: 2018 - 2019 Attestation of PCI DSS Compliance.
This document allows you to provide proof that your store is PCI compliant.
This attestation is dated for last year, is it out of date? The date on the cover of the PCI Attestation refers to when the standards were last revised. It does not refer to when the Attestation was completed. The date the report was delivered is found on page 10 of the document.
Why Do I Need to Reset My Password Every 90 Days?
It is part of the requirements stated in Requirement 8 of Version 3.2 of the Payment Card Industry Data Security Standards. In order to remain PCI compliant, the password must change at least every 90 days. See PCI Compliance Password Requirements for more details.
Why Was I Logged out of My Store?
Another requirement for PCI compliance requires that if there is no activity for a set amount of time, the session has to time out. By default this is set to 15 minutes, meaning if you are logged into your store's control panel but do not click anything for 15 minutes, the system will log you out. See Control Panel Timeout Window for more information on how to adjust this setting.
Incorrectly Stored Credit Card Data
BigCommerce is a PCI-DSS Level 1 Service Provider, as such our storage of Account Data is audited annually by a Qualified Security Assessor (QSA).
The Payment Card Industry Data Security Standard defines Account Data in the following way;
- Cardholder Data
- Primary Account Number
- Cardholder Name
- Expiration Date
- Sensitive Authentication Data
- Security Code (CVV)
While the standard does have a provision for the storage of Cardholder Data prior to the completion of the credit transaction, it does not make allowance for the storage of Sensitive Authentication Data.
However, to reduce exposure of Cardholder Data, it is BigCommerce policy to not store any Account Data.
BigCommerce performs ongoing security scans to ensure compliance with the data security across our platform. If a merchant is storing data that violates any of the policy mentioned above, the data will be expunged and the merchant will be alerted of the violation.
Recurring Billing Apps
If you have a requirement to store customer credit card data for recurring billing purposes, there are recurring billing applications such as PayWhirl, available in the BigCommerce app marketplace that can satisfy this requirement.