PCI compliance is important for any business that does financial transactions on the Internet. Maintaining a secure environment for the financial records of your business’s customers is paramount. Not doing so could open your business up to being sued by customers if there is a security breach, and/or to fines by your credit card processor.
If the breach is big enough and the fines are heavy enough, it could force your company out of business. When you design your website, it must be PCI compliant if you are going to use it to accept online payments. However, is your web developer or web hosting company liable for financial damages your company incurs if your website is not PCI compliant?
Are Web Developers Liable for PCI Compliance?
In-House Web Developers
Your web developer might have some liability when it comes to your website’s PCI compliance. It all depends on the circumstances. Naturally, if you design the site yourself, you are the one who is liable.
An employee of your company who designs the website is liable only if you write up a contract with him or her stating that the website they design is PCI compliant when it comes to its checkout and/or shopping cart features. Without the contract, you have no proof to show your bank processors or a judge (in the event of a lawsuit) that your employee was required to make the site PCI compliant.
Of course, you can always fire the employee if you asked for PCI compliance in the site design and it isn’t included, especially if this omission causes your company to get fined. The employee won’t be responsible for any of your company’s financial penalties unless you can produce a contract stating that PCI compliance was part of the expectations of the web design, though. Bear this in mind when asking any employee to design a website that accepts online payments for you.
Third-Party Web Developers
The same holds true for professional web developers outside your company whom you hire to design your website. No developer can be held liable for anything unless the contract the developer signed specifies that the site must adhere to PCI compliance standards in its checkout feature and in how it stores the financial information of customers.
With such a contract, you could theoretically sue a web developer who did not make your website PCI compliant if you incurred financial penalties because of it. Without the contract, only you are liable.
If you discover the site is not PCI compliant after it is made, but before anyone else discovers it and penalties are incurred, you can simply ask the developer to do the work again properly, ask for a refund (or sue for one, if you have a contract stating PCI compliance is required), or hire a different developer to make the site PCI compliant for you.
Are Web Hosting Companies Liable for PCI Compliance?
Your web hosting company is generally not responsible for the PCI compliance of your website. All the hosting company is doing is providing a home on the Internet for your website. What is on your website is your responsibility. There are exceptions to this, however.
Generally, Your Hosting Company is Not Liable
In most cases, though, your web hosting company is just that…a web hosting company. It will have little to nothing to do with what is on your website, as most professionally built websites do not need to use the built-in tools of their web host. As long as the web hosting company doesn’t offer financial tools (or if it does, but you don’t use them on your website), then it cannot be held liable for the PCI compliance status of your website.
Exception: If You Use Your Hosting Company’s Payment Tools
If your web hosting provider makes shopping cart and payment processing tools available to you and promises that they are PCI-compliant tools, they may be liable if you use them on your website and later discover they are not compliant.
If the promise of PCI compliance is in writing in the web hosting company’s terms of service or description of its financial tools for your website, you will have grounds to sue them for damages if your site is found to be non-compliant with PCI standards and you incur financial and/or reputation penalties because of it.
So, Who is Liable for Your Website’s PCI Compliance?
When it comes right down to it, you are the one who is responsible for the PCI compliance status of your website. You need to double-check the work of any web developer and the workings of any web hosting financial tool for your website to make sure the PCI compliance is there.
You’re Responsible for Your Website’s Compliance
If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties because of it. Your web developer or web hosting company will not be fined. You will have to take them to court to try to make the court hold them liable for the financial penalties you incurred.
How to Ensure PCI Compliance for Your Website
If your business is going to be conducting any kind of financial transaction over the Internet, compliance needs to be built into your website from the very beginning. Build compliance into your website’s foundations, and you will always be able to feel confident that your business is operating within PCI standards. The areas of the PCI guidelines you should be most concerned with when getting your website designed are Requirements 3, 4, and 6, and their sub-sections. These are the requirements that pertain to how the website protects the financial information of customers, particularly credit card information. These protections are far easier to build in from the start than to retrofit later. Protection features you will want to include in order to be compliant are encryption of the data and control over who has access to it.
- Get a Contract – Holding a developer or hosting company liable will likely only succeed if there is something in writing, such as a signed contract or clear promises on the web developer’s or web hosting company’s website. In general, the best thing you can do to avoid incurring any penalties for not being PCI compliant is to verify compliance yourself, since you are the one who will be held liable before anyone else.
- Secure Web Applications – Applications are addressed by PCI Requirement #6 and its sub-sections. The requirements pertaining to applications are applied to both internal and external applications. Applications are subject to compliance standards if they transmit, process, or store credit card data and/or personal information about the people who own these cards. Applications developed by your business, and those developed by third parties for client companies to use are subject to PCI standards and must be audited by a PCI-approved auditor each year to make sure they remain in compliance.
- Address Coding Vulnerabilities – PCI requires all coding in your website to be secure. Software developers on your team or who you hire from external companies must all be knowledgeable in how to do secure coding. This includes avoiding common coding errors that can leave your website more open to hacking and put your customers’ financial and personal data at risk of being used for nefarious purposes. Coders should also have a good understanding of how this type of sensitive data should be secured in your website’s memory. Look for coders who have been certified by a third party as being proficient in these areas.
- Maintain Ongoing Compliance Efforts – Staying compliant with PCI requirements is important to the future of your business. Compliance is acquired in two phases. The first phase is achieving compliance. The second phase is maintaining compliance as a normal and ingrained part of the way your company conducts business. Once your business is in PCI compliance all the time, and compliance is so much a part of the way you do business that you no longer have to think about it to know you are compliant, your business will have reached the pinnacle of compliance achievement. That is the gold standard of compliance every business should aim to reach.
- Hire a Third-Party PCI Auditing Firm – If you have concerns about your business being PCI compliant, you shouldn’t wait until your annual mandated audit by a PCI qualified auditor. You can employ a third-party auditor that is familiar with all the PCI requirements.
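The "Address Coding Vulnerabilities" and "Secure Web Applications" points above, and the earlier mention of Requirement 3 (protect stored account data) and Requirement 6 (secure development), are easier to act on with a concrete picture of what "not keeping what you don't need" looks like in code. The following Python sketch is an added example written for this page; it is not code from the article or from I.S. Partners, LLC, and the names `CardVault`, `StoredCard`, `luhn_ok`, `mask_pan` and `pan_fingerprint` are this example's own. It assumes the full card number is passed straight to the payment processor and that the site itself keeps only an opaque token, a masked form for display (first six and last four digits), a keyed HMAC-SHA256 fingerprint for matching repeat cards, and the expiry date. Sensitive authentication data (CVV/CVC, PIN, track data) is refused outright so that a coding slip cannot quietly persist it. Only the standard library is used; a site that must retain a PAN would additionally need strong encryption at rest with separately managed keys, which this example deliberately does not attempt.

```python
"""Cardholder-data handling in the spirit of PCI DSS Requirements 3 and 6.

Added illustration (not code from the article or from I.S. Partners, LLC):
- a Luhn check rejects malformed PANs before anything is recorded;
- the full PAN is never retained: only an opaque token, a masked form
  (first six / last four) and a keyed HMAC-SHA256 fingerprint are kept;
- sensitive authentication data (CVV/CVC, PIN, track data) is refused
  outright, so a coding mistake cannot persist it.
Names such as CardVault and StoredCard are this example's own.
"""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


class SensitiveAuthDataError(ValueError):
    """Raised when a caller tries to persist data PCI DSS forbids storing."""


def luhn_ok(pan: str) -> bool:
    """Return True if `pan` is 13-19 digits and passes the Luhn checksum."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask for display: at most the first six and last four digits visible."""
    if not luhn_ok(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_fingerprint(pan: str, key: bytes) -> str:
    """Keyed one-way hash so repeat cards can be matched without the PAN."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredCard:
    token: str        # opaque reference handed back to the application
    masked_pan: str   # safe to show on receipts and in the admin UI
    fingerprint: str  # HMAC of the PAN; useless without the secret key
    expiry: str       # MM/YY, permitted to store under PCI DSS


class CardVault:
    """Minimal vault: the PAN goes to the processor, only derived data stays."""

    # Sensitive authentication data that must not be stored after authorisation.
    FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "cid", "pin", "track1", "track2"}

    def __init__(self, hmac_key: bytes) -> None:
        if len(hmac_key) < 32:
            raise ValueError("HMAC key must be at least 256 bits")
        self._key = hmac_key
        self._records: Dict[str, StoredCard] = {}

    def store(self, fields: Dict[str, str]) -> StoredCard:
        forbidden = self.FORBIDDEN_FIELDS & {k.lower() for k in fields}
        if forbidden:
            raise SensitiveAuthDataError(
                f"refusing to store sensitive authentication data: {sorted(forbidden)}")
        pan = re.sub(r"[ -]", "", fields["pan"])   # strip spaces/dashes from input
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)
        record = StoredCard(token, mask_pan(pan), pan_fingerprint(pan, self._key),
                            fields["expiry"])
        self._records[token] = record
        return record

    def lookup(self, token: str) -> Optional[StoredCard]:
        return self._records.get(token)


if __name__ == "__main__":
    vault = CardVault(secrets.token_bytes(32))   # constructed key for the demo only
    # Constructed input using a widely published test card number, not a real card.
    card = vault.store({"pan": "4111 1111 1111 1111", "expiry": "12/30"})
    print(card.masked_pan)                       # 411111******1111
```

The design choice worth noticing is that the vault has no method that returns a full PAN: an auditor checking Requirement 3 can confirm the data simply is not there, and a developer cannot accidentally log or display it. The `FORBIDDEN_FIELDS` check turns a policy ("never store CVV") into a failing call, which is the kind of secure-coding habit the bullet above asks your developers to have.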
I.S. Partners, LLC will let you know if you are compliant, and if you’re not, they will let you know which areas need improvement, and how to improve them. In order to give you peace of mind concerning your business and its PCI compliance, hire I.S. Partners, LLC to come audit your business quarterly. With regular audits by I.S. Partners, LLC, you will eventually become familiar with the PCI requirements yourself, so much so that using them will become a natural part of your business.