Browse by Topic

PCI Compliance

PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.

Our servers are PCI DSS 3.2 certified at Level 1, which protects against credit card data breaches and eliminates the massive cost and hassle of handling compliance yourself. We let you accept leading payment methods without worrying about implementing PCI standards for your online store. 

 
 

Who is required to provide proof of compliance?

PCI compliance applies to any merchant or organization that accepts, transmits, or stores any cardholder data, regardless of size. If you accept transactions from customers using credit or debit cards, the PCI DSS requirements apply. BigCommerce is a PCI DSS compliant service provider and certifies annually all requirements (1-12) including as a shared hosting provider.

The ultimate responsibility of PCI compliance lies with you and takes into consideration the architecture of your e-commerce store and multiple channels of integrations.

Integrations with BigCommerce and Responsibility Matrix

 BigCommerce ResponsibilityMerchant Responsibility
BigCommerce as a storefront and backendResponsible for all PCI DSS requirements (1-12) of the product to the point that it has control of Merchants stores.Responsible for ensuring that all modifications that result in external calls to, or integrations with outside parties are done in a PCI DSS compliant manner.

Responsible for ensuring all design modifications are done in a PCI DSS compliant manner.

Responsible for ensuring that all service providers it uses are compliant with PCI DSS.
BigCommerce as a backend, for example, headless integrations or the BigCommerce WordPress PluginResponsible for all PCI DSS requirements from the point at which cardholder data is handed to a BigCommerce controlled interface. (see BigCommerce Attestation of PCI DSS 2020-2021)Responsible for the PCI DSS compliance of its storefront plus all of the above.
Checkout and Payments SDKNot Responsible
The way your business consumes the SDKs (either BigCommerce as a storefront and backend or BigCommerce as a backend ) would determine BigCommerce’s responsibilities.
Responsible for the PCI DSS compliance requirements applicable stated in BigCommerce as a storefront or BigCommerce as a backend.

The way your business consumes the SDKs (either BigCommerce as a storefront and backend or BigCommerce as a backend ) would determine BigCommerce’s responsibilities.
Checkout and Payments APINot Responsible
The way your business consumes the SDKs (either BigCommerce as a storefront and backend or BigCommerce as a backend ) would determine BigCommerce’s responsibilities.
Responsible for the PCI DSS compliance requirements applicable stated in BigCommerce as a storefront or BigCommerce as a backend.

The way your business consumes the SDKs (either BigCommerce as a storefront and backend or BigCommerce as a backend ) would determine BigCommerce’s responsibilities.
 
 

How do I have my site scanned by an ASV?

You may have business needs that require your site to be scanned for PCI Compliance outside of our own Attestation of PCI DSS Compliance. If you choose to have your site scanned externally, you will need to choose an ASV (Approved Scanning Vendor). 

Before you have your site scanned, make sure that the ASV you choose is approved by the PCI Security Standards Council. Refer to this full list of Approved Scanning Vendors.

Once you have chosen an ASV, there are some things to consider before launching your scan:

  • You will need to provide the ASV with your Domain. Do not use the IP. Because BigCommerce stores are hosted on GCP (Google Cloud Platform), scans against the IP address will often result in services being found that are not in use by BigCommerce. This can result in a false positive, requiring you to re-scan your site.
  • Dynamic Scanning, which is often used in some form when engaging in traditional penetration tests, is prohibited in the BigCommerce Acceptable Use Policy.

If you are unsure about what information to provide to your chosen ASV or have questions about what is or is not allowed, contact us and our support team can help guide you through the process.

 
 

How do you show proof of compliance?

If you're using a third-party platform such as BigCommerce and you are asked to provide an Attestation of PCI DSS Compliance, you can download it here: 2020 - 2021 Attestation of PCI DSS Compliance.

This document allows you to provide proof that your store is PCI compliant.

 

This attestation is dated for last year. Is it out of date? The date on the cover of the PCI Attestation refers to when the standards were last revised. It does not refer to when the Attestation was completed. The date the report was delivered is found on page 10 of the document.

For an in-depth guide to what PCI DSS is, how to achieve it for your business, and a compliance checklist, visit our blog Everything You Need to Know About Achieving PCI Compliance.

The PCI Compliance Guide is an FAQ that comes directly from from the organization that governs PCI Compliance standards, and is an excellent source for PCI compliance requirements.

 
 

Why do I need to reset my password every 90 days?

It is part of the requirements stated in Requirement 8 of Version 3.2 of the Payment Card Industry Data Security Standards. To remain PCI compliant, passwords must change at least every 90 days. See PCI Compliance Password Requirements for more details.

 
 

Why was I logged out of my store?

Another requirement for PCI compliance requires that if there is no activity for a set amount of time, the session has to time out. By default this is set to two hours, meaning if you are logged into your store's control panel but do not click anything for two hours, the system will log you out. See Adjusting the Control Panel Timeout Window for more information on how to adjust this setting.

 
 

Incorrectly Stored Credit Card Data

BigCommerce is a PCI-DSS Level 1 Service Provider, as such our storage of Account Data is audited annually by a Qualified Security Assessor (QSA).

The Payment Card Industry Data Security Standard defines Account Data in the following way;

  • Cardholder Data
  • Primary Account Number
  • Cardholder Name
  • Expiration Date
  • Sensitive Authentication Data
  • Security Code (CVV)

While the standard does have a provision for the storage of Cardholder Data before the completion of the credit transaction, it does not make allowance for the storage of Sensitive Authentication Data.

However, to reduce exposure of Cardholder Data, it is BigCommerce policy not to store any Account Data.

BigCommerce performs ongoing security scans to ensure compliance with data security across our platform. If a merchant is storing data that violates any of the policy mentioned above, the data will be deleted, and the merchant will be alerted of the violation.

Recurring Billing Apps

If you have a requirement to store customer credit card data for recurring billing purposes, there are recurring billing applications available in the BigCommerce app marketplace that can satisfy this requirement.

Stored Credit Card Feature

In BigCommerce, the Stored Credit Cards does NOT store credit card information in your store. The payment gateway stores this information which is in keeping with PCI compliance.

Was this article helpful?