Earn Customer Trust and Protect Their Card Data

Working with us automatically protects your customers' sensitive payment card information, which is crucial for the success of your e-commerce business.
Achieving and maintaining compliance with PCI-DSS (Payment Card Industry - Data Security Standard) is a vital step towards safeguarding your website against potential attacks and securing your reputation as a trusted merchant. Our compliance services cover the entire infrastructure stack, including themes, plugins, data centers, backups, and DNS, ensuring it meets the rigorous standards set by the PCI-DSS. By partnering with us, you can mitigate non-compliance risks and protect your business from potential fines, loss of banking services, and reputational damage.

Preventing Payment Processing Fraud

Payment processing fraud is a significant concern for e-commerce websites, but with our PCI services, you can fortify your defenses. We provide comprehensive fraud prevention measures to help you combat high-risk transactions effectively. The potential negative impacts of fraud are:
  • The merchant loses access to banking services and can no longer accept online payments.
  • The bank requires a third-party auditor to review the website and fix security gaps.
  • Business operations are disrupted because the merchant has to change service providers, hosting services, and website design.
  • The merchant pays fines, auditor fees, and the cost of system updates.
  • Search engines remove the website's domain name from their index due to malware infection.
  • The merchant loses clients because regulation requires notifying them of security breaches.

Mitigating Credit Card Fraud

Credit card fraud is a purchase made with a stolen card number, which the cardholder then disputes as not theirs. Merchants have many options to protect themselves, including:
  • Reject transactions with an invalid CVV code, the three- or four-digit code printed on the card.
  • Enable 3DS (3-D Secure), which shifts the financial loss from stolen cards to the bank. A third-party service is the alternative when higher acceptance rates are the priority.
  • Geolocate the IP address of the web browser and only allow clients from valid areas of business.
  • Validate the provided billing address using AVS (Address Verification Service). Corporate and prepaid cards may not support AVS.
  • Reject transactions from an IP address that makes too many purchases or tries too many card numbers.
  • Limit the number of transactions with the same card number.
  • Only refund money to the credit card number that made the purchase.
  • Avoid high-dollar-value purchases.
  • Reject credit cards from foreign countries.
  • Reject less secure card brands.

Reducing Chargebacks

A chargeback is when the client's bank forces a refund, and the merchant is fined when that happens. Chargeback rates over 1% of transactions start causing issues for the merchant. Steps to reduce chargebacks include:
  • Delay billing the customer until they receive the merchandise.
  • State the conditions for a return on the receipt.
  • Put a name recognizable to the client on their credit card statement.
  • Keep journals for prior chargebacks to identify recurrences.
  • Sign up with Ethoca and Verifi to get notified of pending claims.
  • Confirm online purchases with an email or text message.
  • Suppress double payments to the same credit card.

Cloud Services

Services and data centers used by an e-commerce website must comply with PCI standards. That includes the DNS, backups, firewalls, and even wiping data from disks after finishing with them. Providers must follow the PCI process for everything and only use PCI-certified services. Small vendors, such as those developing plugins, applications, and themes, are often unaware that they are in the scope of PCI oversight.

Web Browser Security

The website administrator can take steps to improve the security of the network connection between the web server and browser. The following chart shows the percentage of websites taking security precautions with various security settings, and there is a description for each further down.
HTTP Security Headers

XSS (Cross-Site Scripting)

XSS is an attack in which JavaScript running in the browser collects data from one website and pushes it to another. Browsers enable the protection by default, and it must remain enabled for e-commerce websites.

No Frames

A frame or iframe is a web page embedded inside another web page, with the web browser firewalling communication between the two. Many banking services use them to reduce the security risk for merchants: the iframe connects to the bank's website while the surrounding page connects to the merchant's website.

HSTS (HTTP Strict Transport Security)

HSTS forces the browser to upgrade HTTP connections to HTTPS. It protects against spoofed DNS responses that send requests to compromised websites. HSTS has a basic option and a more advanced one. The basic option takes effect after the first connection and remains in place for the period set by the server. The user can clear it, but not with the standard history removal. The enhanced option also protects the very first connection by embedding the website's HSTS setting within the web browser itself. The website administrator enables it by submitting the domain name to a registry service. There is no PCI requirement for HSTS; only a tiny fraction of websites implement it, but the growth rate is substantial.

Content Security Policy

The CSP (Content Security Policy) restricts where the web page can get content. Each object type, such as HTML or an image, can have a different setting. E-Commerce sites typically only allow the merchant web server to provide content except for the iframe object used to push credit card data to the bank.
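The header checks described in this section (XSS protection, no framing, HSTS, CSP) can be run against a page's response headers. The following is an added example, not code from this page or its author; the finding thresholds, the constructed headers and the bank origin https://pay.bank.example are assumptions made for the demonstration.

```python
from typing import Dict, List

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source list]}."""
    policy: Dict[str, List[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def parse_hsts(value: str) -> Dict[str, object]:
    """Extract max-age, includeSubDomains and preload from a Strict-Transport-Security header."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.lower().split(";"):
        directive = directive.strip()
        if directive.startswith("max-age="):
            digits = directive.split("=", 1)[1].strip('"')
            result["max_age"] = int(digits) if digits.isdigit() else None
        elif directive == "includesubdomains":
            result["include_subdomains"] = True
        elif directive == "preload":
            result["preload"] = True
    return result

def audit_headers(headers: Dict[str, str], bank_origin: str) -> List[str]:
    """Return findings for a checkout page's response headers (thresholds are this example's, not PCI text)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    else:
        hsts = parse_hsts(h["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < 31536000:  # one year, the preload-list minimum
            findings.append("HSTS max-age shorter than one year")
        if not hsts["preload"]:
            findings.append("HSTS not marked for the browser preload list")
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP missing")
    else:
        default = csp.get("default-src", [])
        if default != ["'self'"]:
            findings.append("CSP default-src is not limited to 'self'")
        # Only the bank's payment iframe may be embedded; frame-src falls back to default-src.
        for src in csp.get("frame-src", default):
            if src not in ("'self'", bank_origin):
                findings.append(f"CSP frame-src allows {src}")
        if "frame-ancestors" not in csp and "x-frame-options" not in h:
            findings.append("merchant page can be framed: no frame-ancestors or X-Frame-Options")
    if h.get("x-xss-protection", "").strip().startswith("0"):  # legacy header; the page says keep it enabled
        findings.append("X-XSS-Protection explicitly disabled")
    return findings

# Constructed response headers for a checkout page that frames a bank's payment form.
CHECKOUT_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-src https://pay.bank.example; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    print(audit_headers(CHECKOUT_HEADERS, "https://pay.bank.example") or "no findings")
```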

Domain Name Services

DNS (Domain Name Services) converts readable names into the IP addresses the web browser uses to make network connections. Several additions to the standard increase its security.

DNS Service Provider

The DNS service provider is in scope for PCI-DSS, meaning it must attest to meeting that standard. Many providers have yet to comply.
Percent of Domains with DNS CAA Record
CAA (Certificate Authority Authorization) is a DNS record type. Web browsers look up the value when securing a network connection to a website. If the record exists, it restricts the allowed certificate authority. It prevents fraudsters from generating fake certificates from a compromised provider. Only 3% of websites have a CAA record, but usage continues to rise. The Payment Card Industry does not require it.
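The restriction a CAA record expresses is applied by the certificate authority before it issues: it reads the domain's CAA RRset and refuses unless it is named. The following is an added example, not code from this page or its author; it decodes CAA records in DNS wire format and applies the RFC 8659 issuance rules to an RRset that has already been looked up, with constructed CA and merchant domain names.

```python
from typing import List, Tuple

KNOWN_TAGS = {"issue", "issuewild", "iodef"}   # property tags defined by RFC 8659
CRITICAL = 0x80                                # "issuer critical" flag bit

def encode_caa(flags: int, tag: str, value: str) -> bytes:
    """Build CAA RDATA in wire format: flags (1 byte), tag length (1 byte), tag, value."""
    tag_bytes = tag.encode("ascii")
    return bytes([flags & 0xFF, len(tag_bytes)]) + tag_bytes + value.encode("ascii")

def parse_caa(rdata: bytes) -> Tuple[int, str, str]:
    """Decode one CAA record into (flags, tag, value); raises ValueError on malformed data."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("ascii")
    return flags, tag, value

def issuer_domain(value: str) -> str:
    """Issuer domain portion of an issue/issuewild value, ignoring ';key=value' parameters."""
    return value.split(";", 1)[0].strip().lower()

def ca_may_issue(rrset: List[bytes], ca_domain: str, wildcard: bool = False) -> bool:
    """Apply RFC 8659 issuance logic to the relevant CAA RRset (already located for the domain)."""
    records = [parse_caa(r) for r in rrset]
    # A critical record whose tag the CA does not understand forbids issuance outright.
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"            # issuewild overrides issue for wildcard requests
    relevant = [v for _, t, v in records if t == tag]
    if not relevant:
        return True                  # no restriction expressed for this kind of certificate
    # A value of ";" (empty issuer) means no CA may issue; otherwise the CA must be named.
    return any(issuer_domain(v) == ca_domain.lower() for v in relevant if issuer_domain(v))

# Constructed RRset: one permitted CA plus a reporting address (placeholder names, not real CAs).
SAMPLE_RRSET = [
    encode_caa(0, "issue", "ca-one.example"),
    encode_caa(0, "iodef", "mailto:security@merchant.example"),
]

if __name__ == "__main__":
    for ca in ("ca-one.example", "ca-two.example"):
        print(ca, "may issue:", ca_may_issue(SAMPLE_RRSET, ca))
```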

DNSSEC (Domain Name System Security Extensions) protects against alteration of DNS data packets. The standard is old by internet timescales, but DNS service providers only enabled it in the last few years. The following chart shows that very few websites use secure DNS, though the growth rate is high. It is not a requirement for PCI compliance.
Percent of Domains with DNS SEC record

HTTPS Network Connection

An HTTPS connection encrypts data transmission between the web browser and the server, protecting passwords and credit card numbers. However, it does not hide the communication endpoints or the volume of data sent; those additional protections come from using the dark web.
PCI requires data transmission through HTTPS connections. Websites enable HTTP services strictly to redirect traffic onto HTTPS. Multiple internet initiatives encourage HTTPS: browser warnings when entering form data on HTTP pages, free SSL certificate services, and hardware acceleration for encryption. The following chart shows the percentage of websites serving content using HTTPS only, HTTP only, and both. E-Commerce sites must be HTTPS only.
Percent of Domains Using HTTP and HTTPS

TLS Protocol

HTTPS encrypts network traffic using TLS (Transport Layer Security), the same protocol used by email, server login, and other internet services that encrypt their traffic. The supported versions are 1.2 and 1.3. One of the two works on any web browser released in the last 12 years and will for many years to come. Operating systems still carry unsupported TLS versions, including TLS 1.1, 1.0, and SSL 3.0, so the web server must force web browsers to use the current ones.
The following two charts show the percentage of websites by the newest and oldest versions of TLS.
Newest Supported TLS Protocol
Oldest Supported TLS Protocol

TLS Configuration

The TLS protocol negotiates a cipher suite between the web browser and the server. A cipher suite is a set of algorithms used to agree keys and encrypt network communication. Because security protocols evolve continually, over 100 suites are in active use. The server must reject the insecure options while remaining compatible with both older and newer web browsers.

Public Key Length

Most websites use an RSA 2048-bit key. Shorter RSA key lengths are no longer secure, and the 4096-bit option is slower due to the increased computation required. The newer elliptic curve keys provide the same level of security with a much shorter length: the 224-bit option is more secure than RSA at 2048 bits. The longer elliptic curve keys are far safer and have the scalability to protect against quantum computing attacks.

Certificate Lifespan

The Payment Card Industry requires HTTPS certificate rotation at least once a year to protect against undetected theft. Some certificate authorities give out multi-year certificates. Our solutions rotate keys, and all other security materials, every 90 days.

Some certificate authorities support OCSP (Online Certificate Status Protocol). It allows website administrators to revoke a certificate's public key at any time, which becomes useful when theft is suspected. The web browser and the certificate authority implement the protocol. The Payment Card Industry lists OCSP as a best practice.

AEAD (Authenticated Encryption with Associated Data) authenticates the metadata sent alongside the encrypted payload. It is built into TLS 1.3 and is not available in earlier versions. All current web browsers support AEAD. The best practice is defaulting connections to TLS 1.3 to get AEAD and only falling back to older versions for web browsers released before 2020 that lack support.

SHA1, DES, RC4, and MD5

SHA1, DES, RC4, and MD5 are out of date and no longer secure. TLS 1.2 still accepts them; TLS 1.3 does not. Newer operating systems have started to drop the software that implements them, but the web server must block them from being offered to the web browser when setting up HTTPS connections.
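The server-side rules from the TLS Protocol, TLS Configuration and obsolete-algorithm sections above (TLS 1.2 and 1.3 only, AEAD suites, nothing built on SHA1, DES, RC4 or MD5) can be expressed and then audited with the standard library. The following is an added example, not code from this page or its author; the cipher string is one assumed policy, built on OpenSSL's cipher-string syntax, and the audit reports what the local OpenSSL build would actually offer a browser.

```python
import ssl
from typing import Dict, List

# Algorithms the page lists as obsolete; a suite built on any of them must never be offered.
OBSOLETE = ("MD5", "SHA1", "RC4", "DES")

def hardened_server_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2 and 1.3 only, forward-secret AEAD suites only (policy assumed here)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSL 3.0, TLS 1.0 and TLS 1.1 handshakes
    # OpenSSL cipher string for TLS 1.2: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 (all AEAD).
    # TLS 1.3 suites are all AEAD and are managed separately by OpenSSL, so they stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Report what the context would offer a browser: version floor, AEAD coverage, obsolete suites."""
    suites = ctx.get_ciphers()
    weak: List[str] = []
    for s in suites:
        # Check the suite name plus the bulk cipher and MAC fields OpenSSL reports for it.
        haystack = f"{s['name']} {s.get('symmetric') or ''} {s.get('digest') or ''}".upper()
        if any(token in haystack for token in OBSOLETE):
            weak.append(s["name"])
    return {
        "min_version": ctx.minimum_version.name,
        "offered": [s["name"] for s in suites],
        "all_aead": all(s["aead"] for s in suites),
        "weak_suites": weak,
    }

if __name__ == "__main__":
    print(audit_context(hardened_server_context()))
    # Contrast: a context that offers everything the library can do, including CBC/SHA1 suites.
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    lax.set_ciphers("ALL")
    print("lax context offers obsolete suites:", audit_context(lax)["weak_suites"])
```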

Network Security

Network design is vital to PCI. Anything inside the same network segment as an e-commerce server and not isolated from it by a firewall is within scope, even if it never interacts with the e-commerce systems. The best practice is therefore a network segment dedicated to e-commerce services.
Networking Zones with Private Network

Private Networks

A private network is a PCI requirement. Any device using a private IP address is on a private network, and there are several private address ranges. The public internet rejects all private IPs, so the private network uses NAT (Network Address Translation) to translate requests between the public and private networks. The private network is divided into zones or subnets. Only the DMZ (Demilitarized Zone) connects to the internet; servers in other zones reach the internet through services in the DMZ. That creates a layered defense that is harder for an attacker to penetrate. The following diagram shows a standard network architecture.

Network Firewall

A network firewall blocks internet access to internal services. The capabilities of a commercial firewall typically include the following:
  • Block TCP SYN floods and other Denial of Service (DoS) attacks that swamp the website with half-open network connections.
  • Block IP spoofing, which protects against the takeover of user sessions.
  • Block outbound connections while allowing inbound ones, which prevents the exfiltration of stolen data.
  • Send no response for blocked services, which makes it harder for the attacker to fingerprint the technology and reduces system load.
  • Inspect the networking metadata used to route application messages and block anything suspicious.
The following chart shows the percentage of domains with common firewall vulnerabilities. See below for descriptions of each term.
Infrastructure Security
Administrative Ports need multifactor authentication, firewalls limiting which client IP addresses can connect, or both. Administrative ports include operating system login and website administration.
Databases are the most common service exposed to the internet without an application firewall. They are optimized for low latency and high throughput, so they lack the protection of an application firewall.
Hosting refers to running multiple websites on a single server without a PCI exception to do so.
Encrypted Services protect data transmitted over the internet. Most email service providers support clear-text, unencrypted connections, which makes it easy for a man-in-the-middle attacker to capture details like login credentials. Many hosting providers expose unencrypted services on the same IP address as the web server. That pulls them into PCI scope unless they have compensating controls signed off by PCI indicating otherwise.

Web Application Firewalls

A WAF (Web Application Firewall) works on the HTTP protocol. It inspects all traffic and rejects suspicious messages. There are many types of suspicious communications. The more common are:
  • The same IP address makes too many requests within a few seconds.
  • Form submissions that look like SQL injection or brute-force password guessing.
  • HTTP methods the website does not use, such as DEBUG, OPTIONS, DELETE, and PUT.
  • User inputs that attempt to overflow what the website can safely manage. Cyber attackers do that to push the service into a vulnerable state.
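The four kinds of suspicious traffic listed above can be turned into a small HTTP-layer filter and run over sample requests. The following is an added example, not code from this page or a WAF vendor; the thresholds, the injection signatures and the sample traffic are constructed for the demonstration, and the client addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Constructed policy values that mirror the page's list of suspicious traffic (not a vendor rule set).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}   # DEBUG, OPTIONS, DELETE and PUT are never used by the shop
RATE_LIMIT = 20                             # requests per client address per window
WINDOW_SECONDS = 5.0
MAX_BODY_BYTES = 8192
MAX_FIELD_CHARS = 256
SQLI_MARKERS = (" or 1=1", "union select", "' or '", "--", "/*")   # crude signatures for the demo

class MiniWaf:
    """Toy HTTP-layer filter: method allowlist, per-IP rate limit, input-size caps, injection signatures."""

    def __init__(self) -> None:
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, ip: str, ts: float, method: str, body: bytes, fields: Dict[str, str]) -> Optional[str]:
        """Return a rejection reason, or None when the request may continue to the web server."""
        if method.upper() not in ALLOWED_METHODS:
            return f"method {method} not used by this site"
        window = self._recent[ip]
        while window and ts - window[0] > WINDOW_SECONDS:   # forget requests outside the window
            window.popleft()
        window.append(ts)
        if len(window) > RATE_LIMIT:
            return "too many requests from one address"
        if len(body) > MAX_BODY_BYTES:
            return "request body exceeds limit"
        for name, value in fields.items():
            if len(value) > MAX_FIELD_CHARS:
                return f"field {name} longer than {MAX_FIELD_CHARS} characters"
            if any(marker in value.lower() for marker in SQLI_MARKERS):
                return f"input in field {name} resembles SQL injection"
        return None

# Constructed sample traffic: (client IP, timestamp in seconds, method, body, decoded form fields).
SAMPLE_REQUESTS = [
    ("203.0.113.5", 0.0, "GET", b"", {}),
    ("203.0.113.5", 0.4, "PUT", b"", {}),
    ("203.0.113.5", 1.0, "POST", b"user=joe", {"user": "joe OR 1=1"}),
    ("203.0.113.5", 1.5, "POST", b"", {"note": "x" * 300}),
]

def run_samples() -> List[Optional[str]]:
    """Run the constructed traffic through a fresh filter and return the decision for each request."""
    waf = MiniWaf()
    return [waf.check(*request) for request in SAMPLE_REQUESTS]

if __name__ == "__main__":
    for request, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(request[2], request[0], "->", decision or "allowed")
```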

Firewall Layering

Firewall layers go from 1 to 3. Layer 1 is fast but only filters on networking ports. Layer 2 applies more sophisticated rules because it tracks multiple network packets exchanged between a pair of endpoints. Layer 3 inspects application-level protocols, which for websites means HTTP. Requests from the internet should pass through each layer in order.
The second meaning of layering is placing a firewall between internal services, typically a network firewall between the web server and the database. It forces an attacker to penetrate multiple systems before reaching client data. The following chart shows the firewall layers and multilayered firewalls. Some designs call the layer-three firewall a proxy and place a layer-two firewall behind it. A second alternative places two layer-two firewalls from different vendors facing the internet.
Private Network Zones

Operating System Security

Operating system security applies to the steps taken when installing, configuring, and maintaining software on the server.

Software Currency

The chart below shows that 52% of WordPress websites required updating, and a higher percentage never apply security patches once the website goes online. The PCI standard requires the entire software stack to run supported software versions with current patches applied to the operating system, programming language, SSL library, web server, and more.
WordPress Version Market Share

Server Hardening

Server hardening changes default configurations to more secure ones. It is complex, so e-commerce websites should stick to technologies that have a hardening guide. The CIS (Center for Internet Security) Benchmarks are popular and free hardening guides covering operating systems, cloud platforms, web servers, and more. They provide commands for both auditing and hardening the configuration. The updates focus on the following:
  • Turn off unneeded network services.
  • Uninstall software not required by the website.
  • Block insecure access methods.
  • Audit activity on the system.

SQL Injection

SQL (Structured Query Language) injection attacks the code that builds database queries from input forms. A weakness exists when an input field gets copied directly into a SQL statement that then runs against the database. Say the legitimate purpose of an input field is to capture the user name:
SELECT password FROM users WHERE id=<value entered by user>
An attacker hijacks the input by entering a string like "joe OR 1=1" into the field. The SQL then becomes:
SELECT password FROM users WHERE id=joe OR 1=1
Since 1=1 is always true, the query returns the passwords of all users. The response is messy, but the attacker will quickly extract the whole table. Parameter binding is the alternative to copying strings into the statement. It defeats the attack because the database treats the entire value as the user name to compare against: in the given example, the bound user name would be the literal text "joe OR 1=1", spaces and logic included, which matches no user.
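The string-copied query and its parameter-bound replacement can be run side by side against an in-memory SQLite database. The following is an added example, not code from this page or its author; the table and its contents are constructed, and because real SQL needs quotes around a text value, the page's "joe OR 1=1" sketch appears here in the quoted form the string-copied query actually requires.

```python
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample table; a real system stores password hashes, never plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("joe", "hash-joe"), ("ann", "hash-ann"), ("raj", "hash-raj")])
    return conn

def vulnerable_lookup(conn: sqlite3.Connection, user_input: str) -> List[Tuple[str]]:
    """The weakness from the text: the user's text is copied into the statement and parsed as SQL."""
    sql = "SELECT password FROM users WHERE id='" + user_input + "'"
    return conn.execute(sql).fetchall()

def bound_lookup(conn: sqlite3.Connection, user_input: str) -> List[Tuple[str]]:
    """Parameter binding: the value travels separately and can only ever be compared against id."""
    return conn.execute("SELECT password FROM users WHERE id=?", (user_input,)).fetchall()

# Quoted form of the page's "joe OR 1=1": closes the string literal, then appends an always-true clause.
INJECTED_NAME = "joe' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("string copy:", vulnerable_lookup(conn, INJECTED_NAME))   # every row leaks
    print("bound parameter:", bound_lookup(conn, INJECTED_NAME))    # no such user, nothing returned
    print("bound parameter, honest input:", bound_lookup(conn, "joe"))
```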

Take Action Now to Secure Your Website

Secure your e-commerce website and protect your customers' payment card information by partnering with us for PCI compliance services. Safeguard your business from potential threats, ensure regulatory compliance, and gain the confidence of your customers. Don't leave your website's security to chance—click the button below to get started and protect your customers' payment card information today!
Our team of experts will guide you through the process, alleviate any concerns, and provide you with the peace of mind you deserve. We will directly respond to PCI auditors about the website and fix any gaps they may identify free of charge. Your website's security is our top priority, and we are here to help you every step of the way.