This month marks a landmark for our eCommerce platform, bluCommerce: it has achieved Level 1, the highest level of PCI DSS certification available to a Service Provider. This means our systems are now even more secure and robust, providing maximum security throughout all stages of payment handling on bluCommerce, and ultimately making PCI DSS compliance easier for our customers.
In 2017, we made the decision as a business to become certified to the highest level of PCI DSS accreditation available, to recognise our commitment to security and to also bring great benefits to our customers. I’m proud to announce we have now achieved this goal! This post serves to give some background as to what this means for our customers and for our platform.
What is PCI?
Every day, consumers make payments online and trust businesses with their personal details. How can they be sure that the Service Providers who so readily accept and retain these details are taking the appropriate measures to secure them? This is where the Payment Card Industry Data Security Standard (PCI DSS) comes in.
The Payment Card Industry Data Security Standard (PCI DSS) is a series of security requirements that have been designed to ensure businesses who handle sensitive cardholder data, at any point in the transaction, are doing so as safely as possible. The standards are not law in the UK, although merchants who don’t comply and are involved in a breach may be subject to fines or costly forensic audits.
Who does it affect?
PCI DSS applies to any company that accepts, processes, stores or transmits sensitive customer payment information. This means all entities involved throughout the end-to-end transaction process must be compliant, including merchants, processors, acquirers, issuers, and service providers.
blubolt as a Service Provider
No matter how many transactions your business handles, PCI DSS compliance is mandatory and there are different levels based on the volumes of transactions processed. As an eCommerce platform provider, we are termed a ‘Service Provider’ by the PCI Security Standards Council. We’ve always taken the necessary measures to ensure our clients and website customers are secure online by complying with PCI DSS and industry security standards.
Retailers who use Service Providers that are PCI compliant at a Level 1 accreditation can ‘check-off’ aspects of their eCommerce site for compliance, saving time, money, and resources. It’s one less step our customers, as the merchant, need to take to ensure their own customers are transactionally secure. In order to achieve PCI DSS Level 1 Accreditation as a Service Provider, we have to undergo a range of checks and tests to our systems to comply with the 12 steps detailed by the PCI Data Security Standard. These largely relate to our processes and technical configuration and provide a guarantee that our systems are secure.
Our approach to PCI DSS compliance
One of the best ways to manage PCI DSS compliance is to reduce the scope by having the minimum number of systems processing or accessing sensitive cardholder data. As part of improvements to our platform, we now process payments through a dedicated, highly secure system called bluCommerce Pay.
When customers choose to pay by card, we seamlessly include bluCommerce Pay in an iFrame in the payment step of checkout to collect and process the card details, which then integrates with your payment gateway (e.g. Sagepay or Verifone). By doing this, we keep the highly sensitive cardholder data away from the main bluCommerce platform.
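The scope-reduction pattern described above relies on the merchant page never touching the card details itself: the hosted iFrame collects them and hands back only an opaque token that the main platform forwards to the gateway. The following is an added example (not blubolt's or bluCommerce Pay's code) of how the parent page can receive that token safely. It assumes a placeholder payment origin, `https://pay.example.com`, and a message format `{ type: 'payment-token', token: '...' }`; both are assumptions for illustration. It accepts messages only from the dedicated payment origin and, as a defence-in-depth check, refuses any message that would carry something resembling a card number into the merchant page.

```javascript
// Added example, not code from blubolt or bluCommerce Pay.
// Parent (merchant checkout) page side of a hosted card-capture iFrame.

// Assumed origin of the dedicated payment iFrame (placeholder value).
const PAY_ORIGIN = 'https://pay.example.com';

// Luhn check, used here only to *detect* a card number leaking into
// the parent page; the parent should never legitimately hold one.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True when a string is 13-19 digits (spaces/dashes ignored) and passes Luhn.
function looksLikePan(value) {
  if (typeof value !== 'string') return false;
  const digits = value.replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Recursively scan a message payload for anything resembling a PAN.
function containsPan(value) {
  if (typeof value === 'number') return looksLikePan(String(value));
  if (typeof value === 'string') return looksLikePan(value);
  if (Array.isArray(value)) return value.some(containsPan);
  if (value && typeof value === 'object') return Object.values(value).some(containsPan);
  return false;
}

// Validate one postMessage event from the payment iFrame.
// Returns { ok: true, token } or { ok: false, reason }.
function handlePaymentMessage(event) {
  // 1. Only the dedicated payment origin may deliver a token.
  if (event.origin !== PAY_ORIGIN) {
    return { ok: false, reason: 'untrusted-origin' };
  }
  const data = event.data;
  // 2. Enforce the expected shape: a type tag and a string token.
  if (!data || data.type !== 'payment-token' || typeof data.token !== 'string') {
    return { ok: false, reason: 'malformed' };
  }
  // 3. Defence in depth: never let cardholder data reach the parent page.
  if (containsPan(data)) {
    return { ok: false, reason: 'pan-leak' };
  }
  return { ok: true, token: data.token };
}

// Browser wiring: store the token in a hidden field for the order submission.
// Guarded so the module also loads outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.addEventListener('message', (event) => {
    const result = handlePaymentMessage(event);
    if (result.ok) {
      document.getElementById('payment-token').value = result.token;
    } else {
      console.warn('Rejected payment message:', result.reason);
    }
  });
}
```

The origin check is what keeps a third-party frame or an injected script from handing the checkout a forged token; the PAN scan is there so that a misconfigured or compromised iFrame cannot quietly pull the merchant page back into PCI scope by echoing the card number alongside the token.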
bluCommerce Pay operates independently from bluCommerce, implemented using a secure-by-design philosophy, with multiple security controls and policies at every level to meet the PCI requirements. Amazon Web Services infrastructure and services are used to ensure best-in-class availability, reliability and security.
In partnership with leading security consultants CNS Group, the security stance and controls of bluCommerce Pay are tested regularly using a range of vulnerability testing tools, and regular penetration tests are carried out on the service.
Their recent achievement of securing PCI Level 1 compliance is a further testament to their hard work and technical approach. CNS Group are delighted to have been involved in that significant achievement and look forward to working with blubolt in the future as they continue to reinforce their impressive cyber posture.
Geoff Bradley, Principal IA Consultant, CNS Group