Is Your Web Developer or Hosting Company Liable if Your Website is Not PCI Compliant?
PCI compliance is important for any business that does financial transactions on the Internet. Maintaining a secure environment for the financial records of your business’s customers is paramount. Not doing so could open your business up to being sued by customers if there is a security breach, and/or to fines by your credit card processor. If the breach is big enough and the fines are heavy enough, it could force your company out of business. When you design your website, it must be PCI compliant if you are going to use it to accept online payments. However, is your web developer or web hosting company liable for financial damages your company incurs if your website is not PCI compliant?
Web Developers and PCI Compliance
Your web developer might have some liability when it comes to your website’s PCI compliance. It all depends on the circumstances. Naturally, if you design the site yourself, you are the one who is liable. An employee of your company who designs the website is liable only if you write up a contract with him or her stating that the website he or she designs is PCI compliant when it comes to its checkout and/or shopping cart features. Without the contract, you have no proof to show your bank processors or a judge (in the event of a lawsuit) that your employee was required to make the site PCI compliant. Of course, you can always fire the employee if you asked for PCI compliance in the site design and it isn’t included, especially if this omission causes your company to get fined. The employee won’t be responsible for any of your company’s financial penalties, though, unless you can produce a contract stating that PCI compliance was part of the expectations of the web design. Bear this in mind when asking any employee to design a website that accepts online payments for you.
The same holds true for professional web developers outside your company whom you hire to design your website. No developer can be held liable for anything unless a contract the developer signed specifies that the site must adhere to PCI compliance standards in the checkout feature and in how the site stores the financial information of customers. With such a contract, you could theoretically sue a web developer who did not make your website PCI compliant if you incurred financial penalties because of it. Without the contract, only you are liable. If you discover the site is not PCI compliant after it is made, but before anyone else discovers it and penalties are incurred, you can simply ask the developer to do the work again properly, ask for a refund (or sue for one, if you have a contract stating PCI compliance is required), or hire a different developer to make the site PCI compliant for you.
Web Hosting Companies and PCI Compliance
Your web hosting company is generally not responsible for the PCI compliance of your website. All the hosting company is doing is providing a home on the Internet for your website. What is on your website is your responsibility. There are exceptions to this, however.
If your web hosting provider makes shopping cart and payment processing tools available to you and promises that they are PCI compliant tools, they may be liable if you use them on your website and later discover they are not compliant. If the promise of PCI compliance is in writing in the web hosting company’s terms of service or description of its financial tools for your website, you will have grounds to sue them for damages if your site is found to be non-compliant with PCI standards and you incur financial and/or reputation penalties because of it. You could also sue them for damages to your company if there is a data breach; in this case, your customers could sue the web hosting company, too (if their financial information was compromised or otherwise negatively affected in any way).
In most cases, though, your web hosting company is just that: a web hosting company. It will have little to nothing to do with what is on your website, as most professionally built websites do not need to use the built-in tools of their web host. As long as the web hosting company doesn’t offer financial tools (or if it does, but you don’t use them on your website), it cannot be held liable for the PCI compliance status of your website.
PCI Compliance and You
When it comes right down to it, you are the one who is responsible for the PCI compliance status of your website. You need to double-check the work of any web developer and the workings of any web hosting financial tool on your website to make sure they are PCI compliant. If your website is found to be non-compliant with PCI standards, your company will be the one incurring the financial penalties because of it. Your web developer or web hosting company will not be fined. You would have to take them to court to try to have them held liable for the financial penalties you incurred. In this, you will likely only be successful if there is something in writing, such as a signed contract or clear promises on the web developer’s or web hosting company’s website. In general, the best thing you can do to avoid incurring any penalties for not being PCI compliant is to make sure of your website’s compliance yourself, since you are the one who will be held liable before anyone else.
If you are not sure if your website is PCI compliant, regardless of who developed it or how, you can hire a third-party auditing company like I.S. Partners, LLC to examine your website and let you know. I.S. Partners, LLC will also show you the exact areas where your site is non-compliant (if any non-compliance issues are found), and let you know how to fix them. An audit by I.S. Partners, LLC is an excellent investment in your company’s financial future. Contact us by calling 215-675-1400 or request a PCI Quote here!