PCI Compliance

PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.

Our servers are PCI DSS 3.2 certified at Level 1, which protects against credit card data breaches and eliminates the massive cost and hassle of handling compliance yourself. We let you accept leading payment methods without worrying about implementing PCI standards for your online store.

Who is required to provide proof of compliance?

PCI compliance applies to any merchant or organization that accepts, transmits, or stores any cardholder data, regardless of size. If you accept transactions from customers using credit or debit cards, the PCI DSS requirements apply. BigCommerce is a PCI DSS compliant service provider and is certified annually against all requirements (1-12), including as a shared hosting provider.

The ultimate responsibility for PCI compliance lies with you, and it depends on the architecture of your e-commerce store and the channels of integration you use.

Integrations with BigCommerce and Responsibility Matrix

Integration: BigCommerce as a storefront and backend
  • BigCommerce responsibility: Responsible for all PCI DSS requirements (1-12) of the product to the point that it has control of merchants' stores.
  • Merchant responsibility: Responsible for ensuring that all modifications that result in external calls to, or integrations with, outside parties are done in a PCI DSS compliant manner. Responsible for ensuring all design modifications are done in a PCI DSS compliant manner. Responsible for ensuring that all service providers it uses are compliant with PCI DSS.

Integration: BigCommerce as a backend, for example, headless integrations or the BigCommerce WordPress Plugin
  • BigCommerce responsibility: Responsible for all PCI DSS requirements from the point at which cardholder data is handed to a BigCommerce controlled interface (see BigCommerce Attestation of PCI DSS 2019-2020).
  • Merchant responsibility: Responsible for the PCI DSS compliance of its storefront, plus all of the above.

Integration: Checkout and Payments SDK
  • BigCommerce responsibility: Not responsible. The way your business consumes the SDKs (either BigCommerce as a storefront and backend, or BigCommerce as a backend) determines BigCommerce's responsibilities.
  • Merchant responsibility: Responsible for the applicable PCI DSS compliance requirements stated under BigCommerce as a storefront or BigCommerce as a backend. The way your business consumes the SDKs (either BigCommerce as a storefront and backend, or BigCommerce as a backend) determines BigCommerce's responsibilities.

Integration: Checkout and Payments API
  • BigCommerce responsibility: Not responsible. The way your business consumes the APIs (either BigCommerce as a storefront and backend, or BigCommerce as a backend) determines BigCommerce's responsibilities.
  • Merchant responsibility: Responsible for the applicable PCI DSS compliance requirements stated under BigCommerce as a storefront or BigCommerce as a backend. The way your business consumes the APIs (either BigCommerce as a storefront and backend, or BigCommerce as a backend) determines BigCommerce's responsibilities.

How do you show proof of compliance?

If you're using a third-party platform such as BigCommerce and you are asked to provide an Attestation of PCI DSS Compliance, you can download it here: 2019 - 2020 Attestation of PCI DSS Compliance.

This document allows you to provide proof that your store is PCI compliant.

This attestation is dated for last year. Is it out of date? The date on the cover of the PCI Attestation refers to when the standards were last revised, not to when the Attestation was completed. The date the report was delivered is found on page 10 of the document.

Why do I need to reset my password every 90 days?

It is part of Requirement 8 of Version 3.2 of the Payment Card Industry Data Security Standard. To remain PCI compliant, passwords must change at least every 90 days. See PCI Compliance Password Requirements for more details.

Why was I logged out of my store?

Another PCI compliance requirement is that a session must time out after a set period of inactivity. By default this is set to two hours, meaning that if you are logged into your store's control panel but do not click anything for two hours, the system will log you out. See Adjusting the Control Panel Timeout Window for more information on how to adjust this setting.

Incorrectly Stored Credit Card Data

BigCommerce is a PCI DSS Level 1 Service Provider; as such, our storage of Account Data is audited annually by a Qualified Security Assessor (QSA).

The Payment Card Industry Data Security Standard defines Account Data in the following way:

  • Cardholder Data
    • Primary Account Number
    • Cardholder Name
    • Expiration Date
  • Sensitive Authentication Data
    • Security Code (CVV)

While the standard does have a provision for the storage of Cardholder Data before the completion of the credit transaction, it does not make allowance for the storage of Sensitive Authentication Data.

However, to reduce exposure of Cardholder Data, it is BigCommerce policy not to store any Account Data.

BigCommerce performs ongoing security scans to ensure compliance with data security across our platform. If a merchant is storing data that violates the policy mentioned above, the data will be deleted, and the merchant will be alerted of the violation.
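As an added illustration (not BigCommerce's own scanner), the following check shows how a merchant can audit their own stored records for the two Account Data categories defined above: a Luhn-validated Primary Account Number is flagged as Cardholder Data, and a populated security-code field is flagged as Sensitive Authentication Data. The record layout and field names are assumptions.

```python
import re

# Constructed sample records (not real BigCommerce data); field names are assumptions.
SAMPLE_RECORDS = [
    {"order_id": 1001, "status": "completed", "notes": "paid with 4111 1111 1111 1111"},
    {"order_id": 1002, "status": "pending", "card_number": "5555555555554444", "cvv": "123"},
    {"order_id": 1003, "status": "completed", "notes": "tracking 1234567890123456"},
]

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Field names under which a security code (Sensitive Authentication Data) gets stored.
SAD_FIELDS = {"cvv", "cvc", "cvv2", "security_code"}

def luhn_ok(digits: str) -> bool:
    """Luhn check that separates real PANs from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card number in free text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found

def scan_record(rec: dict) -> list[tuple[str, str]]:
    """Return (field, category) findings for one stored record.

    A PAN anywhere is Cardholder Data (storable only until the transaction
    completes, and never under the policy above); a value in a security-code
    field is Sensitive Authentication Data, which the standard never permits storing.
    """
    findings = []
    for field, value in rec.items():
        if field.lower() in SAD_FIELDS and str(value).strip():
            findings.append((field, "Sensitive Authentication Data"))
        elif find_pans(str(value)):
            findings.append((field, "Cardholder Data"))
    return findings

def scan_records(records: list[dict]) -> dict[int, list[tuple[str, str]]]:
    """Map order_id to its findings, omitting clean records."""
    return {r["order_id"]: f for r in records if (f := scan_record(r))}
```

Order 1003 is not flagged: its 16-digit tracking number fails the Luhn check, which keeps a naive "any long number" rule from producing false alerts.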

Recurring Billing Apps

If you have a requirement to store customer credit card data for recurring billing purposes, there are recurring billing applications available in the BigCommerce app marketplace that can satisfy this requirement.

Stored Credit Card Feature

In BigCommerce, the Stored Credit Cards feature does NOT store credit card information in your store. The payment gateway stores this information, which is in keeping with PCI compliance.