PCI stands for Payment Card Industry. The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure all companies that process, store or transmit credit card information maintain a secure environment.
Our servers are PCI DSS 3.2 validated at Level 1, which protects against credit card data breaches and eliminates the massive cost and hassle of handling compliance yourself. We let you accept leading payment methods without worrying about implementing PCI standards for your online store.
Who is required to provide proof of compliance?
PCI compliance applies to any merchant or organization that accepts, transmits, or stores any cardholder data, regardless of size. If you accept transactions from customers using credit or debit cards, the PCI DSS requirements apply. BigCommerce is a PCI DSS compliant service provider and certifies annually all requirements (1-12) included as a shared hosting provider.
The ultimate responsibility of PCI compliance lies with you and takes into consideration the architecture of your e-commerce store and multiple channels of integrations.
Integrations with BigCommerce and Responsibility Matrix
| BigCommerce Responsibility | Merchant Responsibility | |
| BigCommerce as a storefront and backend | Responsible for all PCI DSS requirements (1-12) of the product to the point that it has control of merchants' stores. | Responsible for ensuring that all modifications that result in external calls to, or integrations with outside parties are done in a PCI DSS compliant manner. Responsible for ensuring all design modifications are done in a PCI DSS compliant manner. Responsible for ensuring that all service providers it uses are compliant with PCI DSS. |
| BigCommerce as a backend. For example, headless integrations or the BigCommerce WordPress Plugin | Responsible for all PCI DSS requirements from the point at which cardholder data is handed to a BigCommerce controlled interface | Responsible for the PCI DSS compliance of its storefront, plus all of the above. |
| Checkout and Payments SDK | Not Responsible. The way your business consumes the SDKs (either BigCommerce as a storefront and backend, or BigCommerce as a backend) would determine BigCommerce’s responsibilities. | Responsible for the PCI DSS compliance requirements applicable, as stated in BigCommerce as a storefront or BigCommerce as a backend. |
| Checkout and Payments API | Not Responsible. The way your business consumes the SDKs (either BigCommerce as a storefront and backend, or BigCommerce as a backend) would determine BigCommerce’s responsibilities. | Responsible for the PCI DSS compliance requirements applicable, as stated in BigCommerce as a storefront or BigCommerce as a backend. |
How do I have my site scanned by an ASV?
You may have business needs that require your site to be scanned for PCI Compliance outside of our own Attestation of PCI DSS Compliance. If you choose to have your site scanned externally, you will need to choose an ASV (Approved Scanning Vendor).
Before you have your site scanned, make sure that the ASV you choose is approved by the PCI Security Standards Council. Refer to this list of Approved Scanning Vendors.
Once you have chosen an ASV, there are some things to consider before launching your scan:
- You will need to provide the ASV with your domain name. Do not use the IP address. Because BigCommerce stores are hosted on GCP (Google Cloud Platform), scans against the IP address will often result in services being found that are not in use by BigCommerce. This can result in a false positive, requiring you to re-scan your site.
- Dynamic Scanning, which is often used in some form when engaging in traditional penetration tests, is prohibited in the BigCommerce Acceptable Use Policy.
If you are unsure about what information to provide to your chosen ASV or have questions about what is or is not allowed, contact us and our support team can help guide you through the process.
